When it comes to cyber awareness and securing your business against today’s threats, everyone in your organization – from the board room to the break room -- has an important role to play. But just like any other major risk, it must be managed very proactively from the top.
And with the frequency and severity of these types of attacks against business on the risk, the stakes are simply too high to ignore the risks.
A cyber attack against your business could result in immediate financial loss stemming from downtime, lost sales, lost customers, or even lawsuits and fines. But even worse, it can result in long-term losses as a result of loss of trust and damage to your brand that just can’t be undone. In some cases, businesses are never able to recover from such losses.
Cybersecurity Threats Are Everywhere
Too often there is still a feeling that the threats only come from individual hackers who are working to break into the network from the outside. And while that may also be true, the reality is that all too often a data breach occurs from within the network, quite unintentionally (on the part of the employee).
How is this possible? Here are some common ways this can occur:
- An employee brings in a personal USB memory stick that is infected with malware. When the flash drive is plugged into his/her computer, the malware is transferred to the corporate network where it goes to work gathering data.
- An employee accesses the company network from an unsecured home network; this leaves the company device (laptop, tablet, etc.) vulnerable, which in turn is a threat to the corporate network.
- Lost or stolen laptop or other device that contains sensitive data…without full-disk encryption or remote wipe capabilities, there is no option to prevent access via the stolen or lost device.
- Use of unsecured cloud-based services such as Dropbox; while convenient, they often lack the security protocols that a corporate network requires for data security.
- End-users with weak passwords for cloud-based services or the network itself.
- End-users who fall for phishing scams or other social engineering tactics that are designed to trick the individual into giving them access. (Social media has made it easier than ever for hackers to gather just enough intelligence on someone to create very convincing e-mail scams.)
- Don’t forget that disgruntled employees are also a risk. Is there anything stopped a disgruntled team member from transferring company data to a flash drive and walking out the door?
Educating Your End-Users is Critical
The best network security measures in the world are meaningless if your end-users are working (either knowingly or more commonly, unknowingly) against you.
The best analogy is that you can install the most cutting-edge security and surveillance system around to protect your house. But if the intruder knocks politely at the front door (which, by the way, is MUCH less work than trying to break in through a basement window) and you unwittingly open the door and welcome him inside, then that security system doesn’t do you one bit of good.
And unfortunately that is exactly where cyber-threats are trending and why cyber awareness is so critical to your overall network security. It's also why every business leader needs to make cyber awareness a top priority.
Using sophisticated social engineering tactics, hackers are persuading your end-users to open up the door and let them inside, saving them the hassle of trying to crack passwords and hack in themselves. A prime method for this is phishing.
Industry experts estimate that better than 93% of all phishing emails now contain ransomware encryption. With a new phishing attack detected every minute of every day, that’s a lot of chances for someone on your team to fall for one of them.
Which brings us to the really unsettling news that end-users ARE falling for it. A 2016 Data Breah Investigations Report conducted by Verizonfound that about 30% of all phishing emails are opened and that about 12% of the people who are targeted click on the link or attachment.
Remember that it only takes 1 bad click to take down your business network.
Establish Cybersecurity Policies and Procedures
As a business leader, make sure you have cyber awareness policies and practices in place to educate and train employees, as well as identify potential risks and then take steps to mitigate them. Training your employees is critical to any network security plan, because human error is a major source of data breaches, data loss and unwanted downtime.
Make sure your employees are educated on:
- Keeping a clean machine…define what programs can – and can’t – be installed on work computers. And then audit and hold employees accountable for abiding by these policies.
- Following good password practices…passwords should be long and strong, changed on a regularly basis, and not written down on a post-it note that is stuck to the computer monitor. The same password should not be used to access every account. Using a password manager is a best practice that should be encouraged.
- Avoiding phishing emails…make sure all end-users are educated on the red flags of a phishing attack, and establish standard protocols for certain types of processes. For example, mandate that any requests for financial transactions be communicated and/or verified via phone or in person.
- Backing up all work…have standard practices (automated backups are best) in place for backing up data and ensure that all employees are aware of them.
- Keeping software up-to-date...while best practice is to have one IT resource managing automated updates, if that isn't the case at least make sure that your end-users are ignoring those prompts to install updates. These updates are patching security vulnerabilities and are critical for strong network security.
- Staying alert…employees should understand that if it sounds too good to be true, it is. They should treat any unknown or unexpected emails or alerts suspiciously and verify as needed BEFORE taking action. If anything is “off” about a communication, confirm it before proceeding.
- Speaking up if something does happen…if an end-user does happen to click on a bad link or attachment, do they know what to do? Immediately alerting your IT department or resource can at least help to mitigate the impact. Any network security or cyber awareness plan should include what to do in the event of a successful breach.