In the Fight Against Hackers, You Must Use Your Staff!
Cyber-crime is a really big problem now! But an even bigger problem is that many companies just don’t know it yet, nor understand the likelihood of a cyber breach occurring and its financial impact. And in the fight against cyber-crime, your staff are literally your biggest asset because they are also the hackers biggest target!
Hacking is an industry
So why is cyber-crime so bad now? It’s because an entire worldwide industry has been built around hacking, with the sole purpose of stealing information and money, and most people on the planet are a potential target. We’re not talking about 12-year-olds sitting behind a computer trying to get bragging rights anymore- those days are long gone. We’re now talking about things like organised crime, renting hacking software out to people with no technical skills, and essentially a never-ending supply of hackers trying to scam you for whatever they can, in increasingly ingenious ways.
They have constantly adapted to find the weaknesses and target them, so they’re generally not wasting time trying to crack into your company’s IT systems through your security hardware and software. They now take the easy way out and target staff by doing things like:
- Sending out a multitude of trick emails (phishing).
- Phoning and pretending to be someone they’re not, gaining trust and manipulating (social engineering).
- Walking into your secured office confidently behind someone else and stealing logins, information or hardware (tailgating).
And the big-ticket item here is tricking staff with emails because it can be done in mass volumes, it’s cheap, quick, and successful. Accordingly, up to 85% of cyber security breaches are initiated via staff clicking on something they shouldn’t!
This is now the world we live in
Scary stuff for sure, and frankly if you don’t do something about it you become the soft target. Think of the house on the street with the security doors, window screens and burglar alarm. Too hard,… move on. But the easy target gets burgled, and then it gets burgled again in another month. Hacking is the same – once they’re in, there’s a good chance you won’t even know and they’ll keep stealing your information and using it to their advantage. Your customers data can be leaked, your files can be all encrypted on a certain date, and suddenly you have no business and you probably have to report the breach to the Office of the Australian Information Commissioner and your customers (via the mandatory data breach notification scheme).
Then the pain really starts because you incur costs due to:
- Lost productivity
- Repair and recovery costs
- Damage to reputation
- Lost customers
Lost information and the above costs are exactly why 60% of companies that suffer a major cyber security breach are out of business in 6 months or less. Yes, that’s a very confronting statistic!
Scare yourself into action if you have to
Something I like to relate cyber security awareness to is riding my motorbike. It’s a risky proposition, and to ward off the complacency I sometimes watch motorbike crashes on YouTube. Weird as that may sound, I do it to remind myself of the dangers, how to spot them, and how to deal with them. I then implement what I have learnt.
So what should we be doing to be proactive?
- Check your IT contracts for limit of liability. Companies supplying your IT services should own their failings that lead to a breach, and not pass them onto you.
- Ensure your backup regime is incredibly robust. And you want to store backup data at regular intervals, do regular tests to ensure the backups are working, and that you can successfully restore the data.
- Develop “Disaster Recovery” and “Business Continuity” plans. When things go really bad, it’s really helpful to have plans to follow so you remain as functional as possible and minimise the disruption to your customers. You also need to test and refine these plans.
- Develop policies and procedures for how to protect against, detect and respond to cyber security breaches.
- Test the security of your systems with a penetration testing service.
- Get cyber insurance if you need to.
But most Importantly….
And consider how you train your staff. This is not a compliance exercise where you want to tick a box – you want your staff to be fully engaged and learning so that they retain the knowledge and implement it.
So, if you’re going to use an online course, make sure it’s interesting enough that people don’t go into autopilot, or multi-task. If you’re going to use an onsite trainer to maximise engagement, make sure they are fun and knowledgeable! Why do I mention fun / interesting? Let’s face it, cyber security is not everyone’s cup of tea, so it’s incredibly important to ensure your staff are fully immersed in the training!
It’s no longer a matter of “if” a breach will happen, but “how often” and “how bad”. Be proactive and use your staff to greatly reduce the probability of a cyber breach, and the impact it will have on your company and your customers.
About the Author: