enterprisesecuritymag

Keeping Up with the Pace of Change in Cybersecurity

By Susan Rassas, Information Risk Management Education and Awareness Lead, Shell

Doing business today is anything but usual, and leveraging technology to achieve business objectives is even more crucial. Companies have become more reliant on their digital channels to stay connected with their suppliers, customers, and staff. It is also that very reliance on technology that has exposed us to an increased threat of cybercrime. The Covid-19 pandemic has had the unfortunate side effect of enabling cybercrime to grow exponentially in frequency and become far more creative in its delivery.

The only way to ensure that we do not fall victim to the ever-evolving cyber threat is to have an effective counteroffensive strategy in place: a multi-pronged educational and digital approach that makes use of data to analyse potential as well as actual threats to identify the high-risk areas in the business. This should be done without ignoring the lower-risk parts, as they could become the next possible target areas.

However, all the best security and antivirus measures a company puts in place cannot replace the most effective countermeasure that is readily available to any organisation: its employees. Since around 90 percent of cyber-attacks begin with an email, cyber protection is most effective when it is coupled with vigilant staff members who can identify potential threats and act to neutralise them.

At Shell, we have learned that a one-size-fits-all approach will not work in today’s sophisticated and constantly shifting cybercrime landscape. Success lies in our ability to target our efforts at specific groups of people who fulfill certain roles within the company. This also identifies the level of threat to which they will most likely be exposed. Education is tailored around multiple persona groups to equip staff with information on how to identify the triggers and how to react. Similarly, phishing campaigns are customised to reflect the type of correspondence which these higher-risk groups may receive as part of their work, testing their level of alertness.

We persistently drive a security culture within Shell and give recognition to desired behaviour, where staff are acknowledged for acting against phishing attacks. This helps us to entrench the security culture further.

Covid-19 has also added another complexity to our ability to counter cyber-attacks. As most staff work from home, they become exposed to a new set of risks. To help them mitigate those risks, it became essential that they were first aware of them, and secondly, that they had the right tools and information to counter them. This is an ongoing challenge that we will face for the foreseeable future. While our standard defenses deter most of the phishing attacks, Shell CyberDefence has deployed additional monitoring of emails and blocks for emails sent from uncategorised domains.

We have recognised that these factors pose a credible risk to our data security. Shell has invested a significant amount of time and effort to put measures in place for educating our staff about the inherent dangers of cybercrime. By running phishing simulations that incorporate the latest criminal tactics, we created a viable platform for staff to learn about cybercrime and the importance of vigilance. We were then able to analyse how effective our training has been and which user groups require additional attention. Leaders receive these reports to ensure that cyber security remains on their agenda. We constantly learn and evolve.
