When it comes to people and security, there are three schools of thought – they’re either your greatest strength, your biggest weakness or they’re both.
On the one hand, humans represent a huge vulnerability when it comes to keeping an organization secure. Just think of the potential to fall prey to a phishing scam, download a virus or lose vital company data. These things happen every single day. Usually it’s an honest mistake, other times malicious intent, but the result is nearly always the same – a pay day for a hacker and reputational damage for your brand.
But given the right amount of training and support, an organization’s employees (and not just those working in the IT department) can become its best line of defence. It takes time and investment, but the rewards are worth it – it builds resilience and confidence, minimizes the risk of an attack, reduces the margin for human error and creates a culture rooted in robust cybersecurity practices.
“You only have to be wrong once”
The simple fact is computers are designed to be secure – people are not, and threat actors know this. In fact, they prey on it because they know they only need one opportunity to compromise an entire network.
“You only have to be wrong once,” a leading cybersecurity advisor at a California-based tech firm told executives during a recent Meet the Boss virtual roundtable.
“Education is important, but you need to have the necessary technology and tools in place so that I – as an employee – don’t have to care about the education you give me…I work with a lot of clients, and I always say, even if you make a mistake, how do we ensure you have a copy of your data that cannot be compromised?”
This cybersecurity advisor also stressed that it’s important to tie company revenue to personal action. “You’ve got to question every assumption, you’ve got to have back-ups…and we need to tie company revenue to personal action. You can tell your employees to do something and they may think ‘I’m not going to do this because I don’t need to’.”
“But the switch we need to make is telling them do something because if their account is compromised, hackers will use their data to impact our revenue. I want people to really think about that – trying not to be compromised is [ultimately] their responsibility.”
Risk or asset? You decide.
The notion that “people are a company’s greatest weakness” is a dangerous, self-fulfilling prophecy. Adopting that mentality will result in an unengaged workforce who fail to learn from their mistakes.
But the reverse is also true. A business that empowers its employees, shows them why cybersecurity is such a pressing concern and teaches them to identify warning signs before they become actual problems, will not only avoid being hacked but will realize just how valuable people are in the ongoing fight against cybercrime.
Take phishing emails, for example. If a business doesn’t regularly test its own cybersecurity, employees will never learn how to spot suspicious activity. The first time a phishing email lands in their inbox, there is a good chance they’ll click on it – and a single click is all it takes to covertly install malware on your system.
Sending simulated phishing emails is a great way to test just how prepared your employees are. Those who fall for the scam will need to be educated on how to spot a phishing email and avoid clicking on such emails in the future.
Cyberattacks are on the rise
- 2021 saw the highest average cost of a data breach in 17 years, with the cost rising from US $3.86 million to US $4.24 million year over year.
- The Covid-19-powered shift to remote work had a direct impact on the costs of data breaches. The average cost of a data breach was US $1.07 million higher where remote work was a factor in causing the breach.
- The most common cause of data breaches was stolen user credentials. This commonly used attack vector was responsible for 20% of breaches, and those breaches cost an average of US $4.37 million.
- A total of 82% of organisations have admitted to increasing their cybersecurity budgets over the past year, with these funds accounting for up to 15% of total IT spending.
What these statistics show is that cyberattacks are becoming more frequent. But what they don’t necessarily show is how much more sophisticated they’re becoming.
“Historically, threat actors would target the large corporations and go for that one hit,” the Senior Vice President of a major US financial services company told business leaders at a recent Meet the Boss event.
“They’ve recently got far more intelligent. They’ve realized they don’t need one hit at $80 million when they can have 80 hits at $1 million.”
The financial services executive also touched on the fact that hackers take advantage of social media. “They target individual people – social media makes people very vulnerable. If you don’t have social media, you think you’re fine but then you don’t have visibility of what someone might be doing with your pictures or information.”
“There are ways of hacking your mobile device and accessing your data. So then, once that’s happened, the question then becomes how do you get your systems back? If ransomware comes in, what do you do? This extends to resiliency exercises and the rebuilding of your data. Do regular testing, validation and ensure things are being done properly.”
Going from strength to strength
1. Training
It starts (and ends) with education.
Most employees don’t realize they’re a weak link and assume there are defences in place that are designed to protect against threats. What they need to understand is the role they play in protecting the company’s online footprint and keeping the business safe.
Maintaining an open dialogue between employees and your company’s IT department is crucial – not only to keep cybersecurity front of mind, but also to keep everyone up to date on the latest security trends.
2. A positive culture
Encourage employees to flag suspicious activity, rather than punishing them for any mistakes. Be clear on best practices for passwords, the company’s policies and how they can avoid being compromised in the future.
As well as this, be transparent about security breaches. Discuss them with your teams and explain what happened. This will help further your employees’ understanding of the part they play in the security of the business.
Other handy tips shared by Meet the Boss executives at a recent cybersecurity-themed roundtable include:
- Adopt a ‘target’ mindset: Encourage employees to think of themselves as individual targets, rather than the overall organization. Security doesn’t start with controls; it starts with a single person.
- Restrict access where possible: Segment your environment and ensure teams only have access to the information they need.
- Third-party checks: If your company has partnered with a third party on security, ensure they’re doing regular resilience checks – and are providing evidence of this.
- Sensitive information on company devices: Make sure your employees know not to perform personal transactions using company devices.
3. Technology is the key
Beyond regular training and a positive culture, having the right tools to empower your staff is crucial. Human-layer security solutions protect people against inbound phishing threats and against outbound data loss when they send emails.
Keep your systems up to date, use multi-factor authentication and implement a strong password policy.
In today’s digital age, training your workforce in cybersecurity should be the norm in any organisation. Hackers and cyber criminals strive to perfect their craft and exploit the vulnerabilities of organisations — so companies should work just as hard at perfecting their defences.
GDS Summits are tailored 3-day virtual event conferences that bring together business leaders and solution providers to accelerate sales cycles, industry conversations and outcomes. Regarding the Security Digital Summits 88% of Solution Providers said the overall experience of the Digital Summit they attended was Above Average or Excellent and 88% of Solution Providers said they would be interested in sponsoring future events.
Continue the debate at GDS’ Security Digital Summits where we bring together senior security executives who are actively seeking to share, learn, engage, and find the best solutions.