Susan Rassas, Information Risk Management - Transformation and Engagement Manager, Shell [Euronext: RDSA]
Doing business today is anything but usual, and leveraging technology to achieve business objectives is even more crucial. Companies have become more reliant on their digital channels to stay connected with their suppliers, customers and staff. It is also that very reliance on technology which has exposed us to an increased threat of cybercrime. The Covid-19 pandemic has had the unfortunate side effect of enabling cybercrime to grow exponentially in frequency and to become far more creative in its delivery.
The only way to ensure that we do not fall victim to the ever-evolving cyber threat is to have an effective counteroffensive strategy in place: a multi-pronged educational and digital approach that uses data to analyse potential as well as actual threats and to identify the high-risk areas in the business. This must be done without ignoring the lower-risk parts, as they could become the next target areas.
However, all the best security and antivirus measures that a company puts in place cannot replace the most effective countermeasure that is readily available to any organisation: its employees.
Since around 90% of cyberattacks begin with an email, cyber protection is most effective when it is coupled with vigilant staff members who can identify potential threats and act to neutralise them.
At Shell, we have learned that a one-size-fits-all approach will not work in today’s sophisticated and constantly shifting cybercrime landscape. Success lies in our ability to target our efforts at specific groups of people who fulfil certain roles within the company, as this also identifies the level of threat to which they will most likely be exposed. Education is tailored around multiple persona groups to equip staff with information on how to identify the triggers and how to react. Similarly, phishing campaigns are customised to reflect the type of correspondence which these higher-risk groups may receive as part of their work – testing their level of alertness.
We persistently drive a security culture within Shell and give recognition to desired behaviour, where staff are acknowledged for acting against phishing attacks. This helps us to entrench the security culture further.
Covid-19 has also added another complexity to our ability to counter cyber-attacks. As most staff work from home, they become exposed to a new set of risks. To help them to mitigate those risks, it became essential that they were firstly aware of them and secondly, that they had the right tools and information to counter them. This is an ongoing challenge that we will face for the foreseeable future. While our standard defenses deter most of the phishing attacks, Shell CyberDefence has deployed additional monitoring of emails and blocks for emails sent from uncategorised domains.
We have recognised that these factors pose a credible risk to our data security. Shell has invested a significant amount of time and effort to put measures in place to educate our staff about the inherent dangers of cybercrime. We also found that by running phishing simulations that incorporate the latest criminal tactics, we created a viable platform for staff to learn about cybercrime and the importance of vigilance. We are then able to analyse how effective our training has been and which user groups require additional attention. Leaders receive these reports to ensure that cyber security remains on their agenda. We constantly learn and evolve.