I suppose the fake rock is better than nothing. Definitely better than under the welcome mat or the flower pot.
Unfortunately, too many business owners have applied the same philosophy to their company's cybersecurity, sprinkling more than one of these fake-rock key holders across the front lawn. The worst part is that many don't even realize they're doing it, unwittingly opening a gaping hole in the company's defenses.
And like so many other things, the pandemic has thrown these vulnerabilities in sharp relief this year. As employees spend more time working from home and business leaders struggle to adapt to ever-changing rules, cybersecurity threats are quietly bubbling to the surface.
Breaches almost always come in through one of two main doors: your technology and your people. But with so much to wrap your arms around, where do you even start?
Fortify your people power
Your people are the real wild cards here, because your cybersecurity programs and technology can only do so much. In the end, your defenses are only as strong as your weakest link, and that weak link is usually a human.
This year, phishing attempts have been as malicious as ever, with cybercriminals preying on our pandemic fears and uncertainty, using COVID-related schemes to entice employees into unknowingly handing over the keys. Bob Bruns explains what’s at stake in Forbes:
“What’s the No. 1 risk to businesses today? My answer is always the same: people and their behaviors … These attacks focus on exploiting vulnerabilities in human behavior that might turn your employees into unwitting co-conspirators in an attack … This door will likely always have to be fortified with ongoing training and education.”
The shift to working from home means many employees are using personal devices for business, connecting over networks the company doesn't control, moving files to the cloud, and working without a good awareness of cybersecurity vulnerabilities (and with no clear way to report them if they were to spot them).
This is why the ongoing training Bruns mentions is so important. That education helps protect your organization from downtime, reputational harm and financial loss, while giving employees confidence that they're working safely when they log in from home.
Don’t let phishing get any nibbles
Phishing is not a new phenomenon, but the practice has grown remarkably sophisticated and effective: Infosecurity Magazine reports that it is the most common attack route, figuring in nearly 95% of successful cyberattacks. And while we'd like to think we could all spot these fakes, we know that's not the case. If an employee hasn't been trained to know what to look for, you're vulnerable. Ax Sharma elaborates in CIO:
“A hands-on program training employees to be able to distinguish legitimate emails and phone calls from suspicious ones, such as a call from the ‘CEO’ asking for a highly sensitive payroll spreadsheet of all employees, can better equip employees to handle unexpected situations and requests to which they may otherwise fall prey out of hesitation.”
With an estimated 15 to 20% of employees prone to open these fake emails and take some kind of action on them, this training is not only crucial but likely overdue. Once employees are trained, the next step is teaching them how to report a suspected threat. When the security team is notified, it can pull any additional copies from other employees' inboxes, ideally before anyone else has a chance to open them.
The good news is that effective, repeatable training makes a measurable difference: it can reduce the share of employees who fall for these schemes to just 2 to 5%. Simply put, the more you close that gap, the lower your company's risk.
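The report-and-purge step described above, shown as an added example that is not part of the original article and not Veracity's own tooling: a small Python sweep that takes one reported message, extracts the indicators a help desk can pivot on (Message-ID, sender plus subject, and the hosts of any links), finds the other copies across mailboxes, and splits them into copies to pull before they are opened and users who already opened one and need follow-up. The `Message` records and mailbox data are constructed for the example; a real deployment would read them from the mail platform's search API.

```python
"""Sweep mailboxes for copies of a reported phishing message.

The mailbox data at the bottom is constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set
from urllib.parse import urlparse


@dataclass(frozen=True)
class Message:
    user: str          # mailbox owner
    message_id: str    # RFC 5322 Message-ID header value
    sender: str        # From: address
    subject: str
    body: str
    opened: bool       # whether the owner has already opened it


URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def link_hosts(body: str) -> Set[str]:
    """Lower-cased hostnames of every http(s) link in the body."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def extract_indicators(msg: Message) -> Dict[str, object]:
    """Indicators from one reported mail that other copies are likely to share."""
    return {
        "message_id": msg.message_id,
        "sender": msg.sender.lower(),
        "subject": msg.subject.strip().lower(),
        "hosts": link_hosts(msg.body),
    }


def matches(msg: Message, ind: Dict[str, object]) -> bool:
    """A copy shares the Message-ID, or sender plus subject, or a link host.

    Campaigns often rotate sender and subject per recipient but reuse the
    credential-harvesting host, so the host check catches those variants.
    """
    if msg.message_id == ind["message_id"]:
        return True
    if msg.sender.lower() == ind["sender"] and msg.subject.strip().lower() == ind["subject"]:
        return True
    return bool(link_hosts(msg.body) & ind["hosts"])


def sweep(reported: Message, mailboxes: List[Message]) -> Dict[str, object]:
    """Find every other copy and sort it into 'pull now' versus 'follow up'."""
    ind = extract_indicators(reported)
    copies = [m for m in mailboxes if m is not reported and matches(m, ind)]
    return {
        "indicators": ind,
        "pull_unopened": sorted(m.user for m in copies if not m.opened),
        "follow_up_opened": sorted(m.user for m in copies if m.opened),
    }


# Constructed sample: one reported phish plus four other mailboxes.
REPORTED = Message(
    "alice", "<c1@evil.example>", "hr@payroll-update.example",
    "COVID-19 Payroll Update",
    "Confirm your details at https://login.payroll-update.example/verify", True,
)
MAILBOXES = [
    REPORTED,
    # identical copy, not yet opened: pull it
    Message("bob", "<c1@evil.example>", "hr@payroll-update.example",
            "COVID-19 Payroll Update",
            "Confirm your details at https://login.payroll-update.example/verify", False),
    # rotated sender and subject, same harvesting host, already opened: follow up
    Message("carol", "<c2@evil.example>", "it@payroll-update.example",
            "Action required",
            "Sign in: http://login.payroll-update.example/verify?u=carol", True),
    # legitimate internal mail: must not match
    Message("dave", "<n1@corp.example>", "hr@corp.example",
            "Benefits enrollment", "https://intranet.corp.example/benefits", True),
    # same sender and subject, no link, unopened: pull it
    Message("erin", "<c3@evil.example>", "hr@payroll-update.example",
            "COVID-19 Payroll Update", "See the attached form.", False),
]


def demo() -> Dict[str, object]:
    """Run the sweep over the constructed sample."""
    return sweep(REPORTED, MAILBOXES)


if __name__ == "__main__":
    print(demo())
```

The sweep deliberately matches on more than the Message-ID: copies sent to different recipients in the same campaign frequently carry distinct IDs and subjects, so a purge keyed on the reported header alone would leave most of them in place.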
Reduce your risk by knowing your risk
Of course, this particular year has many business leaders feeling discombobulated and stretched a little thin. When we ask executives where they stand on cyber readiness, their answers are all over the board. And implementing any kind of IT process or system change is historically a cumbersome process. All that must change, says Frank Cutitta, CEO and Founder of HealthTech Decisions Lab:
“Agility and resilience baked into the culture of IT suite will be the antidote for whiplash. IT organizations saddled with the age-old departmental stereotype of ‘the land of slow and no’ will quickly become marginalized and irrelevant. The ultimate challenge will be the ability to embed outside-in thinking into the fabric of IT organizations.”
Start with a simple risk assessment. This peek under the hood lets you uncover and prioritize the vulnerabilities in your systems, applications and network infrastructure so you can respond appropriately. A comprehensive assessment, coupled with a security management framework, helps your company improve the security of its systems.
The assessment should look not only at your policies but also at the phishing campaigns hitting your organization, including who opened them. That lets you assess your risk more accurately, develop customized programs and provide reinforcement training.
And that reinforcement is key: These types of risk assessments are only valid for so long. Remember that cyberthreats are constantly evolving, so I recommend redoing the assessment every six months at least. If you’re waiting longer than that, you’re just throwing caution to the wind.
Because, let’s face it, that plastic rock will only fool people for so long.
John Dickerson is an infrastructure architect and security subject matter expert at Veracity Consulting, a tech consulting team of trusted advisors, ready to deliver unique solutions to the toughest business challenges of commercial and federal clients across the U.S. Learn more at VeracityIT.com, and share your thoughts on Facebook or Twitter @engageveracity.