As we celebrate this year’s Cyber Security Awareness Month, our Head of Cyber Security Opeyemi Ore presents some of the latest measures that we have put in place to protect our systems and data. He also explains how we are taking this opportunity to increase employee awareness of techniques such as phishing and spear phishing, to strengthen our ‘human firewall’ against cyber criminals.
October is an important month in the calendar for cyber security professionals, and a useful reminder of just how important it is for all of us to be cyber aware, in both our professional and personal lives. However, as I have been reminding our colleagues in our recent internal security awareness sessions, cyber security is not something that we focus on for only one month of the year. Nor could we afford to. Digitalisation has brought many benefits, but it has also increased the risks from malicious actors seeking to compromise company systems and sabotage sensitive data.
A group-wide cyber security programme
Cyber security is a particularly important topic for us at TLScontact, as the processor of large quantities of personal data submitted by customers applying for visas with our government clients. In recent years, we have made significant investments to strengthen our cyber defences. As part of a group-wide programme undertaken with our parent company Teleperformance, we have focused on:
- Improving the security of our user directory;
- Enhancing our software development capabilities to identify potential code defects in our web applications;
- Filtering out online bots trying to compromise our web services;
- Improving our log monitoring capabilities; and
- Uplifting the security capabilities within our cloud platform.
Employee awareness: essential to building strong cyber defences
Our employees remain an important line of defence in our efforts to fight cyber crime. That is why we are running training and awareness-raising activities throughout this month, to alert our staff to different cyber threats and how to deal with them.
This year, we are concentrating on phishing, which is also one of the key themes selected for this year’s European Cyber Security Month. According to KnowBe4, a company specialising in security awareness training and simulated phishing attacks, more than 90% of successful hacks and data breaches start with phishing scams. Employees might receive fake invoices or purchase orders, requests for information, or HR-related messages that can all look very authentic, but that might allow a cyber criminal access to their company’s IT systems.
Working with KnowBe4, we are carrying out extensive training with our employees, through live ‘Cyber Talks’ sessions with our cyber security team and interactive online training modules to remind our colleagues of how to spot a potential phishing attack and how to react. We also run regular simulated phishing attacks to test user behaviour.
Phishing: how to spot an attack
As we have explained to our colleagues, phishing emails can look very official, but there are generally a few tell-tale signs:
- Phishing emails often contain spelling mistakes;
- They may be sent from an unfamiliar email address or domain;
- There is always a call-to-action (CTA): generally a link to click, a file to download, or a form to complete with personal details such as a password or Personal Identification Number (PIN);
- Phishing emails always give a sense of urgency, encouraging the user to carry out an action within the next hour, or day.
Phishing attacks are becoming increasingly sophisticated, and spear phishing emails go further: they include more personalised content, drawn from research carried out on the target, to make them appear more authentic. We therefore need to be on constant alert and aware of the latest methods being used by cyber criminals.
To streamline our efforts to fight phishing attacks, our newly implemented Phish Alert Button allows our employees to report suspected phishing emails in one click from their inbox, alerting our cyber security team and instantly removing the suspicious email, so that it can be analysed.
As we say at TLScontact, cyber security is everyone’s job. You can have the most advanced technical systems available, but employee behaviour remains a critical component in any cyber defences. Through our ongoing employee training and awareness-building, we are aiming to strengthen our ‘human firewall’ and thereby ensure the best possible protection of our systems and customer data from malicious actors.
Article written by
Opeyemi Ore, Head of Cyber Security