Securing the Weakest Link
Even when a talented 24/7 security operations center armed with good security tools stops the vast majority of threats, people remain on the front line of your organization's cyber security efforts.
Research by IBM found that human error contributes to 95% of all security incidents.
Take an example: an employee, Anna, is checking her personal email at work and opens a message warning that she will lose $10 within the next week unless she acts. She clicks the link inside the email and, without realizing it, installs malware on her workstation. Not only is the malware now on her system, it is also spreading into the rest of the network.
Only 22% of information workers are concerned about security at their organization. That matters, because poor security awareness is the single biggest obstacle to defending against cyber attacks.
Security Awareness
Security awareness is the practice of ensuring that everyone in your organization has an appropriate level of knowledge about cyber threats, an understanding of the impact those threats can have on the business, and knowledge of the steps required to keep an attack out of their workspace.
The way we see it, the first line of defense in any security posture is your controls: how you enforce security best practices and prevent successful compromise. The second line of defense is detection: how you identify attacks or attempted breaches, and how you know whether your controls are actually working. The third line of defense is your people: how aware they are of security and what they do day to day to avoid becoming the weakest link.
A good security awareness program arms your third line of defense by educating people about the first two, while giving them the tools they need to do the right thing day in and day out.
Invest in a Security Awareness Program
A security breach survey by PwC (PricewaterhouseCoopers) found that 75% of large organizations had suffered a staff-related breach, and 31% of small organizations reported the same.
Simply put: people are the weakest link in any organization's cybersecurity defenses. This oft-repeated claim may sound like a cliché, but a quick look at incident records, such as the well-known Target breach or the more recent WannaCry outbreak, shows that even with the best technology in place, if the human factor is neglected, exposure to threats and the resulting impact are far higher than most would call acceptable.
Security awareness programs are important because they reinforce that security is the responsibility of everyone in the organization (not just the security team).
The numbers bear this out: last year the FBI reported that a staggering $12.5 billion had been lost to email fraud.
Now consider that many of the high profile breaches we have read about recently in the news originated from a single successful spear phishing email.
Below are some breaches that resulted from a lack of security awareness across the organization.
Yahoo Hack
The 2014 Yahoo hack was significant, compromising up to 500 million user accounts and exposing usernames, phone numbers, security questions and answers, password recovery email addresses and the hashed passwords associated with each account.
The attack began with a spear phishing email sent to "semi-privileged" Yahoo employees. One employee fell for it, giving the attackers a foothold on the Yahoo network from which they located and dumped the Yahoo user database.
WannaCry - the cost of unpatched systems
In May 2017, one of the biggest ransomware outbreaks in history crippled organizations such as the NHS, FedEx, Nissan and Hitachi, hitting more than 200,000 computers in over 150 countries. Although it is often described as a phishing attack, WannaCry was a self-propagating worm: it moved from machine to machine by exploiting a flaw in Microsoft's SMBv1 implementation that had been patched two months earlier in MS17-010, so no user needed to open an attachment for a vulnerable host to be infected. Investigations found that many organizations (the NHS among them) had not installed that patch, leaving them wide open to WannaCry's rampage. Alongside this, the NHS had been warned that it was at risk of a cyber-attack and did very little to prevent it. The human factor here is organizational rather than a single click: the administrators and decision makers who defer patching are part of the weakest link too.
According to the Secureworks 2018 Incident Response Insights Report, 42% of the intrusions it investigated began with a successful phishing email, reinforcing the need for ongoing employee education.
Sony Pictures Entertainment
It all began when the company's top executives received fake Apple ID verification emails. Each email directed the recipient to a phishing website that harvested the executives' Apple credentials. The attackers combined this information with the LinkedIn profiles of Sony employees as they worked out how to get into Sony's network. Once inside, they crippled the networks and made off with around 100 terabytes of data.
Benefits of Security Awareness Program
Here are some benefits of a security awareness program that show how it helps protect your organization from attackers and other bad actors.
- Training reduces errors. If employees are taught about common attacks, such as social engineering and phishing emails that carry malware or try to steal credentials, they are much less likely to click links or open files they shouldn't.
- Training enhances security. With vigilant employees using strong passwords, flagging suspicious emails, and alerting supervisors about unusual communications or activity, the organization as a whole becomes less vulnerable.
- Prevent downtime. Should a breach or incident occur, it takes considerable time to investigate and recover. That is precious time your staff must devote to getting back up and running, disrupting workflows and deadlines. Downtime of even a few hours can cause severe disruption.
- Prevent reputational damage. A security breach can destroy confidence in your brand, causing consumers or clients to leave in droves. One study found that 60% of small businesses go under within 6 months of a successful attack.
- Your organization will save time, money and assets. On average it takes more than 7 months to identify and recover from a successful cyber-attack, and according to the IBM/Ponemon 2017 Cost of Data Breach report the average cost of a breach is $3.62M. That is $3.62M you could have put into other projects. It is far cheaper to invest in training from the beginning, keep those dollars and protect your assets.
- You will have peace of mind. A strong security policy coupled with a security awareness program means less worrying. You will be able to relax more, and perhaps even get a good night's sleep, knowing that everyone is on the same page.