Cybersecurity Awareness in 2022
By Paul King
Microsoft. Facebook. Colonial Pipeline. Volkswagen. T-Mobile. Neiman Marcus. The Virginia Legislature. Panasonic. Robinhood. Kronos.
Cybersecurity breaches are omnipresent these days, in organizations of every size and sector. The list of companies above represents just a small slice of the organizations that were impacted by a headline grabbing (or not) data breach in 2021.
However, you may be surprised to find out that some of your colleagues are unaware of these major hacks or haven’t considered what it could mean for them. For many of us, cybersecurity just isn’t on our daily radar, and so we don’t tune in because we don’t see how it impacts us, our work, our lives, our loved ones.
But the reality is that cybersecurity does impact each of us, from big-picture effects like security and efficiency in global supply chains to the way it touches our individual privacy and digital identity. Understanding that digital security is everyone’s responsibility is key to keeping all of us safe at both the individual and the organizational level.
According to IBM’s 2022 Threat Intelligence Index, 95% of cybersecurity breaches have some element of human error. 95%. That statistic puts in stark relief the importance of your people in ensuring the security and viability of your company. As ITeck Consultant Aaron Cole says, “The chain of cybersecurity is only as strong as its weakest link. It only takes one user clicking the wrong link to allow a malicious actor in.”
Your employees are the front line as you work to protect your organization, its operations, and its data from today’s cybercriminals. Do you feel that you are adequately preparing your staff to confront today’s threats?
We believe there are three key pillars to building a strong and effective “human firewall.” They are deeply interconnected and incorporating each into your corporate culture is essential to building a more resilient organization and staff.
1. Training
Cybersecurity training is non-negotiable in today’s work environment. The modes and means of attack are so variable that in many ways, technical solutions alone can’t keep up. Your people really are your best line of defense if you provide them with the knowledge and the tools to effectively keep your information and network secure. But here’s the thing – a static cybersecurity awareness memo isn’t going to cut it. Dynamic training that engages staff at all levels and responds to the real time nature of today’s cybercriminal techniques and threats is essential to building the cyber resilience of your workforce.
In 2021, phishing (and the associated smishing and vishing*) was the most effective cyberattack method. IBM’s report noted that four out of every 10 attacks start with a phishing campaign that often includes targeted smishing and vishing components as well. Hackers using this method often imitate well known and trusted brands like Microsoft, Apple, and Google. Though most of your employees can likely identify most phishing emails, it only takes one person’s distraction or misjudgment to surrender your network to malicious actors.
According to a study conducted by Stanford University and the security firm Tessian, more than one third of employees surveyed indicated that they were “very” certain or “pretty” certain that they’d made a mistake at work that could have led to security issues at their organization. With attacks coming in so many different forms, it’s not difficult to see why. The Stanford/Tessian report concluded, “Your employees are focused on the job you hired them to do and when faced with to-do lists, distractions, and pressure to get things done quickly, cognitive loads become overwhelming and mistakes can happen.”
Incorporate a regular training program that keeps security awareness at the forefront of every employee’s mind throughout the year. This is an important and relatively easy way to reduce risk, meet many compliance standards, and strengthen your organization’s security culture. “By normalizing training within the culture of the workplace, organizations can help maintain attentiveness for these practices long term,” Joseph Carson, chief security scientist at security firm ThycoticCentrify, told TechRadar.
2. Policies & Procedures
Unfortunately, training alone can’t prevent all breaches. Instead, training is an essential supplement to the security structure provided by comprehensive cybersecurity policies and procedures. Do you have an Incident Response Plan in place should a breach happen? Does your staff know how they fit into that plan? Having such a plan in place before a crisis emerges can make a tremendous difference in the damage and cost to your organization.
Having a response framework at the ready can help inform critical decisions that have to be made in the high stress situations posed by, for example, a ransomware attack.
While phishing was the most effective attack method last year, ransomware was the top attack type. In other words, attackers used phishing methods to gain access to the systems on which they then deployed ransomware. While ransomware has been the top attack type for several years, one troubling trend is the growing use of “triple extortion” techniques. In such cases, cybercriminals not only lock down an organization’s systems and exfiltrate sensitive or valuable data, but also expand their target to demand ransom from a victim’s clients, suppliers, partners or others within their business supply chain. If not detected early and contained quickly, such an attack could be devastating to your brand reputation, customer and partner trust, and your revenue stream.
Compounding the growth of cybercrime in today’s operating environment are the increased risks introduced by the hybrid workplace. Remote work can increase both the risk and cost of cyberattacks. According to IBM’s 2021 report on the cost of data breaches, “organizations that had more than 50% of their workforce working remotely took 58 days longer to identify and contain breaches than those with 50% or less working remotely.” A longer discovery timeline also means a greater cost. IBM reports that in breaches in which remote work was a factor, the overall cost of the breach was more than $1 million greater than in cases where remote work was not a factor.
But the increased risk associated with a hybrid workplace is one area in which policies and protocols can make a tremendous difference.
The results detailed in IBM’s report are a ringing reminder that in the aftermath of our collective quick pivot to remote work, many organizations need to take urgent and necessary steps to secure their hybrid work environment.
From clear use policies around personal and company devices to logical but strict user privileges, reexamining your organization’s policies around cybersecurity is an essential step. However, an integral part of this process is integrating employee feedback into your policy development. Employee buy-in is essential to having IT policies (especially in a hybrid environment) that your staff are willing to follow. Kon Leong of ZL Technologies, Inc. recommends in Harvard Business Review, “Companies need to engage with the end-users to find out how far out of their way they’re realistically willing to go in their everyday activity to support cybersecurity efforts. In other words, avoid protocols that rely on them doing any more than they actually will.”
3. Culture
While implementing regular training and updating security policies is essential, it’s only one part of the cultural shift required to take on cybersecurity in today’s environment. Employee behavior plays an outsized role in the cybersecurity of your organization and staff buy-in is key to the success of any security protocols you put in place. Though it takes the investment of time and training, creating a culture of security awareness that permeates all levels of your organization can save you headache, heartache, and revenue in the long term.
What exactly is a cybersecurity culture? It depends in no small part on who you ask, but one fairly consistent theme is a corporate culture in which “people understand why cybersecurity is important; and they see themselves as part of the solution.” Ownership of the cybersecurity challenge can’t stop at the C-suite either. Senior-level executives are often prime targets of cybercrime, so while it is especially important that leadership understands the risks and their role as a part of the solution, it’s also important that they set an example through participating in training and following protocols – an example that can be reflected throughout the organization.
Another essential component of security awareness culture is fostering an environment in which employees feel they can ask for help or report perceived mistakes without harsh repercussions. Destigmatize reporting mistakes in order to keep the channels of communication open within your organization and so potential breaches can be quickly diagnosed and contained.
Building on the impact of open communication, it’s essential to create trust between your staff and your IT department. Implementing regular outreach and transparency in IT protocols and actions can go surprisingly far in fostering that trusting relationship. In addition, collaboration between your IT department and your marketing department can help make sure that cybersecurity protocols and procedures are communicated internally in ways that are clear, concise, and relevant to each staff person within the organization.
Looking Forward
Effective training, policies and procedures, and the time and human inputs required to shift your organizational security culture may seem like a steep up-front investment. But when you consider that the average cost of a cybersecurity breach in 2021 was more than $4 million, we’d argue it’s a worthwhile investment. One third of the way through 2022 we are already seeing an expansion in some of the most effective cyberattack types we saw during the height of the pandemic, including the compromise of digital supply chains, expanded targeting of identity and access management systems, and the continued growth and evolution of ransomware attacks.
Today’s operating environment is exciting in lots of ways, as remote work options increase worker productivity and can improve work-life balance, and new technology, software, and platforms create opportunities for innovative collaboration between colleagues around the country and the world. But it is also creating a fast-changing and quickly evolving threat landscape, and organizations of all shapes and sizes need to be ready. Putting in place the structures to protect your organization and people from the threats we know of today is critical. But it’s equally important to invest in your organization’s cyber resilience so you can nimbly respond to the threats we can’t yet predict.
*Smishing and vishing are in essence phishing via text and phone calls, respectively. They are often used as a part of a coordinated campaign to get someone to give up their credentials.
*MFA = Multi-factor authentication. MFA is a security technology that requires multiple methods of authentication from independent credentials to verify a user’s identity for a login or other transaction. See our article on MFA to find out more.