2016’s biggest cyber security threat? You!
- 17 June, 2016 09:52
Cybersecurity is not the new buzzword. With attacks getting more frequent and advanced by the day, it should be on top of every business’s list. Nowadays, you can have excellent IT security and still run the risk that your information ends up for grabs.
Why? Because the biggest threat you face is coming from inside your own organisation: your employees’ thoughtless, yet often unintentional, acts.
According to IBM’s Cyber Security Intelligence Index, no less than 95 per cent of all security incidents are triggered by human error. But how do you prevent employees from getting tricked by digital scams?
Although the idea of a group of criminal hackers working out of an abandoned nuclear bunker in Russia makes hacking sound dark, mysterious and pretty cool (let’s be honest), it’s usually just Mark from Sales’ fault for downloading a bank statement emailed to him by a bank that the company doesn’t even have an account with.
Innocent mistakes like these, however, can have dramatic and costly consequences. Back in August 2015, for example, a spear phishing attack on the Pentagon compromised about 4.000 military and civilian personnel’s information, just because one of its staff members decided to click on a dubious email link.
The following fact might be even more shocking. A while ago, Verizon reported that sending emails to just 10 employees will get hackers inside a corporation’s system 90 (!) percent of the time. But how exactly do you prevent employees from getting tricked by digital scams?
Repetition is (the) key
Education and awareness will go a long way in protecting your business against many types of cybercrime. But creating a risk-conscious workplace is easier said than done. Of course, the first step in making your staff aware of possible threats is training. But how much of this training do you remember months or even years later?
In order to keep your employees on their toes, you need to remind them on a regular basis which threats are out there, how to recognise them and which actions to take in case they come across something suspicious.
But how do you do that? Plan a million more training sessions – keeping everyone from their work, including yourself? That doesn’t seem very manageable, nor practical.
How we successfully fought digital crime with digital tools
Here at the office, we struggled with the same issue. Initial training….check! But then what? During a meeting we asked ourselves the following question: “How do we constantly educate employees about identifying suspicious activity and new possible risks, without sacrificing productivity?”
We cannot make them get up from their desks every single time for a quick training course. And with the amount of emails their inboxes get flooded with every single day, they are A) not going to read an email or B) not even going to notice it.
We finally agreed that we had to try to reach them when they did have a minute to pay attention to what we were trying to communicate. That’s when we started using every available screen in the building to display prevention messages.
Messages about opening suspicious emails, giving out confidential information or making dodgy payments, were now broadcasted repetitively throughout the office.
Walking to the coffee corner, people got a reminder through one of our digital signage screens next to the coffee maker. When they didn’t touch their PC for a while and their screensaver popped up on their computer screen, boom another reminder. Browsing through our corporate app during lunch, yes you guessed it, a reminder.
With this combo of digital tools, there was really no escape. There was practically no way that someone couldn’t have seen these messages.
We conveniently scheduled them to appear at set intervals, so we didn’t have to worry about them any further. When we spotted a new threat, we added a message about it – and that was basically it.
Besides that, it also gave us a great alternative if something should slip through the net. Because when you’re email is hacked, you’re not going to send an email to warn people, right?
No more careless clicks
That our approach was working, became apparent. Sure, those pesky hackers still try. We still get dozens of phishing emails in our inboxes, but the difference is that nobody is clicking on them.
Is this the end? Probably not. Cybercrime is only going to evolve more over the next few years and people are going to continue to make mistakes, that’s life.
But I sleep a little better at night, knowing that we have limited potential threats to a minimum, and that staff members are aware of the (new) threats they face and the part they are expected to play in guarding against them.
Frits Vos is CIO at Netpresenter.