Monique Little, Cadre Information Security
News of companies getting hacked is omnipresent. The fear, uncertainty, and doubt as a result of these reports can make you want to give up. But don’t let that dissuade you—there’s still hope and it resides in an unusual fact: more than 99% of today’s cyber attacks are human-activated.[1]
You might think to yourself, how is that good? Well, for one thing, human behavior can be changed. It just requires a strong Security Awareness Program.
Security Awareness is More than Phishing Campaigns
Running phishing simulations is a common security education practice, but it is only one component among many other tactics. When we boil it down, Security Awareness is teaching employees how to develop a strong security mindset both at work and at home. That could mean using townhalls, chat channels, newsletters, and informal and formal trainings to enhance cybersecurity best practice knowledge.
Security Awareness is … not holding the door open for the person behind you, even though human nature tells you it’s common courtesy. It’s learning that threat actors leave USB drives behind and hope someone will plug one into their computer to see what’s on it (it’s in our nature as humans to be curious). It’s being aware that hackers use social media to see what your title is at work so they know who to target. It’s training employees to trust, but verify. Just because she says she’s there to fix the printer and name-drops so that it sounds legit, doesn’t make it so; always verify before letting anyone into your office space. Remember, these are just a few examples of social engineering attacks, not an exhaustive list.
When Security Incidents Happen
When an attack or breach occurs, what often has the most influence on the end result is how the organization reacts—and, how they learn from the event.
Post-event, it is critical to evaluate using these questions:
- How did the targeted user react?
- How did IT react?
- What went great?
- What opportunities are there for improvement?
- Are security tools configured correctly?
- Do you have a Security Awareness Program in place? How did it prepare the affected parties?
- Do you know what to do in case of a suspected incident?
What to Do: The #1 Rule
Knowing what to do in the case of a suspected incident is paramount. Messaging to all staff needs to be clear and encourage communication and participation. Good organizational responses should emphasize positive, defensive behaviors. This is true from the CEO to the receptionist to the head of IT. No matter who you are, if you have the slightest suspicion that you are experiencing an attack or have been infected with malware, don’t wait to confirm. End users need to know that IT departments would rather handle false alarms than be kept in the dark about potential attacks. If anything gives an end user pause, it should be reported immediately to IT.
It is important to note that an event or an incident is not synonymous with the B-word (rhymes with reach). Anything that happens on a network—even a false positive—is categorized as an incident. That doesn’t mean that your data has been compromised. Organizations can tie themselves in knots in fear of a public relations fallout only to discover there was never anything there. Don’t allow nomenclature to dictate how you respond.
Be Sure Users Know This
Do the users in your organization know how to contact your IT department in case of a suspected incident?
Make sure that all employees know how to contact IT during business hours, after hours, and on weekends and holidays, and, most importantly, how to contact IT if their email account or their whole computer has been compromised. Users should have the email addresses, desk phone numbers, and cell phone numbers of the appropriate IT contacts.
Debunking the Biggest Cybersecurity Misconception
The misconception: the IT and security team are solely responsible for the organization’s cybersecurity posture. That couldn’t be further from the truth. But it underscores the importance of starting, and maturing, a Security Awareness Program.
Everyone in the organization is responsible for remaining diligent to protect business, employee, and client data. However, not everyone thinks this way. End users must be educated in the role they play, and in how “good” cybersecurity behavior isn’t simply beneficial to the business, but to their own personal lives as well.
There is no technology that can stop all social engineering attacks since they rely on exploiting human nature—you must have ingrained security awareness as your first line of defense.
Having a strong Security Awareness Program can help to minimize security incidents within your organization. If employees know what to look for, they can do their parts to help keep your organization’s data secure. If you have questions about or need assistance in building a strong Security Awareness Program within your organization, please contact us.