Edward Snowden and the NSA. Facebook and Cambridge Analytica. The Russian government and the 2016 presidential elections. Yahoo. Equifax. Office of Personnel Management. LinkedIn…. The list of hacker attacks, data breaches, information leaks and other cybersecurity incidents is varied, long and growing. Cybercriminals show no signs of slowing down. And as more and more of our interactions move online, we increase our risk of falling victim to the next attack.
Cybersecurity is no longer just a security issue for the IT department. It’s a business issue, a core concern of every single employee. Why? Because the most serious security threat to any organization is its people! Find out what’s happening now with cybersecurity, what all of your employees need to know and how you can create a cyber-smart culture.
Cybersecurity Facts and Trends
There were fewer government leaks and global ransomware attacks in the first six months of 2018 compared to last year. Yet hackers from around the world are active and bold – cooking up more devious ways to access personal data and company information. Here are just a few facts and trends compiled by Comparitech for its 2018 100+ Terrifying Cybercrime and Cybersecurity Statistics & Trends report:
- Globally, cybercrime was the 2nd most reported crime in 2016
- An attacker resides within a network for an average 146 days before detection
- Hackers are attacking computers and networks at a “near-constant rate,” with an average of one attack every 39 seconds
- Most network intrusions—63 percent—are the result of compromised user passwords and usernames
- Globally, 8 percent of malicious email attachments are .docm files (macro-enabled Microsoft Word documents, which can run embedded macros when opened)
- In 2016, the U.S. had the most data breaches of any country, by a large margin. There were 1013 data breaches in the U.S. Second was the U.K., with just 38.
- Mobile platforms are one of the fastest-growing targets for cyber criminals. Symantec identified 18.4 million malware detections in 2016, a 105 percent increase from 2015
- $3.8 million: The average cost of a data breach to a business
- 32 percent of U.S. organizations were victims of cybercrime in 2016, with 34 percent expecting to become victims in the next two years
- 43 percent of cyber-attacks against businesses worldwide target small companies
What Your Employees (and Leaders) Need to Know
Employees communicate by email, often on mobile devices, with colleagues across the organization. Each of those touchpoints presents some risk to the organization. Every employee, in any role at any level in the organization, should learn to follow the most basic cybersecurity rules, including:
- Passwords: Use strong, unique passwords, with upper and lower case letters and numbers. To keep the passwords truly random and unique, use a password generator for each account. Use a password manager to keep them all in one place without having to memorize them or write them down.
- Emails and Texts: Only open links and attachments from known senders. Even if you know the person, if the email or text looks questionable, contact the sender to confirm it’s real.
- Websites: Only visit secure websites – especially if they require a password or financial information. Look for an “s” at the end of the “http” (https://…) before you click. If it’s not there, skip the site and find the information from a secure source.
- See Something?: Homeland Security has trained us to “see something, say something” when it comes to unusual behavior in the community. It’s just as important to report a colleague’s suspicious behavior in the workplace.
- Lost Devices: A lost laptop, smartphone or tablet can have a wealth of personal, company and client data on it. Report all lost devices – especially those that are lost while on international travel, since some countries are less secure than others.
Some roles in the organization require specific cybersecurity skills and competencies that help prevent or manage an attack.
- Management Team: It’s up to senior managers to ensure that cybersecurity is “baked into” the fabric of the organization, from the strategic plan to the annual goals to budgeting and resources. Management also oversees a strong incident response plan to address vulnerabilities and guide the response to a cyber incident.
- IT Professionals: The CIO and IT team are responsible for making sure that the file servers, firewalls and company-supplied devices are all set up on a secure network. They also need to have tools and skills in place to detect and combat cyber intrusions. Staying current on evolving threats and available tools is an important responsibility, as well.
- Engineering and Product Managers: For organizations that develop or integrate technology for clients, engineers and product managers need to follow all best practices for developing secure code.
- Learning Leaders: Not all cybersecurity training is effective. Learning leaders need to know what skills and competencies are sought – then select training options that fit each need. IT professionals could benefit from simulated intrusion detection exercises. Simulated email phishing attacks, with follow-up training for employees who click on suspicious links, are far more helpful than a text-only or video-only learning experience.
Creating a Cyber-Smart Culture
A cyber-smart organization is one where every employee takes responsibility for avoiding cyber mistakes and oversights that could lead to devastating results for their company. Employees and leaders are knowledgeable, confident and proud of their approach to cybersecurity. They understand that being cyber-smart makes the organization (and the employees) more valuable.
Creating a cyber-smart culture may sound overwhelming, but it’s really just a matter of inserting cyber smarts into the processes and programs you have in place.
- Skills and Competencies: In recent years, competency models have been developed for the cybersecurity industry. Both the National Initiative for Cybersecurity Education (NICE) and the DoD Cyberspace Workforce Strategy have security models. Be sure cybersecurity competencies are appropriately included in every employee skills gap assessment. Consider extending your assessments to contractors, too.
- Learning and Development: Include some cybersecurity training as part of every employee’s individual learning plan. Consider creating certificates that celebrate cyber-smart employees, to reward their effort in learning what they need to know.
- Leadership Development: As employees and managers move into more responsible roles in the organization, be sure the cybersecurity competencies associated with the roles are clearly communicated and reinforced.
- Internal Communications: Use your newsletters, emails and company meetings to keep the workforce up to date on your cyber-smart initiatives. Find a consistent way to notify employees when a new threat arises. Make a practice of “catching” employees doing the right thing (shredding customer information, locking computer screens at the end of a day or asking about a suspicious email) and highlight their good deeds as best practices. Celebrate National Cybersecurity Awareness Month together every October.
- Sales and Client Communications: If you’re creating cyber-secure software, emphasize that in your product collateral. If your organization participates in cybersecurity think tanks, associations or other organizations, note that in your sales and marketing communications. In proposals, account reviews and meetings, periodically remind your clients of your cyber-smart company – where every employee is helping to keep their data safe.
Cybersecurity comes down to people. Employee behavior can make or break the prevention of and response to a cyber incident.
Are you ready to build the cybersecurity competencies of your workforce? Read our new whitepaper, Advancing Cybersecurity with Competency Management, for ideas about how to get started. Or contact us for a conversation. We’d love to help!