Back To Basics: Cybersecurity Is Everyone’s Job

Perry Carpenter is Chief Evangelist for KnowBe4 Inc., provider of the popular Security Awareness Training & Simulated Phishing platform.  

Cybercriminals keep finding new ways to breach corporate networks, no longer relying on faulty code and outdated technology. Cyberattacks have evolved from randomly targeted “spray and pray” to highly selective and sophisticated attacks that are costly to mitigate. This means that today’s organizations need to devise protections across the full cyber kill chain.

Interventions and technologies have evolved as well. Organizations boast advanced security stacks that are perhaps more intimidating for security teams than for attackers. However, many organizations remain negligent of the one attack vector that’s at the heart of most cybercrimes: humans.

As attack methods evolve, we have seen a shift to targeting people and processes in addition to technology. Deloitte says social engineering is to blame for most cyberattacks, including headline-grabbing ransomware, with 91% beginning with a phishing email. Cybercriminals trick employees into divulging sensitive information, like their credentials, or taking actions such as clicking on malicious links or attachments. It’s not a new manipulation technique, but the tactics have changed and so have the stakes.

Unfortunately, cybercriminals seem to be a step ahead of executive leadership when it comes to understanding human behavior, meticulously studying individual victims for weeks to spot weaknesses. The result is carefully crafted and orchestrated phishing attacks that can successfully trick victims.

Data Proliferation Meets Remote Work: A Recipe For Burnout

Cybersecurity experts had predicted the data explosion in volume, variety and velocity for years, and they warned of the privacy and security challenges that were bound to follow. What they didn’t fully anticipate was the rapid movement to remote and hybrid work in the wake of the pandemic. Global shelter-in-place orders triggered digital transformation at an unprecedented scale, and speed won at the cost of security. The combination of remote work and data proliferation trend has led to an alarming increase in cybercrimes.

Overburdened IT and security teams, juggling accessibility and security, remain the unsung heroes of business continuity during the pandemic. They bore the burden of accelerated IT initiatives which were exacerbated by a cybersecurity skills shortage. Stress and burnout have become a major issue, with 47% of cybersecurity professionals working over 40 hours a week. This level of stress is unsustainable, and may lead to a worsening of the skills shortage — already, as many as 2.7 million cybersecurity positions remain unfilled worldwide.

Rethinking Organizational Culture

Remote working is here to stay; data continues to grow in both speed and volume; the cyber skills shortage is expected to get worse. With all this, it’s no surprise that the surge in cybercrimes depending on human error shows no signs of abatement. For organizations, this situation calls for a complete overhaul of the existing security culture and a breakdown of traditional business silos. Here are two steps organizations need to take ASAP.

1. Foster A Culture Of Security

It’s futile to create an isolated security strategy that interferes with business strategy and productivity. Businesses simply can’t afford to lock down all resources; they need quick access to data to stay relevant and competitive. To balance security and accessibility, executives need to foster a culture where security is an active part of business strategy. Security should always be top-of-mind for everyone, not just the security team. For employees to take responsibility for security, at home and in the office, cybersecurity awareness and training is paramount.

2. Train And Test Employees

Employees must know the gravity of the situation so they understand the imperative of abiding by security policies such as multifactor authentication and fair-use policies. Training programs can keep them up to date on real-world threats and the harm they bring. Programs can educate employees on how to strengthen their home network, keep credentials safe, detect and report malicious emails and responsibly use VPNs.

Phishing awareness and training programs can substantially reduce cybersecurity risk. On top of training, I recommend simulated phishing tests to keep employees vigilant and familiarize them with modern-day phishing tactics. These tests give employees practice in spotting scams and properly escalating the issue to security leaders.

Final Thoughts

Data is everywhere, and no industry is immune to attack. Cybersecurity isn’t a one-off battle that organizations can win conclusively; it’s an ongoing war with daily battles, thanks to phishing scams. And yet, the only battle that people will remember is the one that’s lost.

Continuous security is possible if it becomes ingrained in the organization’s culture and an integral part of each role within it. It’s past time to consider security a business imperative, not solely the responsibility of IT. Training employees to serve as a human layer of defense is paramount, as is fostering a culture where every individual understands, appreciates and accounts for security.

Forbes Business Council is the foremost growth and networking organization for business owners and leaders. Do I qualify?

Source link

Leave a Comment