Cyberattacks on SMBs continue to rise and they are more targeted and more complex than ever. Consider the following:
- 66 percent of SMBs experienced an attack in the past 12 months
- 69 percent experienced an attack that got past their intrusion detection system
- 45 percent of SMBs said that their organization’s security posture was ineffective at mitigating attacks
- 57 percent of the attacks were from phishing/social engineering
Source: 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses, Ponemon Institute
A high proportion of successful attacks, we believe over 80 percent, are due to employee carelessness. Most come in through phishing emails in which a user opens an attachment or clicks on a link without thinking twice about vetting the sender. Email filtering works to some extent, but the bad guys have learned how to get around the protections that organizations have put in place. For instance, some malicious attachments now wait until they detect human interaction, such as a mouse click or typing, before downloading their payload, so that the automated sandboxes used by email filters never see the malicious behavior.
Companies understand that employees are a major component of their organization’s information security challenges. In IDG’s 2019 Security Priorities Study, 44 percent of respondents said they wanted to increase security awareness and staff training, making it the second highest priority for the year.
But here’s the ugly truth: Training won’t work.
Part of the problem is the negative connotation of the term “training”. While employees need to understand the importance of using security best practices, “training” conjures up images of sitting in a stuffy conference room all day listening to boring lectures. And, like training at a gym, it’s hard to maintain good practices unless they are woven into your lifestyle.
So instead of training, change the culture of your company to incentivize employees to embrace good security habits whether in the office or working remotely. The best way to do this is to make it personal. Good physical security habits, like locking the door and installing cameras, keep people safe from burglaries and assaults. In the same way, good cybersecurity habits help keep employees' own personal data safe, protecting them at the same time they are protecting the organization's systems and data.
It’s one thing to say that a major data breach could lead to a loss of customers and revenue for the business. But, aside from the business risk, how might that affect employees directly? Maybe that loss will lead to corporate downsizing (job losses) or the lack of annual salary increases.
You can also use examples of a personal data breach to bring home the point. How much distress would an employee experience – in terms of mental anguish and possible financial damage and identity theft – if a hacker got into the corporate network and stole their Social Security number from the human resources department?
Employees should understand that this concept isn't a stretch, as most attacks have the potential to impact employees personally. In doubt? Consider the following types of information, which are common targets of attacks:
- Confidential business information, which includes financial data, customer data and employee data
- Privileged account information (credentials, personal passwords)
- Sensitive personal information, including personally identifiable information (PII) and protected health information (PHI)
Building good security into your culture is a matter of helping employees see these habits not as a burden but as personal protection for them as well as for the business. The process should start when you onboard new employees and then be constantly reinforced. Build good security hygiene into your processes: require multi-factor authentication, remind people to use passphrases rather than short passwords, never to reuse the same one across accounts, and to store them in a password manager.
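To make the passphrase and reuse advice concrete, here is an added example (not code from the original article or from BTB Security) showing why a multi-word passphrase beats a short "complex" password, and how a password-change process can reject a password the user has used before without storing old passwords in the clear. The short word list, the 7,776-word size of the EFF long list used for the entropy figures, and the PBKDF2 parameters are assumptions made for this example.

```python
import hashlib
import hmac
import math
import os
import secrets

# Constructed sample word list for the demo only. A real generator should use
# a large published list such as the EFF long word list (7,776 words); the
# entropy figures below assume that size, not this short list.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garnet",
    "harbor", "island", "jigsaw", "kettle", "lantern", "meadow", "nectar",
    "orchid", "pebble",
]
EFF_LONG_LIST_SIZE = 7776          # assumed: size of the EFF long word list
PBKDF2_ITERATIONS = 600_000        # assumed: current OWASP guidance for PBKDF2-HMAC-SHA256


def generate_passphrase(n_words=6, wordlist=SAMPLE_WORDS, sep="-"):
    """Pick n_words uniformly at random with a CSPRNG (secrets, never random)."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(choices_per_symbol, n_symbols):
    """Bits of entropy for n_symbols independent, uniform picks from a set."""
    return n_symbols * math.log2(choices_per_symbol)


def compare_strengths():
    """Entropy of a 6-word passphrase from a 7,776-word list versus an
    8-character random password drawn from the 94 printable ASCII characters."""
    return {
        "passphrase_6_words": round(entropy_bits(EFF_LONG_LIST_SIZE, 6), 1),
        "password_8_chars": round(entropy_bits(94, 8), 1),
    }


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, digest) for the password history."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def is_reused(candidate, history, iterations=PBKDF2_ITERATIONS):
    """True if candidate matches any (salt, digest) entry in the password history.
    Each stored entry has its own salt, so the candidate is re-derived per entry
    and compared in constant time; the old passwords themselves are never stored."""
    cand = candidate.encode("utf-8")
    for salt, digest in history:
        probe = hashlib.pbkdf2_hmac("sha256", cand, salt, iterations)
        if hmac.compare_digest(probe, digest):
            return True
    return False


if __name__ == "__main__":
    print("new passphrase:", generate_passphrase())
    print("entropy comparison:", compare_strengths())
    history = [hash_password("anchor-basket-candle-dolphin-ember-falcon")]
    print(is_reused("anchor-basket-candle-dolphin-ember-falcon", history))   # True
    print(is_reused("garnet-harbor-island-jigsaw-kettle-lantern", history))  # False
```

The six-word passphrase carries roughly 77 bits of entropy against about 52 bits for an eight-character password built from the full printable keyboard, and it is far easier to remember and type. The reuse check is what a password-rotation process needs: keep only salted, iterated hashes of previous passwords and test the new one against each entry.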
At least once a year, hold a security awareness refresher. But don’t call it training. Another of that term’s bad connotations is that it is the same, boring class that employees are obligated to attend each year, just so IT can check that box.
Instead, update the course with new information. Whether it's an in-person get-together or you host it remotely, make sure to liven it up. What are the latest twists in phishing and social engineering to watch out for? Use some recent examples of how an SMB experienced a crippling attack (and how that impacted its employees). Maybe bring in a local victim of identity theft to talk about their experience.
The truth is, most of us won’t go too far out of our way to protect a company, unless we own it. That’s why it’s so important for employees to understand the potential personal consequences of bad security.
Cybersecurity is everyone’s responsibility and should be a core component of your corporate culture. For more on how to improve your organization’s security posture visit us at www.btbsecurity.com.