Barely a week goes by without news of a major cyber breach. Impacted companies are often unprepared, leaving them scrambling to secure data, communicate with customers, and repair damaged reputations. The expenses involved in cleaning up after a cyber attack can reach the millions — and that only includes hard costs. As I wrote a few weeks ago in a post about staying off the front page, loss of consumer trust carries soft costs that can only be guessed at.
Ransomware attacks are the current tool of choice among cyber criminals, reaching number one on the 2017 Verizon Data Breach Investigations Report's list of most serious cyber security threats. Malware attacks have increased worldwide by 51 percent and no size or type of company is safe. In fact, smaller businesses make more appealing targets because they invest less in prevention measures like training. More than 61 percent of all attacks were aimed at companies with 1,000 employees or fewer. Investment in training staff members to recognize and avoid risk is the most effective and affordable way to keep your company's data safe.
Your Biggest Risk Factor: Your Staff
Though occasional software flaws still make it possible for hackers to breach company networks, this route to unauthorized access is becoming more difficult. Software vendors, internal IT departments, antivirus products, and cyber security providers have developed sophisticated tools to detect and shut down cyber criminals before they cause any damage.
Faced with security measures that are nearly insurmountable, hackers have changed their strategy. Instead of reaching business information through a network breach, they target the individuals who use the system: your staff. These criminals have developed a series of effective tricks and cons to persuade employees to give up sensitive information. The primary objective is to steal the passwords that grant system access; credential theft accounts for approximately 80 percent of attacks. But plenty of other information interests bad actors as well. Remember: any type of data has value to someone.
Tricks of the Cyber Criminal Trade
While most attacks are aimed at gaining access to financial details that can be turned into cash, there is a market for stolen company secrets. Product prototypes and cutting-edge research accounted for more than 300 of the system breaches analyzed in the Verizon report. The ease with which cyber criminals fool employees into releasing information often surprises senior leaders, but it is quite common. Fortunately, it is possible to train employees to be on guard against the standard tactics.
Hackers approach employees by phone or email, pretending to be colleagues in other parts of the business or friendly partners seeking assistance. For example, they may pose as HR staff who urgently need employee data, or claim to be from the IT department conducting tests. These maneuvers, known as "social engineering" (or "phishing" when they arrive by email), are relatively easy to educate against through simple training modules. Once staff members know how to recognize a phishing attempt, and what to do if they are targeted, your organization is one step further from a breach.
"No matter how gifted, your users will always be your weakest link when it comes to information security. That's not to say you can't limit this risk through regularly educating your users on cyber security best practices. This training should include how to recognize a phishing email, how to create strong passwords, avoiding dangerous applications, taking information out of the company, and any other relevant user security risks" (Observe IT).
Remember, the company is only protected when all staff members have completed the training, which requires a comprehensive learning management system. Using Litmos, for example, you can build IT security courses or purchase the latest pre-built content on the subject, assign the appropriate courses to learners, and accurately track the results, so you know that everyone successfully completed the training.
You also need to deliver this type of security training consistently. For some companies, quarterly is fine, but depending on your business you may need to train on security more often. Those in financial services and healthcare, for example, not only face fierce opponents in the cyber criminal world, who tend to change tactics regularly, but also have heftier regulations and compliance rules that must be met to uphold security standards.
Beyond industry, IT security training shouldn't be one-size-fits-all within your organization either. People handle different systems and data, and have different levels of access to information. As Roota Almeida, Head of Information Security at Delta Dental of NJ, said in an interview with Forbes: "The [security] training is customized by how data is handled, the type of data that is handled, and the regulations associated with it. We educate our users on how to protect the data from an information security perspective, as well as from a compliance perspective of data handling procedures, data retention and retrieval procedures."