People: Problem or Solution for Cyber Threats?
According to the recent “Ponemon 2017 Cost of Data Breach Study,” 24% of data breaches were caused by human error, 24% were caused by external attacks and the remaining 52% were from system glitches. Now while that 24% from human error statistic might seem moderately concerning against a full 100% of the scope, the sub segments of that 24% of human error stat include lack of awareness, ignoring security policy and disgruntled employees, which are no less important.
Some of the largest and most damaging data breaches over the past 18 months were caused by an employee innocently clicking on a link or attempting a file download from a malicious email (think Target, Sony Pictures and Google Docs, to name a few). This is a hacker tactic referred to as “spear phishing” in which the cybercriminal goes to great lengths to create an email design to mimic a business or organization familiar to the recipient (e.g., banks, retail outlets, schools, associations, etc.). You have probably seen an email subject line or two from a bank that you are not even a customer of stating that “your account has been locked,” or “there is a security update available; please click here to protect your account.” Well, guess what happens if you “click here”?
Social engineering is another form of malicious activity seeking out an exploit opportunity from unaware victims. Social engineering can comprise physical tactics such as someone looking over your shoulder while you log into an online or company network account, or digging through your trash in your absence, or even rifling through your desk looking for passwords that you may have written down. More typically and really evasive is when a hacker creates a fake Facebook or other social media page and it magically contains people you know, your special interest groups, and whatever other information they may have scraped from your legitimate social media page.
Worse yet, I have talked with “ethical hackers” from cybersecurity firms who tell me that many times when bad guys want to go after a large target, they actually start by breaching the mobile devices of the young teens of parents who work for the target organization. They know that these devices are the most vulnerable, and they can then access the adults’ devices and eventually go through the adults into the target organization.
So as the title here suggests, when it comes to threat mitigation against cybercrimes, employees can either be your weakest link or your best defense. But they don’t know what they don’t know. There has never been a time in our recent history when education and training on cyber awareness is more crucially needed. The Department of Homeland Security (DHS) vehemently says that security is everyone’s responsibility.
Even though your parent organization may be responsible for maintaining an effective security posture for the entire domain, as a manager you can do your part too:
- Distribute articles on the topic to workers.
- Educate employees and encourage a “Do Not Click” policy for internal and personal email.
- Go directly to the original manufacturer’s website for downloads.
- Implement an old school policy of directing users to pick up a phone and call the sender to verify they sent the link or the file to download.
Go to your administration and ask for training from the IT or Information Security staff for your people. If they are not able or willing, ask for budget to contract a third party cybersecurity firm to bring periodic workshop and training sessions to you. Maybe even get other departments to chip in and help fund the training.
Get creative and be proactive — but be persistent because all it takes is one click to bring catastrophic results to the whole organization.
Oh yeah, did I mention that the average cost of a data breach in the U.S. alone in 2017 was $7.35 million? As an example, there was a case in 2016 of a large health services company where a HIPAA violation resulted from the hacking of the organization’s pager system. The total cost to them was $6.9 million, and just the postage cost alone in customer notifications was more than $125,000.
Staying secure can come at a cost and sometimes at the price of inconvenience for taking the extra steps to be safe, but consider the consequences of maintaining the status quo. Cybersecurity experts typically say, “pay now or pay later, but later is always much more expensive.”
The bottom line: if you want to continue to demonstrate real value to your administration, show them that you are being mindful and proactive about contributing to the greater good of your organization by following the DHS lead and doing your part to keep your staff and the parent organization safe from cybercrimes
Aaron Hale is a senior advisor for Canon Solutions America’s Enterprise Services & Solutions division. With 20+ years’ experience in the corporate enterprise, SMB and graphic communications industries, his passion is to help leaders make strategic business decisions in their go-to-market and operational directions and then move them into actionable programs. Whether providing investment consulting for business process automation solutions or developing tools and resources for graphic services providers to deliver improved electronic and print communications, it’s watching them succeed that motivates him.