“Eternal Vigilance is the Price of Liberty”
- Wendell Phillips, Jan 28, 1852
The instances of cybercrime have been rising steadily for almost three decades now. In 2018, the average computer user in the United States received sixteen phishing emails per month¹. That does not count the higher attack rates faced by corporate Internet users. In this environment the only real defense is to inform all staff members about threats and their security responsibilities, and to instill in them a state of constant vigilance.
The rule here is “If there is ANY suspicion at all that an email is not what it appears to be, contact the person in question through another means, to make sure the message is genuine.” This can be by phone or a messaging application, or even by walking over to another cubicle. These three simple steps will provide a massive reduction in a company’s risk of exposure, provided ALL your employees follow them.
Because most ordinary employees are not computer geeks, cyber security awareness training must be focused on practical aspects of security, rather than technical ones. Scenarios, such as those on the preceding page, must be worked through, together with the security implications of each and the appropriate countermeasures.
Further, cyber security is an all-or-nothing endeavor, so ALL staff members must take part in basic training. This is likely to draw scoffs and derision from the company’s IT and Cyber Security employees, but all really does mean ALL. Remember that twelve percent of all those suckered by the mock attack study were IT and Cyber Security professionals, so these departments are by no means impervious to social engineering attacks, even if they do consider themselves to be bulletproof.
Ultimately it’s better to have your techies sitting bored through cyber security awareness training than to have them miss something and put your entire operation in jeopardy.
It’s also highly recommended to put IT staff through a secondary training program, an advanced cyber security bootcamp, if you will. These individuals are your company’s second line of defense. They must ensure that the network is locked down as tightly as possible, and they are the ones who must contain and remedy the damage if an intrusion attempt is successful. It pays to have them as prepared as possible.
Cybercrime is not static. The threat landscape changes. Incursion vectors evolve. New angles of attack are developed. That’s why any awareness training program must include periodic updates, to keep employees honed as the first line of defense, instead of having them slowly slip back into the realms of being security weaknesses.
Additionally, the organization’s state of cyber security awareness should be examined to gauge the effectiveness of the trainings. This should include testing at the individual level, through questionnaires and surveys, as well as random penetration tests and mock social engineering attacks. These measures are the only way to be sure staff remain in a constant state of alertness and conscious of their collective responsibilities for the security of the company.
Sources: