According to a 2017 study by the Ponemon Institute, the average organizational cost of a data breach is $3.6 million globally. An astounding 47 percent of this is due to either a malicious or criminal attack. Findings published after the 2017 Verizon Data Breach Investigations Report indicated that 66 percent of all malware installed was due to unsuspecting email users opening malicious attachments, and that 81 percent of all data breaches were due to stolen or weak passwords.
Figures like these are enough to make companies sit up and take notice. Often, in a knee-jerk reaction, they batten down the hatches: employees are required to attend compulsory cybersecurity training built on off-the-shelf training packages. These tend to be dry, outdated, jargon-filled and even condescending. Add to the mix unwilling employees who see the training as a tick-in-the-box exercise, and we have a lesson in futility.
It may be true that employees themselves are the weakest link in corporate cybersecurity. This is why simple employee security training and education are so crucial in the current climate.
One-size Cybersecurity Training Does Not Fit All
It is crucial to understand that cybersecurity training needs to be tailor-made. Employees often just want to know exactly what they need to do in their day-to-day work to avoid a data breach, or, in their own words, to avoid getting into any trouble. If an employee’s everyday job is to process payments, it is likely that they will be caught off guard and open an attachment marked ‘Invoice’ at one point or another.
The people who “craft” these attacks work tirelessly to create the perfect hook. Phishing techniques are also getting more sophisticated; the newest is whaling, a form of phishing that targets higher-ranking management. These emails will look like critical business emails such as complaints, managerial matters, or legal documents. All it takes is one person opening an attachment. Even with the most vigilant and sophisticated spam filter, one or two may still get through.
Keep your training simple and to the point. By arming your employees with the skills to recognize suspect emails and report them, the fallout of a breach can be contained, and your employees can become your first line of defense against these cyber-attacks rather than the initial point of weakness.
Keep Security Rules Simple
In an attempt to make their IT systems “un-hackable,” companies tend to overcomplicate things. This includes making passwords difficult – employees are told to select unique passwords with a jumble of characters, or to use a random set of three words as a passphrase, and to change them often. However, these measures tend to be counter-productive. A safer option is for organizations to apply two-factor authentication, where a code or one-time PIN is keyed in. Alternatively, thumbprint recognition technology could also be considered.
A Culture of Collaboration and Trust
Both employees and the IT department need to remember that they are on the same team. An increased understanding between departments will pay dividends in preventing expensive data breaches.
An example of how the departments can work collaboratively is when employees need to use convenient apps that may have been restricted due to security concerns. In order to do their job, employees might take shortcuts or turn to less reliable alternatives. A better option is for the IT department to set up a corporate account with added security and educate users on the safe way to use those accounts.
Do you have questions about how to keep your business and employees safe from a cyberattack? Contact us today!