Cybersecurity: Employees Are Your First Defense
Data breaches can mean disaster for both employees and the organization. They can cause financial loss, safety issues, negative publicity, lost productivity and compromised personal and organizational data. In 2017, the Ponemon Institute studied related costs and found that 24% of breaches resulted from employee errors.
Training and development programs for your employees can help reduce cyber risks. Leadership must be diligent in creating a culture of awareness by teaching employees how to detect the latest attack techniques and emphasizing the importance of reporting suspicious activity.
The Evolution of Cyber Attacks
As attack techniques become public, hackers change their approach, and organizations’ training programs have to change to keep up. Recent attacks look more sophisticated; many are individually tailored to obtain sensitive information and gain access to internal systems. Attackers use social engineering (such as calling the receptionist to ask for names and titles) to offer partially correct information and persuade the target to share real information. By creating a false sense of connection to an individual or the organization, an attacker can circumvent technical security controls. For example, an email to an executive’s assistant might claim that an executive leader asked for credit card numbers or for purchases of gift cards.
Protecting Your Organization
The United States Computer Emergency Readiness Team (US-CERT) provided detailed advice on how to avoid becoming a victim of social engineering:
- Maintain vigilance and skepticism about inbound communications (phone calls, visits and emails)
- Verify identities and don’t hesitate to call IT security or get a second opinion
- Only share internal information with confirmed and authorized individuals
- Tag external emails to denote when addresses should be double-checked
- Be suspicious of emailed attachments, links or forms
- Use alternative channels to verify information
From an organizational perspective, when is the last time you revisited your cyber security training programs? What types of techniques and topics are addressed in those trainings? What are the metrics you use to monitor the effectiveness of your protections? How do you communicate the latest cyber threats?
Your organization’s IT administrators should carefully select topics to include in the training program. Important areas to cover include detecting spoofed/falsified senders, overly urgent messages, and external communications that include attachments, links or form fields.
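The controls described above, tagging external mail and spotting spoofed senders and overly urgent messages, can be expressed as a simple screening rule. The following is an added illustration written for this article, not code from the author or from US-CERT; the organization domain, the executive names and the two sample messages are constructed placeholders, and the urgency word list is an assumption a real deployment would tune.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed organization domain (placeholder, not a real deployment value)
INTERNAL_DOMAIN = "example.com"
# Constructed list of leaders whose display names are likely to be impersonated
EXECUTIVE_NAMES = {"jane doe", "john smith"}
# Assumed phrases that signal the "overly urgent" pattern the article describes
URGENCY_TERMS = ("urgent", "immediately", "asap", "right away", "gift card", "wire")


def domain_of(address):
    """Return the lower-cased domain part of an email address, or '' if none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def screen_message(raw_message):
    """Screen one RFC 822 message and return its tagged subject plus findings.

    Findings correspond to the training topics in the article:
      external-sender      - From domain is not the organization's domain
      display-name-spoof   - display name matches an executive but the
                             address is external
      reply-to-mismatch    - Reply-To points at a different domain than From
      urgent-language      - subject or body uses pressure phrases
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    findings = []

    external = from_domain != INTERNAL_DOMAIN
    if external:
        findings.append("external-sender")
    if external and display_name.strip().lower() in EXECUTIVE_NAMES:
        findings.append("display-name-spoof")

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("reply-to-mismatch")

    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content() if body else ""
    text = (str(msg.get("Subject", "")) + " " + body_text).lower()
    if any(term in text for term in URGENCY_TERMS):
        findings.append("urgent-language")

    # Tag external mail in the subject so readers double-check the address
    subject = str(msg.get("Subject", ""))
    if external and not subject.startswith("[EXTERNAL]"):
        subject = "[EXTERNAL] " + subject
    return {"subject": subject, "findings": findings}


# Constructed sample: an impersonation attempt aimed at an executive assistant
SPOOFED_MESSAGE = """From: Jane Doe <jane.doe.ceo@mail-example.net>
Reply-To: Jane Doe <jd@other-webmail.test>
To: assistant@example.com
Subject: Urgent request
Content-Type: text/plain

Are you at your desk? I need you to buy gift cards right away and send me the codes.
"""

# Constructed sample: routine internal mail that should pass without findings
INTERNAL_MESSAGE = """From: Payroll <payroll@example.com>
To: staff@example.com
Subject: Timesheets due Friday
Content-Type: text/plain

Please submit your timesheet in the HR portal by Friday.
"""

if __name__ == "__main__":
    for sample in (SPOOFED_MESSAGE, INTERNAL_MESSAGE):
        result = screen_message(sample)
        print(result["subject"], "->", result["findings"] or "no findings")
```

A rule like this belongs in the mail gateway rather than in the inbox, and its output is a prompt for the verification habits the list above describes (call the sender on a known number, ask IT security), not a verdict on its own.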
Your senior organization leaders are likely to be prime targets for cyber-attacks. They can set an example and raise urgency by sharing their experiences with associates and staff. They can ask employees, “Have you ever received an email — purportedly from an executive leader — requesting information, soliciting financial transactions or asking for organizational details?”
The simple act of an executive leader telling employees that he/she will never request financial or sensitive information through email can be an effective way to help avoid future breaches. Every employee must take responsibility for protecting the organization. Creating awareness outside the IT department may be critical to preventing a future breach and keeping the organization secure.
Authored by Brett Nabors. For questions about IT advisory services, please contact us.