October is National Cybersecurity Awareness month, making it an excellent time to draw attention to this critical topic. Too many organizations continue to take their cybersecurity for granted, often with disastrous results.
The foundation of any good cybersecurity policy is employee training. Even the most robust and iron-clad cybersecurity plan will fail if employees don’t understand:
- The importance of cybersecurity
- How their actions can either help or hinder efforts to safeguard your organization’s digital assets
- How to identify suspicious activities (such as irregular network traffic or phishing emails)
- Who they should report any suspicious activities to
Though most of us are typically only aware of large-scale cybersecurity attacks targeting large businesses (such as the Capital One hack that occurred earlier this year), small and medium-sized organizations are increasingly being targeted by cybercriminals.
The Cost of Poor Cybersecurity
According to the 2019 edition of IBM’s annual Cost of a Data Breach Study (conducted by the Ponemon Institute), the most common and most expensive breaches were the result of malicious cybersecurity attacks (as opposed to accidental breaches caused by human error or system glitches). These breaches cost, on average, $4.45 million, with smaller organizations (those with fewer than 500 employees) suffering average losses of $2.5 million.
That sort of financial blow can cripple a small or medium-sized business, many of which generate $50 million or less in annual revenue.
A breach can cripple even a large, financially comfortable organization, and many cybersecurity incidents aren’t detected right away. According to the report, only 65% of breaches were discovered within the first year after the breach occurred; 22% weren’t discovered until the second year, and 11% weren’t discovered until more than two years after the initial incident.
Cybersecurity Awareness is More Critical Than Ever
Employee negligence is the leading cause of data breaches, accounting for 47% of all incidents. Employee actions that compromise cybersecurity are rarely malicious. In many cases, employees may not understand that their actions (such as leaving their work laptop unattended at Starbucks while they head to the counter to order another coffee, or working remotely over public Wi-Fi) endanger the company.
Organizations with BYOD (Bring Your Own Device) policies are particularly vulnerable, as the company doesn’t have direct control over the devices being used to access its internal networks.
How Can I Protect My Organization?
Cybersecurity is everyone’s responsibility, but your employees can only help safeguard your organization’s digital assets if they understand why cybersecurity matters and how their actions can either endanger or protect those assets. Awareness is the first step towards crafting a robust yet flexible cybersecurity policy to meet your organization’s needs.
Provide Employees with Regular Cybersecurity Training
Your employees may have been provided with some basic cybersecurity training as part of their onboarding, but that isn’t enough. Cybercriminals are continually changing tactics and evolving, so your cybersecurity practices need to adapt to new and changing threats.
Regular training not only helps remind employees why cybersecurity is important, but it also reinforces good habits (such as choosing strong passwords and not leaving devices unattended). These regular check-ins also ensure that any policy changes are communicated promptly and effectively and that employees have a chance to ask questions and gain a more detailed understanding.
Stress Test Your Defenses
You may also want to consider conducting regular pen (penetration) tests or running through common tabletop scenarios. A pen test involves hiring an ethical hacker to stress-test your organization’s cybersecurity by attempting to break through your defenses and gain access to sensitive information. The ethical hacker takes detailed notes as they work and flags any vulnerabilities they were able to exploit. Once the test is done, the hacker sits down with you to share their findings.
A tabletop scenario is more like a fire drill and allows your employees to respond to a hypothetical cybersecurity incident in a zero-risk environment. This not only gives your employees the chance to test their responses but also gives you valuable insight into your current cybersecurity protocols. Once the scenario is finished, you can review your response and flag any problems or gaps you encounter so they can be rectified.
Review Your Cybersecurity Policies Frequently
There are several essential cybersecurity best practices you may already have in place (such as keeping your software up to date, using firewalls, and enforcing safe password practices), but you should also take the time to review your cybersecurity policies at least once per year.
Lead By Example
It’s one thing to create strong cybersecurity policies and talk about why cybersecurity is essential; it’s another thing entirely to follow that advice yourself. Cybersecurity is everyone’s responsibility, from the CEO all the way down to the summer intern. Employees are more likely to follow best practices if they see their superiors doing so because it reinforces that these policies are more than just talk.
Make Sure Employees Have Someone to Turn to for Help
Even if your employees know how to recognize suspicious activities, that knowledge is useless unless there is someone to act upon it. Employees need to know who they should report suspicious activities to, and the person they are reporting to needs to have both the knowledge and the agency to investigate those suspicious activities, determine if they are credible, and react accordingly.
Consider Seeking Out Expert Advice
Effectively safeguarding your organization’s digital assets from cybercriminals can feel like a daunting task. Not everyone is a cybersecurity expert, and that’s okay. That’s why many organizations choose to outsource their cybersecurity to MSSPs (Managed Security Service Providers). A good MSSP will not only monitor your network and alert you to any suspicious activities, but will also help you assess your unique cybersecurity needs and craft a robust yet flexible cybersecurity solution to meet those needs. They can also help you train your employees, respond effectively to a cybersecurity incident if one occurs, and investigate the incident thoroughly so that your cybersecurity policies can be improved to prevent similar incidents from occurring in the future.