Think again on cybersecurity training – human error continues to drive attacks

Excerpted from a Taft Stettinius & Hollister LLP Blog by Kristin Hardy

You might think your run-of-the-mill cybersecurity training is sufficient. You might think that by “checking the box” on generic training you have fulfilled your obligation to mitigate data and cybersecurity attacks. You might think that general malware protection adequately secures your company’s data and you can move on with everyday business.

Think again.

“Human error” continues to be the number one driver of data breaches. Over 85% of all data breaches are caused by an employee mistake, according to “Psychology of Human Error” by Stanford University Professor Jeff Hancock.

Human error takes many forms, from the use of stolen credentials and the misuse of company information to clicking phishing or malware links. Cybercriminals have developed creative tactics to steal information. In a malware attack, hackers attempt to infiltrate networks, computers and mobile devices with malicious software.

An unassuming click on a link is all it takes to set off a malware disaster. Social engineering tactics are often used to get employees to send bank account information, passwords and other confidential information. Psychological manipulation is the bread and butter of social engineering.

Such efforts target human interactions by tricking people into thinking they are receiving an email from a trusted source, perhaps a friend or business partner. The email may contain an urgent request, carry legitimate-looking branding to make it appear trustworthy, ask you to “verify” information, or pose as a boss or coworker.

Employees need to be trained and continuously reminded when conducting business. Technology can only take us so far in securing information from cyberattacks, especially with respect to social engineering. In the hustle and bustle of everyday business, it’s easy to flit from email to email, shooting off quick responses without glancing at the subject line or name of the sender.

Some of the simplest requests from a seemingly innocuous email can lead to the leak of valuable information. Do you recognize the sender’s email address? Are there spelling mistakes in the email? Is the company or individual familiar?

Cybersecurity attacks can be incredibly costly, causing financial and emotional heartache from the click of a button. Aside from financial ramifications, data breaches may reflect negatively on your business’s reputation, cause you to lose clients, and may even lead to significant litigation and government fines.

The best approach in managing privacy and cybersecurity training is a proactive one. A primary goal should be to create a smarter, more attentive security culture.

Create a culture of awareness of cybersecurity matters. Establish clear expectations and training regarding data security and privacy. Keep cybersecurity risks top of mind by providing bi-monthly or quarterly training or simulated cyberattack campaigns. In addition:

    • Train employees to recognize social engineering tactics and phishing emails;
    • Ensure that employees properly manage passwords;
    • Enable multifactor authentication;
    • Train employees on the importance of data like Social Security numbers and credit card information;
    • Emphasize that cybersecurity is everyone’s responsibility.

Companies must stress the importance of cybersecurity to every employee. It cannot be the sole responsibility of the IT department. Even the best IT department practices can be undermined when employees fail to follow best practices.

If you don’t already have one, develop an Incident Response Team (IRT). In today’s age where technology rules, a cyberattack is a matter of when, not if. It is advantageous to run simulations and train employees on how to handle a breach, for example:

    • Alert IRT personnel;
    • Confirm the breach;
    • Ascertain the source of the breach;
    • Assess the damage;
    • Begin the notification process;
    • Take actions to prevent a recurrence;
    • Implement robust training and security measures.

The longer it takes to respond to a cyberattack, the more costly it becomes.
