When hackers breached retail giant Target’s databases, they stole the credit and debit card information of more than 40 million customers. It remains one of the largest cybersecurity hacks in history.
Fast forward to today, and 2018 has seen trending news of cybersecurity incidents strike Macy’s, Whole Foods, Delta, Under Armour, Uber, Panera Bread and many, many more. This doesn’t even mention the cybersecurity tsunamis that have come to be synonymous with data-protection failures, network-security lapses or general IT infrastructure mismanagement.
It’s not just the big guys getting attacked. Small businesses make up nearly 61 percent of all cyber attack targets, up from 55 percent in 2016. Between halted operations and damage reparations, cyberattacks cost the average small to medium business (SMB) over $2 million and have been known to shut down entire enterprises — sometimes permanently.
And remember that Target breach? It struck not because of internal, corporate IT negligence but because of a gateway that hackers found in one of Target’s HVAC vendors.
It’s hard to ignore what all this indicates — cyber threats are far more interwoven — and prevalent — than what meets the eye. When it comes to your employees’ preparedness in the event of a cybersecurity emergency in particular, organizations can no longer roll the dice.
Why It’s Important Now
Negligent employees, contractors and third-party vendors represent the cause of over half of all enterprise data breaches.
This is a sobering statistic, one that keeps network administrators and IT managers up at night. After all, employee negligence hardly represents intent. More often than not, good-intentioned employees make mistakes or skirt safe IT protocols because they’re tricked, rushed for time or are unaware there’s protocol set in the first place.
As cybersecurity incidents are projected to rise, so does the potential for employee errors and the employee-enacted data breaches that statistically follow them. The following workplace and cultural trends only emphasize why it’s more important than ever to establish cybersecurity awareness training with your employees:
1. Remote Work/Telecommuting
Telecommuting has become a reality rather than a fantasy for many workers thanks to mobile and cloud technologies. In less than ten years, businesses across the country have been able to incorporate substantial work-from-home policies, reshaping the ways companies view productivity, profitability and what it means to be a “good” worker.
- Half of the U.S. workforce currently holds a job compatible with telecommuting.
- Over 40 percent of businesses offer some form of flex work or a work-from-home option.
- Between 20 and 25 percent of the U.S. workforce already telecommutes with some frequency.
- Around 4 million people work at least half-time from home, or two to three days a week.
- By 2020, estimates show nearly 50 percent of workers will be working remotely at least part-time.
The same mobile and cloud technologies that have unleashed telecommuting also spell its greatest risk. For starters, businesses must shore up end-to-end remote networks for employees to safely connect back to the office. What’s more, these same employees must understand the security liabilities and best practices for any personal devices used for work, or be offered corporate laptops, smartphones and other hardware equipped with company-approved security features. Such efforts take commitment, time and training — hallmarks of cybersecurity awareness programs.
2. Increased Government Regulation
The importance of cybersecurity practices, training and systems isn’t isolated to private, internal business operations. Government agencies and legislators are catching on as well, with ripple effects that have changed the way private and public enterprises alike must protect their digital systems and information.
The past two decades have seen both state and federal movements to draft cybersecurity regulations. Within these, guidelines and mandates provide a structure for how businesses must install “reasonable” levels of security through protective software and hardware, as well as maintain “required security practices” amongst their employees, contractors and vendors.
Certain industries are affected by cybersecurity regulatory requirements more than others. For example, healthcare, finance and government contractors face industry-specific directives, most notably through the three following statutes, respectively:
- The Health Insurance Portability and Accountability Act (HIPAA)
- The Gramm-Leach-Bliley Act (GLBA), otherwise known as the Financial Services Modernization Act
- The Homeland Security Act and the Federal Information Security Management Act (FISMA)
Depending on your industry, you may be required to perform routine cybersecurity awareness training in addition to these compliance measures.
3. The Internet of Things (IoT)
While we’re currently still in the infancy of a widespread Internet of Things, businesses and their employees across the country must be preemptive, not reactive, to its impending landscape. With the vast majority of employees using a personal device to access company networks or perform company work — and those devices poised to be more interconnected and communicative with other devices and networks — cybersecurity vulnerabilities only compound.
The IoT makes “bring your own device” (BYOD) workplace policies and standardized best-practices even more pressing. After all, many employee mobile devices today lack appropriate defenses against threats like mobile malware, email phishing and more.
Types of Attacks Employees Are Susceptible To
Strong security awareness training should directly address today’s (and tomorrow’s) most pressing cybersecurity hazards.
In other words, training prepares employees, which in turn prepares enterprises. The more your employees know, the more they’re able to identify and avoid the following cybersecurity storms:
1. Phishing
Also known as social-engineering attacks, phishing constitutes the most common form of business cyber threats. Almost half of surveyed SMBs experienced a phishing-based security breach attempt, while large companies and organizations follow right behind, at 42 percent.
Phishing scams aim for employees to click malicious links or download tainted materials, typically embedded in emails. These links then establish a direct gateway for cybercriminals to breach private networks and extract data. Links can appear internal or external facing, with phishers becoming increasingly sophisticated, manipulating SSL encryption and HTTPS to lure employees into thinking a website or profile is safe.
Similarly, phishing also extends to emails and messages that aim to elicit sensitive information from your employees directly. Emails appear to come from another employer, manager or even a familiar third-party, tricking employees into thinking they’re responding to something business-critical.
2. Malware Email Attacks
Malware email attacks are a subset of broader malware threats that use email downloads as their primary weapon. They’re also a risk category on the rise, with Symantec’s 2018 Internet Security Threat Report indicating that nearly 88 percent of these attacks use malware-laden email attachments employees download to breach a device, server or network.
One click from an employee is all it takes. Once a tainted attachment is downloaded, the malware infects its target and can cause irreversible damage to files, databases and even the entire server.
Watchdog reports indicate over 72 percent of email malware breaches occur in businesses with 100 employees or fewer. Small businesses themselves are technically defined as those with 250 employees or fewer. Similar email malware attack studies have found that the average small business receives at least nine infected emails a month per employee.
3. Fileless Attacks
One of the more contemporary cybersecurity threats is known as a fileless attack. As the name suggests, fileless attacks do not rely on malicious attachments or links. Instead, they work with what’s already there — software, applications and programs your employees use regularly that may be vulnerable due to age or lack of updates.
Fileless attacks are ten times more likely to succeed than traditional, file-based email phishing or attachment scams. That’s because they can be nearly untraceable to the average worker. Once an attacker has exploited an application vulnerability, they effectively build a digital portal only they can cross. That bridge allows them to spy, take control, administer and even extract sensitive data straight from core operating systems.
Fileless attacks remain relatively unknown to the average employee. To compound the issue, most anti-virus or intrusion detection software isn’t designed to root out these threats.
4. Employee Errors
Human errors leading to data breaches and sensitive information leaks account for nearly a third of enterprise security incidents overall.
These numbers fall behind only phishing and malware attachment attacks in terms of prevalence. And while it may sound like the least harmful of the cybersecurity attack types, it’s far from it. Even small employee errors can result in everything from regulatory noncompliance to irreconcilable data loss, typically after the following accidents:
- Unintended disclosures, such as faxes sent to the wrong extension, emails sent to the wrong recipient or files being shared with the wrong vendor.
- Improper disposals, primarily when employees do not dispose of paper-based documents containing sensitive data in a thorough, secure manner.
- Accidental deletions, with employees erasing important files or entire databases. This issue gets compounded if a department or organization has not been habitually backing up data.
The Awareness Tactics You Should Use
When it comes to cybersecurity awareness, the best defense truly is a strong offense.
Businesses can’t rest on their laurels, maintaining legacy systems or recycling the same old security practices. Network managers have a range of tactics to deploy to educate employees and nurture stronger cybersecurity awareness.
1. Speak Their Language
Leave the technical jargon, industry-speak and million-dollar words at the door. You’re engaging real people across real, diverse departments, not writing a dissertation.
Cybersecurity awareness will stick when it’s tailored to its audience. Highlight specific examples of how new policies and procedures will make employees’ work lives easier, not more tedious or stressful. Walk them through department-specific, pertinent security examples. Use relevant metaphors. And most of all, keep things common sense. Practical, everyday solutions go a long way to risk-mitigate employee errors.
2. Make Trainings Engaging…
The best tactic to institutionalize cybersecurity awareness training is to make it a full activity for your employees, not a passive obligation.
Many strategies can be employed to do so. Paper sessions, quizzes and questionnaires completed beforehand prime employees to reflect on their own security insights and experiences. These provide direct fodder for the materials covered during training, with employees more invested in what’s discussed since they’ve already put time and thought into it.
Furthermore, don’t be afraid to step outside the box when it comes to the training and presentations themselves. Utilize multimedia, stories and even hands-on activities for more impactful sessions.
3. …And Quantifiable
Awareness tactics are only as good as their results. And the results are only good if they can be seen and measured. For security awareness training, identify performance goals and their baselines before new policies and procedures get implemented. Track these goals with relevant KPIs, then tweak and tailor accordingly.
4. Remain Positive
Scare tactics and apocalyptic breach stories only go so far, particularly to non-tech employees who may see themselves as removed from the cybersecurity and IT narrative.
Instead, balance stressing the importance of cybersecurity awareness with positive updates. Report on progress, share examples of jobs and tasks made safer as well as errors caught or threats mitigated. This keeps up momentum and reframes the importance of cybersecurity from doom-and-gloom vigilance to victory.
The work network managers and IT personnel do is only part of the puzzle. If cybersecurity organizational buy-in across departments doesn’t take hold, then any effort will inevitably fall short of outlined goals.
The key to inter-departmental institutionalization lies in the three “Fs” — focus, functionality and frequency. When cultivated, the three Fs bring all employees on board for a tighter, more cyber-secure environment.
1. Start With the Passwords
Maintaining a robust employee password policy is like eating vegetables — everyone knows they should be doing it, but few actually do.
This needs to change. Over 59 percent of IT managers surveyed stated they did not have administrative visibility into their employees’ password practices. This opens the floodgates for security risks, with employees potentially recycling the same word or phrase — if they’re changing it at all.
Employing password standards is a baseline cybersecurity awareness measure, but one that works. When combined with multi-factor authentication, strong passwords create the first line of network and application defense that employees everywhere can take ownership of.
2. Implement Access-Only Applications
Restricting applications and files to only the employees who need them helps reduce the chance of employee errors, such as unintended disclosures or accidental deletions. It also limits how far certain fileless attacks can burrow into databases. A smaller pool of people with application access means a smaller pool of targets for hackers.
What’s more, depending on your organization’s industry, installing access-only permissions might be a mandatory regulatory standard.
3. Be Choosy When It Comes to Software
Software used cross-departmentally and throughout the entire organization must be vetted and researched, with particular attention paid to its end-to-end encryption features. Department managers each bear a responsibility to conduct such assessments and add core applications to an organizational whitelist, the list of approved software all employees can use.
While tactics like whitelisting aren’t foolproof, they give departments a leg up on controlling illicit network and server gateways. Whitelisting also complements other endpoint security activities, giving organizations better visibility into safer everyday operations, from how employees message one another to how third parties receive essential files.
4. Consider Certifications
Certifications like the ISO standards were created to bulk up a business’s information-security management. They build data storage, security, utilization and communications best practices into enterprise operations, allowing businesses to analyze current vulnerabilities and tailor contemporary solutions.
Also, ISO certifications aren’t evergreen — a pivotal perk when it comes to technology. Updating certifications keeps a business constantly in the know of cutting-edge cybersecurity threats and solutions. It also bolsters compliance efforts and instills an all-hands-on-deck, interdepartmental attention to preventing breaches, hacks and data loss.
You can’t turn back the clock on organizational security awareness. But you can tune your dials today, prepping employees, operations and technology for a better tomorrow.
BlackStratus has been administering advanced data and network monitoring solutions to help you get a hold of operations — and make employees more informed, aware and engaged. These solutions complement today’s cybersecurity awareness and training best practices.
Reach out to BlackStratus to see what security and compliance problems we help businesses like yours solve.