
Security Think Tank: Employees are one of the greatest defences

What strategies should organisations follow to block malware attachments which continue to account for two-thirds of malware infections that result in data breaches?

Malware is very frequently delivered by email. The trusty attachment has served criminals well and, given that we are clearly still opening them, they seem happy to continue their use.

Part of the malware distribution problem lies in the increasing use of other web-enabled systems and devices, such as air conditioning management or hospital imaging systems. A business with only an email system or a standard corporate network to consider will most likely limit change management and training to that area. This is not the case for most, however, and even security systems can be used as a route for malware payload infection.

If we consider the recent ransomware outbreak that affected the NHS, we can see this in action, as many systems compromised were not computers as such but were things like imaging systems, which were using legacy platforms. But the question here was related to email attachments and so, naturally, we need to start with people.

When it comes to information security, employees are often cited as the greatest vulnerability in many surveys and reports. According to the ICO, it is beyond question that the majority of data breaches come from human interaction with data and information.

Errors such as emailing something sensitive to the wrong distribution list, losing paperwork or faxing the wrong recipient (yes, some people still use fax machines) are common entries on lists of data breach causes, year after year, if you view the results on the ICO website.

But how many employees are genuinely engaged with security in our organisations and businesses? Engagement doesn’t happen automatically or by magic, yet our employees need to be engaged. Engaged employees are usually well-informed employees. To be well-informed, they need their training and education to be relevant to them and to their roles and responsibilities.

A one-size-fits-all approach will not work as well as a tailored one that deals with examples they recognise and respond to. Giving them 20 minutes of e-learning a year is also unlikely to suit all employee security needs, as there will be varying degrees of ability and understanding. A policy-driven approach, while supporting general business policy adherence, does not necessarily increase good hygiene or improve overall capability or culture.

Employees are one of the greatest defences an organisation has. The nuanced response of an employee who has been well-trained and recognises that something is amiss with an attachment – one that may well have made it past technology boundaries and security measures – is invaluable.

We need to use quality technology to back up well-trained staff who are fully bought into a culture that recognises the part every individual plays in the security of their business. But data failure tends to start and end with a human, so we need to make sure people are fully enabled to take action. There needs to be clear guidance on how they should handle malware threats.

We need to make sure that there is no reliance on technology alone, either from staff or management. Instead, we need to blend technology such as email scanning and network monitoring into our overall security strategy and be open with employees about measures such as email monitoring.

With their support and well-trained anticipation of security threats comes the beginning of the real change needed so the culture will become one of resilience and readiness, with everyone playing their part.
