Sure, yoga teaches the flexibility that is key to adapting to your surroundings. But in practicing daily self-awareness, the saying “A team is only as good as its weakest player” is rarely truer than in the world of cybersecurity. How does your team stack up?
Target knows. Sony knows. Ashley Madison definitely knows. That’s the bad thing – an organization may only realize how strong – or weak – its cybersecurity position is once there is a successful cyberattack. The nature of the attack doesn’t matter, nor does the overall effect. The damage is done, and the organization goes into clean-up mode. In the days immediately following, the phrase heard most is “How did this happen?” when the real question should be “How can we prevent this from happening again?”
Subtlety isn’t the goal of a hacker, nor is it their strongest attribute. The modus operandi of any hacker is singular: find a cybersecurity vulnerability and exploit it to their advantage. The rest doesn’t matter. You may disagree, but we think you’ll come to see that this is exactly the case. After all, we want to help you beef up your security and prevent a vulnerability rather than shift into defensive mode while cleaning up after an attack. The latter can consume up to a year of reactive effort, while a little extra focus now will prolong your proactive position. An ounce of prevention is worth a pound of cure, especially in this type of situation.
At the most basic level, your organization’s cybersecurity is based on your team’s awareness level – which can easily be assessed and addressed in training. Data breaches caused by hackers are one thing, but the simplest way for a hacker to gain access is by finding a weak link – a human operator – and using sneaky tricks to exploit weakness from that angle. A hacker can use fairly low-tech approaches in this way, like phishing.
Does your cybersecurity awareness training still include exercises and tips on old-fashioned tricks like phishing? It’s amazing the simple tactics some of these hackers will resort to – but the reason is that these tricks still work on us. A 2017 study by Google reported that phishing was still one of the most effective tactics used for hacking a user account.
- Phishing is the practice of sending emails pretending to be from a reputable company, like Google or Apple, to get recipients to reveal personal information like passwords to the sender.
Perhaps it’s because we don’t see ourselves as targets anymore, thinking hackers only target the “big fish” for the bigger reward – a unique tactic called “whaling” – but the reality is that everyone is a target. There are no exceptions. Any computer user can be an access point for a cyberattacker because any computer can serve a greater purpose for a cybercriminal.
- Why does phishing still work? Because we let it. We start to shift our focus to the newer or more sophisticated methods hackers use, and we don’t maintain vigilance on the basic approaches in cybersecurity awareness training.
One click is sometimes all it takes to turn a user into a victim – and for a hacker to wreak havoc on a network. One click can lead to a malware installation, identity theft, or worse, ransomware. That click could cost an organization millions of dollars.
- Ransomware is like a virus: a hacker accesses a computer or network and places a file or code that blocks user access, then requires the user to pay money – a ransom – to the cyberattacker to regain access to the computer or network.
Remember when we said all it takes is one click? It’s true. In 2017, hackers sent emails to staff at Chipotle and managed to trick someone into one click, compromising the point-of-sale (POS) machines at its locations and giving the hackers access to the credit card data of millions of customers. The worst part is that even end users who are in the tech industry have been tricked; Google and Facebook have both been affected to the tune of $100 million each because of successful phishing attempts.
- Did you know that some companies hire former (“rehabilitated”) cybercriminals as cybersecurity specialists – true experts – to help mold technology teams in charge of cybersecurity and oversee cybersecurity awareness training programs? These are probably among the most solid and effective programs in existence!
One way organizations test the awareness of their team is by executing an internal phishing campaign. This is a campaign where the company has total control of the phishing attempt but tests the staff to see where the weaknesses are. The results only help improve overall training and cybersecurity.
This approach is wildly successful in getting an accurate picture of your team’s awareness. Who fails the test? How far will some employees allow a hacker to get before realizing they are being phished? Where does your training lack focus, such that the attempt succeeded?
A few things to keep in mind with this approach:
- While internal phishing campaigns are helpful, don’t shift your training focus to only weaknesses discovered in this process.
- Be careful not to call out any one particular team member or access point; the goal isn’t to embarrass team members but to improve your team’s awareness overall.
- Don’t aim for only those team members you consider to be the weakest when it comes to cybersecurity knowledge; you’d be surprised at where an organization may discover vulnerabilities.
- On this note, it’s helpful to provide one-on-one training catering to these team members, but you can still do so as a company by offering exercises aimed at specific weaknesses without placing blame.
- Keep the phishing exercise as realistic as possible, so the teachable moments that result are valid and credible.
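The questions above (who fails, how far the phish gets, where training lacks focus) and the caveat about not calling out individuals can be answered together from the campaign's own results. The script below is an added example, not code from the original post or from any phishing-simulation product: it aggregates a constructed results log by department and by the furthest stage each recipient reached, drops user identifiers before any reporting, and skips departments too small for a figure to be traced back to one person. The log format, department names, stage names and thresholds are all assumptions made for illustration.

```python
"""Aggregate internal phishing-simulation results without naming individuals.

Added example, not the post's own code. The log format, department and stage
names, and the thresholds below are constructed assumptions; real simulation
platforms export their own formats.
"""
from collections import Counter, defaultdict

# Furthest stage a recipient reached, in order of severity.
# "reported" is the desired outcome: the message was flagged to security.
STAGES = ("delivered", "opened", "clicked", "submitted", "reported")

# Constructed sample log: one line per recipient as "user,department,stage".
# User ids are opaque and are discarded during parsing.
SAMPLE_LOG = """\
u001,finance,clicked
u002,finance,submitted
u003,finance,reported
u004,engineering,opened
u005,engineering,reported
u006,engineering,clicked
u007,sales,delivered
u008,sales,submitted
u009,sales,submitted
u010,hr,reported
"""


def parse_log(text):
    """Parse the log into (department, stage) pairs, dropping the user id so
    that nothing downstream can single out one person."""
    rows = []
    for line in text.strip().splitlines():
        user, dept, stage = (field.strip() for field in line.split(","))
        if stage not in STAGES:
            raise ValueError(f"unknown stage {stage!r} for {user}")
        rows.append((dept, stage))
    return rows


def summarize(rows):
    """Per-department totals and rates: how many clicked or went further,
    how many submitted credentials, and how many reported the message."""
    per_dept = defaultdict(Counter)
    for dept, stage in rows:
        per_dept[dept][stage] += 1
    summary = {}
    for dept, counts in per_dept.items():
        total = sum(counts.values())
        summary[dept] = {
            "total": total,
            "click_rate": (counts["clicked"] + counts["submitted"]) / total,
            "submit_rate": counts["submitted"] / total,
            "report_rate": counts["reported"] / total,
        }
    return summary


def focus_areas(summary, min_group=3, click_threshold=0.5):
    """Departments whose click rate meets the threshold. Groups smaller than
    min_group are skipped so a result cannot be traced back to one person."""
    return sorted(
        dept
        for dept, s in summary.items()
        if s["total"] >= min_group and s["click_rate"] >= click_threshold
    )


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for dept, s in sorted(summary.items()):
        print(f"{dept:12s} n={s['total']:2d} click={s['click_rate']:.0%} "
              f"submit={s['submit_rate']:.0%} report={s['report_rate']:.0%}")
    print("training focus:", ", ".join(focus_areas(summary)))
```

The report rate is worth tracking alongside the click rate: a department where many people clicked but also many reported the message is in a better position than one where nobody reported anything, and it points the follow-up exercises at recognizing and reporting rather than only at not clicking.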
When your exercises give you enough insight to update your training, keep the training outline simple, with a few target areas that are comprehensive enough to be thorough but straightforward enough to be digestible:
- Form a baseline for where your team is currently, regarding cybersecurity awareness.
- Devise goals for where your team should be, and target dates to achieve these goals.
- Outline a plan to meet these deadlines.
- Develop a maintenance process for ongoing support.
Organizations can also take steps to protect themselves internally. Limit access to all computer equipment to authorized personnel only, install up-to-date antivirus software at each workstation, and update all programs on a regular basis – especially security updates. Having a contingency plan in place for any vulnerabilities might seem like overkill, but it never hurts to be prepared.
Self-awareness is just the first step in achieving the ultimate level of cybersecurity protection – don’t wait until an attack happens before you start defending yourself and your organization!