If not even our leaders are safe, then who is?
2019 was one of the worst years on record for attacks and breaches. Over the course of 2019 there was a massive 54% increase in data breaches – many with dire consequences.
What you read in the press is the tip of the iceberg when it comes to the fates of global players such as Verizon, Capital One, British Airways and many others, with the implications of many attacks still yet to be seen.
Predictably IT companies continue to innovate to provide the best in class infrastructure solutions: And yet the attackers continue to prevail and profit while businesses are crippled or heavily fined or both.
In 2020, the outbreak of the COVID-19 ripped up any virtual defences organisations had put in place, by forcing employees to work from improvised home offices, with devices that were neither up to date, nor secure. Businesses had to rely on the common sense of their employees to keep their systems safe, leaving them exposed to cyber criminals and targeted attacks.
It wasn’t much later that the World Health Organization reported a fivefold increase in cyber-attacks compared to the previous year. Fast forward to July, and the news of a Twitter hack that targeted the accounts of US leaders Joe Biden and Barack Obama is being reported everywhere, leaving the public with one big question.
If not even our leaders are safe, then who is? Although cyber-attacks and Twitter hacks aren’t new phenomena, this particular incident has opened up a public discussion about cybersecurity and what organisations and individuals can do to prevent them from happening, even with limited resources and a remote workforce.
Using technology to counter the problem, while necessary, is only one part of the whole solution. Passing the responsibility to the IT function for your company’s defences to these criminals is misguided at best. Enterprises are now discovering the technology piece only goes so far. It is just one piece of the armoury.
The fact is that 90% of all breaches are caused by human error – a massive statistic when you consider that even the most technically robust of networks can be undone by one simple absent-minded click on a phishing email. Unfortunately, the best technical solutions in the world cannot secure your IT infrastructure alone. Your IT department will be the first to agree that their day-to-day challenge is dealing with users who undo all their good work! Just as it takes an army to be trained to use the weapons, they are given so it is that your people should be trained to defend your company’s systems. The only way to effectively ensure that your defences are not breached is to train your foot soldiers how to use their technical arsenal.
The type of vulnerabilities that are being exploited by criminals are varied and difficult to address internally without expertise: A natural step to address these vulnerabilities is cybersecurity awareness training. Many organisations that do implement cybersecurity training programs often just train the technical staff – missing the real source of the problem – the employee at the frontline. The fact is that every computer, every communications device, is an open door to a criminal and at the moment untrained employees are not only opening the door - they are propping it open and inviting them in.
For other companies, training their staff comes after they have been attacked and the source of the breach is revealed. The organisations that really do understand that these attacks are never going to go away and plan long term protective measures are the ones that build a real cyber awareness culture recognising that cybersecurity is a real business issue.
The practice of doing this is actually relatively simple and resource and cost effective. There is a lot to be gained from a staged approach:
Stage 1. Assigning responsibility and authority. The most important thing to consider is that cybersecurity shouldn’t be put in the hands of a single department. It should be seen as a company-wide initiative and given the recognition of importance that it deserves. Select a department, individual or team that has connections across the organisation and give them the authority to implement team training and awareness and incentivise people to buy into the initiative.
Stage 2. Assess buy-in. Keep tabs on the progress and ensure that everyone in the organisation has a cybersecurity mindset. For example, check that your finance people have checked your cybersecurity cover in your insurance policy. Your company might even save on the premiums by demonstrating your preventative measures. Equally your HR department should update your social media and use of email guidelines and they should build the training into the development plans of your employees.
Stage 3. Attack your own defences: Start running real time cyber-attack simulations across your network. This will show your greatest areas of weakness and give your IT people solid signposts on technical vulnerabilities and also give you priorities for staff training.
Stage 4. Train: Implement training and ensure that it is done across the organisation both horizontally and vertically. If you are a global organisation look for training that comes in native languages - avoid machine translations. Your C-suite should be trained in the same way the most junior person is trained. Cyber criminals don’t care who they target so everyone who is on your network is a potential target.
Stage 5. Communicate, reward, motivate. Make sure that you talk about what you are doing. Share success and tell employees about how you are keeping them and the company safe. What they learn at work they can benefit from at home. Reward people who are cyber heroes. This will in turn motivate others and keeping cybersecurity on the agenda will make sure that, as employees come and go, your culture will remain.
Stage 6. Review and measure. It is good to have clear KPIs when you start. Make sure you keep reports on where your weakest points are in your organisation – it may be a department where you get a lot of temporary workers – and put together measures to eradicate those weaknesses.
These steps give you the foundations to building a great cybersecurity culture within your organisation. The key is to run them on loop. Keeping your people up to date and trained makes them your most valuable custodians of your company’s network.
Technical solutions can be massively costly and that can often swallow a lot of the budget (and attention) when it comes to cybersecurity. However, implementing a program like this can be surprisingly cost effective and ultimately invaluable.
The human touch works both ways: it can bring you down or it can be the best defence. It’s your decision.
Stephen Burke is CEO and founder of Cyber Risk Aware, a company that specialises in real-time cybersecurity awareness training