Are Businesses Cybersecure for 2020?
The threat to businesses from cyberattacks is now growing at an unprecedented rate and, far from the clichéd image of a hacker as a socially awkward, hoodie-wearing teenager sitting in a dark room, most attacks are now carried out by either international organized crime gangs or state-sponsored groups. While many of these threats are sophisticated and require state-of-the-art software to repel them, it remains a fact that errors made by a company’s employees can open up sensitive data and bank accounts to third-party actors. One survey carried out by IPSOS for Shred-it found that, according to management responses, 53% of all security breaches were caused by human error. That is a massive jump from the 28% reported in 2018 [1].
Company employees are generally targeted by hackers using what is known as social engineering. This encompasses a range of psychologically manipulative and persuasive strategies aimed at duping an employee into responding to an email or other communication in a way that opens up the company’s data systems to malicious breaches. These attacks have become hugely more sophisticated than the original ‘Nigerian Prince’ scams of long ago and often successfully imitate messages from sources that the employee would normally trust as safe, i.e., their employer or a colleague. According to the Phishing Activity Trends Report by the Anti-Phishing Working Group (APWG), a total of 182,465 phishing sites were detected in the second quarter of 2019. Again, this is a giant leap from the 138,328 found in the last quarter of 2018 [2].
Another potential vulnerability that invites human error to open the door to a cyberattack is when employees use their own devices, such as laptops, tablets, or smartphones, for work, whether at the business premises or at home. These devices are much less likely to be fully protected than company data systems, and employees might also be tempted to surf the Internet and end up on phishing sites that download malware, which could then spread to the company’s computer network. There is also the risk that the device could be stolen, revealing confidential information and passwords.
Steps to Cybersecure Your Business
Every single business, no matter how big or small, is at risk from a cyberattack. The average cost to a small company of an attack is around $200,000 [3], while larger businesses can expect a bill of over $1.1 million [4]. On the other hand, it costs hackers very little to launch attacks. To create an effective defensive strategy, the first thing a business needs to do is to evaluate its current state of risk and consider the following points:
- Every business needs a person who has overall responsibility for cybersecurity policy – a Chief Information Security Officer (CISO) with the relevant qualification or training. Larger companies should consider having a team of such security officers. However, the burden should not fall on this person or team alone: everyone within the company who operates a computer needs to take some responsibility for identifying and reporting suspicious activity.
- The company’s senior management needs to have an excellent working understanding of the cyber threat, and an appropriate budget needs to be agreed to fund the best protective software and proper training for staff.
- A structured cyberattack protocol needs to be developed, and all members of staff need to be aware of it. Any employee should feel free to ask for guidance about security issues at any time, and all new cyber threats should be relayed to staff so that they are aware and prepared. It has been found that people do not always read emails immediately, so, as is suggested by an article by the University of York, an app such as Workplace could be considered instead [5].
- The best protection software should also be installed and should be updated whenever necessary. The CISO also needs to make sure that all other software used by the company is updated regularly. The WannaCry cyberattack in May 2017 caused up to $4 billion in damage worldwide and shut down much of the UK’s National Health Service. However, it was only able to cause such catastrophic effects because a vital software update patch from Microsoft had not been installed quickly enough on the affected systems [6].
- Last but not least, ongoing cyber defense training for employees is a necessity.
The Right Training for the Right Staff
Quite often, budget restrictions lead to only a handful of staff being trained about cyber threats on a one-off basis. This is nowhere near satisfactory. All staff need to receive training in a way that is relevant, easy to understand, and engaging. It also needs to be regular, for two reasons: first, the more often something is emphasized, the more likely it is to be remembered; and secondly, the threat landscape is ever-changing, so new methods used by hackers need to be made known. One approach that seems to be having great success as a training method is gamification – ‘the use of game mechanics and game thinking to engage users in solving problems and to motivate them by introducing elements of competition and reward’ [7]. This sort of training can be done in short stints on an ongoing basis. Beaumont Health Services, PricewaterhouseCoopers, and Deloitte are just three companies using this approach to training. Marc Mackinnon, the Cyber Risk Services Partner at Deloitte Canada, said, ‘At Deloitte, we are seeing an uptake in innovative gamified cybersecurity training solutions. Organizations are creating online communities to enter into friendly social competition and get rewarded to be security champions.’ [8]
Every business, depending on its size and purpose, will have a different approach to making its cybersecurity as strong as possible. What is important is that there is the right mix of software protection and human threat awareness. One cannot work without the other. We are only a couple of weeks away from 2020, and predictions are that attacks will only grow in quantity and sophistication. No one will be safe from either opportunistic hackers or organized online gangs. If cybersecurity has not been at the top of a company’s agenda, and many studies have shown this to be the case, then the time for it to act is now.
1. ‘Human Error Still the Cause of Many Data Breaches,’ HelpNetSecurity, 06/17/2019, accessed at https://www.helpnetsecurity.com/2019/06/17/human-error-data-breach/
2. Phishing Activity Trends Reports 2019, Anti-Phishing Working Group, 05/15/2019, accessed at https://www.antiphishing.org/trendsreports/
3. Scott Steinberg, ‘Cyberattacks Now Cost Small Companies $200,000 on Average, Putting Many Out of Business,’ CNBC, 10/13/2019, accessed at https://www.cnbc.com/2019/10/13/cyberattacks-cost-small-companies-200k-putting-many-out-of-business.html
4. Alison DeNisco, ‘Cyberattacks Now Cost Businesses an Average of $1.1M,’ TechRepublic, 01/15/2019, accessed at https://www.techrepublic.com/article/cyberattacks-now-cost-businesses-an-average-of-1-1m/
5. ‘Human Factors the Biggest Threat to Cybersecurity,’ University of York, accessed at https://online.york.ac.uk/human-factors-the-biggest-threat-to-cyber-security/
6. James Hadley, ‘How Traditional Training is Weakening Businesses’ Cybersecurity,’ Forbes, 10/31/2018, accessed at https://www.forbes.com/sites/jameshadley/2018/10/31/how-traditional-training-is-weakening-businesses-cybersecurity/#177396444b0c
7. Dr. Michelle Moore, ‘Gamification: A Winning Strategy for Cybersecurity Training,’ SC Magazine, 09/17/2019, accessed at https://www.scmagazine.com/home/opinion/executive-insight/gamification-a-winning-strategy-for-cybersecurity-training/
8. Marc Mackinnon, quoted in: Stephen Baer, ‘Why You Should Gamify Your Cybersecurity Training,’ Forbes, 10/04/2017, accessed at https://www.forbes.com/sites/forbesagencycouncil/2017/10/04/why-you-should-gamify-your-cybersecurity-training/#6cc18d8a6271