The strongest weapon known to deter cyberattacks is not an impenetrable firewall (no such thing). It is not the most advanced anti-virus software. It is not the most resilient, robust IT infrastructure. While all those are vital to a robust cybersecurity program, it is your employees, and you as their leader, who are the front line of defense against cyberattacks. This also means that you and your employees also represent your greatest threat for these attacks. Let me explain.
The World Economic Forum, in its report on the Global Risks of Highest Concern, listed cyberattacks as eighth in a list of twenty-nine areas for concern.1 In 2015, losses due to cyber-attacks were put at $3 trillion dollars. By 2021, it’s projected to grow to $6 trillion dollars.
If you think your business is too small to be affected by this, think again. Small to mid-sized businesses are the favorite targets of the cybercriminal. Why? Because they invest less on IT infrastructure resilience making them more vulnerable to attack and invest less on training employees how to spot cyberattacks. This lack of investment can cause both a loss of revenue and reputation.
Surprisingly, a study by IBM in 2016 found “that 60% of all attacks were carried out by insiders! Of these attacks, three-quarters involved malicious intent and one-quarter involved inadvertent actors.”2 This is why your employees can be your greatest threat as well as the strongest defense against cyberattacks. What’s a CEO to do? Plenty!
The old adage “The best defense is a good offense” applies to your cyber security program. Since your employees are the front line of that defense, here’s what you must do.
Train your employees to spot cyberattacks from the outside.
Cybercriminals use some form of “social engineering” to gain entrance to your business. Social engineering is “the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.”3
The most common form is the “phishing email”. These emails look like they’re coming from a trusted source such as a bank, a customer, or a vendor, but they’re not. The links or attachments in the email may contain a computer virus which infects the entire computer environment. The virus may sit unnoticed in the recesses of the computer system quietly gathering and transmitting information out of the company to the cybercriminals. Worse yet, the email may contain a ransomware virus which will lock-up the computer system until a ransom is paid and a code transmitted by the “bad guys” to free up the system.
How can you tell if an email is a “phishing” email?
• Look for spelling or grammatical errors. Many of these attacks originate from outside of the United States by people not familiar with the language and these errors stick out.
• Is the sender asking for information they normally wouldn’t? Be suspicious of that email. Use “two factor verification” and call the sender and verify that they sent the email and need the requested information. Cybercriminals can “hijack” email addresses to make themselves appear legitimate.
• Roll your mouse over the url of an embedded link in the email. You’ll usually be able to see the actual hyperlink address. If it’s different than the name of the displayed link, assume that it’s fake and don’t click on it.
• Is the email from a government agency threatening action unless replied to? Government agencies, like the IRS or FBI, will send a letter, not an email, if there’s an issue.
Cybersecurity is everyone’s responsibility
This is not a problem for your IT staff alone. Everyone in your company has to take responsibility for cybersecurity because everyone with an email address is a target.
Here are some best-practices your company can follow:
• Invest in a cyber-awareness training program and make it mandatory for everyone from the C-Suite to the custodial staff
• Recognize employees who find and eliminate cyber threats
• Provide remedial training for any employee who inadvertently falls for a cyber attack
• Make cybersecurity activities a part of your employee annual review
• Immediately terminate network access for everyone who leaves the company regardless of the reason
• Bring your Human Resources policies in line to recognize and deal with this threat. Termination should be considered for those employees who repeatedly ignore your cybersecurity policies.
You, as a leader in your business, need to take the cybersecurity “bull by the horns”. This is not an IT problem, it’s an enterprise wide problem. You need to lead the charge in creating a cybersecurity offense program for your business to keep the “bad guys” out by never giving them a chance to get in.
3. [Google Dictionary]↩
David Discenza, CBCP, president of Discenza Business Continuity Solutions, has been involved in business continuity planning since 2009. He was the business continuity manager for the Risk & Information Management (RIM) group within American Express and currently works with companies in Philadelphia, New York City, Washington, DC, Baltimore, Connecticut, and nationwide to help them formulate plans they can implement when an unexpected business interruption occurs. David is certified as a Business Continuity Planner by the Disaster Recovery Institute International.