Sure, yoga teaches the flexibility that is key to adapting to your surroundings. But in practicing daily self-awareness, the saying “A team is only as good as its weakest player” is rarely truer than in the world of cybersecurity. How does your team stack up?
Target knows. Sony knows. Ashley Madison definitely knows. That’s the bad thing – an organization may only realize how strong — or weak — their cybersecurity position is once there is a successful cyberattack. The nature of the attack doesn’t matter, nor does the overall effect. The damage is done, and the organization goes into clean-up mode. In the days immediately following, the phrase heard most is “How did this happen” when the real question should be “How can we prevent this from happening again”?
Subtlety isn’t the goal of a hacker, nor is it their strongest attribute. The modus operandi of any hacker is singular: find a cybersecurity vulnerability and exploit to their advantage. The rest doesn’t matter. You likely disagree, but we think you’ll realize this is exactly the case. After all, we want to help you beef up your security and prevent a vulnerability rather than shift into defensive mode upon clean-up from an attack. The latter is going to shift your focus for up to a year of reactivity, while a little extra focus now will prolong your proactive position. An ounce of prevention is worth a pound of cure, especially in this type of situation.
At the most basic level, your organization’s cybersecurity is based on your team’s awareness level – which can easily be assessed and addressed in training. Data breaches caused by hackers are one thing, but the simplest way for a hacker to gain access is by finding a weak link – a human operator – and using sneaky tricks to exploit weakness from that angle. A hacker can use pretty low-tech approaches in this way, like phishing.
Does your cybersecurity awareness training still include exercises and tips on old-fashioned tricks like phishing? It’s amazing the simple tactics some of these hackers will resort to – but the reason is that these tricks still work on us. A 2017 study by Google reported that phishing was still one of the most effective tactics used for hacking a user account.
Perhaps it’s because we don’t see ourselves as targets anymore, thinking hackers only target the “big fish” for the bigger reward – a unique tactic called “whaling” – but the reality is that everyone is a target There are no exceptions. Any computer user can be an access point for a cyberattacker because any computer can serve a greater purpose for a cybercriminal.
One click is sometimes all it takes to turn a user into a victim – and for a hacker to wreak havoc on a network. One click can lead to a malware installation, identity theft, or worse, ransomware. That click could cost an organization into the millions of dollars.
Remember when we said all it takes is one click? It’s true. In 2017, hackers sent emails to staff at Chipotle and managed to trick someone into one click, compromising the point-of-sale (POS) machines at locations that enabled the hackers to gain access to the credit card data of millions of customers. The worst part is that even end users who are in the tech industry have been tricked; Google and Facebook have both been affected to the tune of $100 million each because of successful phishing attempts.
One way organizations have used to test the awareness of their team is by executing an internal phishing campaign. This is a campaign where the company has total control of the phishing attempt but tests the staff to see where the weaknesses are. The results only help improve overall training and cybersecurity.
This approach is wildly successful in getting an accurate picture of your team’s awareness. Who fails the test? How far will some employees allow a hacker to get before realizing they are being phished? Where does your training lack focus that the attempt was successful?
A few things to keep in mind with this approach:
When your exercises and training give you enough insight to update your training, keep the training outline simple with a few target areas that are comprehensive enough to be thorough but straightforward enough to be digestible:
Organizations can also take steps to protect themselves internally, too. Limit access to all computer equipment to authorized personnel only, install up-to-date antivirus software at each workstation and update all programs on a regular basis – especially security updates. Having a contingency plan in place for any vulnerabilities might seem like overkill, but it never hurts to be prepared.
Self-awareness is just the first step in achieving the ultimate level of cybersecurity protection – don’t wait until an attack happens before you start defending yourself and your organization!