Cybersecurity is a hot topic that is being discussed in all areas of business today. From the front-line employees to the board of directors, everyone has something to say and questions to ask. They are talking and asking questions about things like:
Phishing: "I received an e-mail the other day that said something about a lost FedEx package. I haven't ordered anything in a while, so I found it to be kind of weird. I clicked the link and entered the requested information to see details about it, but nothing happened."
Ransomware: "Did you hear about how long the city of Baltimore has been down because of a Ransomware attack?"
The latest breach they heard about on the news: "Can you believe there was another breach of social security numbers and addresses? We should be able to trust these big companies to protect our information."
Protection: "Is there anything else we should be doing to protect ourselves and the company?"
For most, trying to understand cybersecurity can be overwhelming and complex. You aren't sure where to start, and you don't understand what you should be doing or why you should be doing it. There are a lot of people who think:
"I have an anti-virus program; I have all the protection I need."
"We don't have the secret recipe for KFC, so no one would try to attack us."
"We are a small company, hackers only go after the big ones."
These types of thought processes couldn't be more wrong. You see, attackers go after the weakest links. They don't care if you are a one-person operation or a Fortune 100 organization. Think of them like a burglar looking for a house to rob. This criminal will go house to house trying doors until they find one unlocked and then walk right in.
Sure, there are those nation-states or one-off hackers that perform targeted attacks. These attacks have a specific intent to do harm or gather intelligence. In general, though, it is the wide nets that attackers cast all day, every day that everyone needs to be more aware of. These include things like phishing, ransomware, unprotected mobile devices, and social engineering.
Every business has a duty to protect their assets including the data they control.
This is not only their critical data but also the data of their clients, customers, and employees. To fulfill this duty, all businesses should have a cybersecurity program. An effective program takes a layered approach to apply the necessary level of protection. These layers encompass areas such as:
Protecting the internal computing environment (applying patches, running anti-malware, secure device configuration)
Protecting the external computing environment areas (e.g. the cloud, perimeter, points of data flow)
Securing the data flow paths to ensure only authorized data is transmitted.
Running security assessments (vulnerability assessments, penetration tests)
A breach, a ransomware attack, or a targeted denial-of-service attack are examples of threats that can be detrimental to a business. There have been many cases of companies going out of business because they weren't protected or didn't take corrective action. The fear of an attack causes great concern among business owners and leaders. It often results in overspending in areas that have little impact. This is because the layers of a cybersecurity program can be complex to build and manage. Implementing and managing these layers takes dedicated expertise to ensure:
They are creating an effective design
They are completing the right tasks
They are performing effective monitoring
They are taking the right actions should an incident occur.
There is one layer of a cybersecurity program that can have a powerful effect and yet it is often overlooked.
This layer can be simple to get started and will have a significant impact. Not to mention it is one of the smallest costs in your cybersecurity budget. It is a CYBERSECURITY AWARENESS program.
The goal of cybersecurity awareness is to provide continuous education to employees about the good security behaviors they need to develop. These good behaviors include:
Recognizing and reporting potential threats
Using passphrases instead of passwords
Keeping a clean desk
Not allowing tailgating
Timely reporting of lost or stolen devices
And many more
This is not the in-depth technical cybersecurity training that you may be required to complete once a year to fill a compliance check box. This is ongoing education through flyers, posters, e-mail campaigns, and lunch and learns. It helps your employees learn to do their work by thinking safely and securely first. A few KPIs to gauge the success of your cybersecurity awareness program are:
Decrease in phishing click rates
Increase of reported threats by employees
Decrease in number of incidents
Decrease in inadvertent data loss (e.g. sending an email with confidential data to the wrong person)
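The four KPIs above are only useful if you track them period over period and know which direction counts as progress (click rates, incidents, and misdirected e-mails should fall; employee reports should rise). The following Python snippet is an added example, not code from the original post; the quarterly figures are constructed for illustration and the structure of the input (simulated phishing e-mails sent, clicked, and reported, plus incident and misdirected-e-mail counts) is an assumption about how a program would record its results.

```python
from dataclasses import dataclass

# Constructed sample data for one awareness program across two reporting periods.
# The figures are made up for illustration; they are not taken from the post.


@dataclass(frozen=True)
class PeriodStats:
    name: str
    phishing_sent: int        # simulated phishing e-mails delivered in the period
    phishing_clicked: int     # recipients who clicked the simulated link
    phishing_reported: int    # recipients who reported the e-mail to security
    incidents: int            # security incidents logged in the period
    misdirected_emails: int   # confidential e-mails sent to the wrong recipient


# Which direction counts as improvement for each KPI named in the post.
LOWER_IS_BETTER = {
    "click_rate": True,
    "report_rate": False,
    "incidents": True,
    "misdirected_emails": True,
}


def _rate(part: int, whole: int) -> float:
    # A period with no simulated e-mails has no meaningful rate; report 0.0
    # instead of dividing by zero.
    return round(part / whole, 4) if whole else 0.0


def kpis(p: PeriodStats) -> dict:
    """Return the four KPIs for a single period."""
    return {
        "click_rate": _rate(p.phishing_clicked, p.phishing_sent),
        "report_rate": _rate(p.phishing_reported, p.phishing_sent),
        "incidents": p.incidents,
        "misdirected_emails": p.misdirected_emails,
    }


def compare(before: PeriodStats, after: PeriodStats) -> dict:
    """Compare KPIs across two periods; each entry records whether it moved the right way."""
    b, a = kpis(before), kpis(after)
    result = {}
    for metric, lower_better in LOWER_IS_BETTER.items():
        improved = a[metric] < b[metric] if lower_better else a[metric] > b[metric]
        result[metric] = {"before": b[metric], "after": a[metric], "improved": improved}
    return result


def on_track(before: PeriodStats, after: PeriodStats) -> bool:
    """True only when every KPI improved between the two periods."""
    return all(v["improved"] for v in compare(before, after).values())


# Constructed quarters: Q2 improves on every KPI, Q3 slips on click rate.
Q1 = PeriodStats("Q1", phishing_sent=400, phishing_clicked=60,
                 phishing_reported=40, incidents=12, misdirected_emails=9)
Q2 = PeriodStats("Q2", phishing_sent=400, phishing_clicked=28,
                 phishing_reported=110, incidents=7, misdirected_emails=4)
Q3 = PeriodStats("Q3", phishing_sent=400, phishing_clicked=30,
                 phishing_reported=100, incidents=8, misdirected_emails=3)

if __name__ == "__main__":
    for label, (earlier, later) in {"Q1->Q2": (Q1, Q2), "Q2->Q3": (Q2, Q3)}.items():
        print(label)
        for metric, v in compare(earlier, later).items():
            status = "improved" if v["improved"] else "worse"
            print(f"  {metric:20} {v['before']!s:>8} -> {v['after']!s:>8}  {status}")
        print("  program on track:", on_track(earlier, later))
```

Keeping the sent count in the denominator matters: a campaign that reaches 400 people and one that reaches 40 are not comparable by raw click counts, and a quarter with no simulation at all should show as "no data" rather than as a perfect score, which is why the rate helper returns 0.0 instead of raising.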
If you aren't sold yet on the effectiveness of cybersecurity awareness, let me give you an example of why a hardened perimeter by itself is not effective:
Let's say you want to protect your family and your home. You go out and get the best home security system money can buy. This system is complete with the best cameras, sensors, and monitoring around the clock. Everything is great until one evening, while visiting your house, your bonehead brother opens the front door and unknowingly invites a bad guy in. The bad guy robs everyone and leaves with all their valuable possessions.
You see, all the money spent on the high-end security system meant nothing because someone you trusted opened the door and let the bad guy in. This type of inadvertent incident is the kind of behavior we must change. As humans we make mistakes; it happens. Yet, with proper education, we can reduce those mistakes to ensure we have a safer and more secure computing environment for everyone.
If you enjoyed this post, please share it. Also, be sure to follow us on social media to stay up to date on all the latest news and offerings.