2 May 2024 | By Jesse Brett
From misconfigured systems to falling victim to social engineering attacks, human error continues to be a leading factor in cyber security incidents, according to Verizon’s annual Data Breach Investigations Report[1]. In fact, 74% of breaches last year involved the human element. It’s clear that human error — whether inadvertent or malicious — can have serious consequences.
Human behaviour can be your greatest weakness (or strength) when it comes to securing your data. And while technology does play a key role in this, it can be easy to overlook that an organisation’s underlying policies and culture form the bedrock of an effective information security strategy — with technology augmenting, not replacing it.
With that in mind, it’s vital to go back to basics and develop a company culture of cyber awareness and collective responsibility. One essential component of this is GRC, a set of practices and processes that can help companies manage risk, meet compliance requirements and improve decision-making. All of this can help minimise the impact of an incident when one inevitably occurs.
GRC encompasses three key components: governance, risk management and compliance.
By having strong GRC practices in place, an organisation can minimise the risk of legal or regulatory issues, protect its reputation and ensure it can operate effectively and efficiently. One of the key benefits of clearly established policies and processes is that they can significantly reduce human error, because they explicitly define what people should be doing. Combined with ongoing security awareness training, this can empower employees to be part of the organisation’s wider information security defence.
To capitalise on the benefits of GRC practices, organisations should consider the following:
Performing routine independent audits against an established information security standard or framework is an essential step for verifying your security strategy and can give a strong indication of your organisation’s current maturity, as well as identify any gaps that can then be addressed.
One of the most effective ways to mitigate human error is through comprehensive, ongoing and quantifiable security awareness training. By raising awareness and providing practical guidance on identifying and responding to threats such as social engineering, employees can become the first line of defence.
Organisations should carefully manage user access to systems, networks and sensitive data based on zero-trust principles, which includes giving employees only the minimum level of access required to perform their job functions. These controls should be subject to regular business reviews to ensure they stay in line with changing business requirements.
Despite all preventative measures, data loss incidents can still occur, so having a well-defined and rehearsed incident response plan is critical to minimise the impact of any potential damage. This plan should outline the steps to be taken in the event of a breach, including defining roles and responsibilities and simulating attacks at least annually, with the learning points fed back into GRC practices each time.
Earlier this month, a supply chain cyber attack affecting several high-profile companies hit the headlines, with the fallout still ongoing at the time of writing. This mass hack breached a file transfer app called MOVEit, which is used by thousands of businesses around the world[2]. The group behind this breach, known as Clop, previously announced that it was moving away from ransomware toward data-theft extortion[3].
With this emerging attack model, having stringent GRC practices in place is more important than ever: if a threat actor can successfully phish just one relevant person, they can simply steal that person’s data without the additional dwell time that ransomware attacks require, which makes the intrusion harder to discover.
Although GRC practices alone can’t eliminate human error, by their very nature they provide a strong foundation for reducing the risks associated with it. When people (an empowered and educated workforce) are combined with the correct processes (GRC practices) and the relevant technology, organisations can proactively address potential risks and respond swiftly to mitigate them. To discuss your information security strategy, call our specialist team today on 03330 11 22 55.
[1] 2023 Data Breach Investigations Report – Verizon
[2] MOVEit vulnerability and Zellis incident – NCSC.GOV.UK
[3] Clop ransomware claims responsibility for MOVEit extortion attacks – BleepingComputer