Quick question: What do Home Depot, Sony Pictures and the Pentagon have in common? No, they’re not collaborating on a contractor-turned-spy espionage feature (although we’d pay money to see that).
Give up? They’ve all been the victim of major hacks that exposed confidential data and cost thousands of dollars. That may not seem all that remarkable—after all, breaches happen all the time. However, what is incredible is that all three attacks had the same perpetrator: unwitting network users.
In the Home Depot breach, hackers stole credentials from a third-party vendor and used them to break into the network and install malware onto self-checkout systems, stealing 56 million customer credit card numbers. The Sony hack involved a link in an Apple verification email that didn’t lead to Apple at all, but to a bogus phishing site that collected usernames and passwords. From there, all hackers had to do was hope someone had used their Apple ID as their network login—and guess what? They had.
What about the Pentagon? Surely federal government employees are too sophisticated to fall for rudimentary email scams, right? Sadly, no. In 2015, Russian hackers launched a spear-phishing attack against the Joint Chiefs of Staff and gained entry to the Pentagon email system. They made off with an “automated system that rapidly gathered massive amounts of data and within a minute distributed all the information to thousands of accounts on the internet.” Troubling, to say the least.
What’s more, events like these are not all that uncommon. In fact, some 90% of cyberattacks occur because an unwitting user willingly gives up their credentials. This statistic and others like it illustrate just how dangerous employees and vendors can be when they mishandle network credentials. But there is hope: Cybersecurity training is the third most effective way to mitigate the cost of an attack, behind only encryption and IT support. Because an effective training program begins with executive buy-in, here are two steps you can take today for a more secure technological tomorrow.
Action point 1: Understand the real threat
Human error is the gateway to hacker activity. In fact, experts note that cybercriminal techniques increasingly exploit human, rather than technological, flaws—as evidenced by the cases above. At the same time, the risk of attack is on the rise, particularly for small businesses. Today, half of all attacks are aimed at SMBs, which often have less sophisticated training and prevention methodologies. Did you know that an enterprise-level attack now costs an average of $1.3 million?
Unfortunately, the vague threat of an attack is often not enough to inspire executive boards to action, as board members lack education about cybersecurity and its cost. In this survey, for instance, only 38% of business IT support managers said their boards had adequate information about company risk. (For a jump on that, download our Cybersecurity Infographic for some vital statistics.)
Overall, businesses benefit from a more holistic, top-down approach to cybersecurity. At the very least, that means including IT support managers at board meetings and strategic planning sessions, but ideally, you should work to make security a priority throughout every stage of the product life cycle, including very early development phases. IT should be viewed as an integral—not an ancillary—part of your operations.
Action point 2: Create a culture of security
Social engineering threats like spear-phishing are now enemy No. 1 for business IT support. Hackers have leveraged the same design techniques used by marketers to create professional-looking phishing emails that fool recipients precisely because they are so realistic. To further boost their chances of success, hackers often check the social media accounts of targets to gain exploitable personal information, such as a recent conversation with a friend or a new purchase.
Spear-phishing attacks like these are like the crank in a huge game of technological Mouse Trap (hint: your company is the mouse). In fact, 91% of data breaches begin with a spear-phishing email, and as often as IT support professionals warn against it, people still click links in emails.
That means users must grow even more sophisticated if they are to stay one step ahead of attackers. One way businesses succeed at this is by making cybersecurity and awareness training a cultural priority. In these companies, training is mandatory and ongoing, with regularly updated curricula, but it’s also fun. Keep in mind that lengthy PowerPoint presentations ultimately accomplish only one thing: They make you feel like you’ve done your part. To create real change, you’ll need to captivate employees.
Although cybercrime may be serious business, awareness training doesn’t have to be. Some companies gamify cybersecurity courses, while others invest in IT training courses created by comedy writers. Whatever path you decide to take, your business IT support provider should be able to help you generate a custom curriculum in which company priorities and culture take front and center. After all, your business’s cybersecurity is only as strong as your least informed employee.