Companies can combat a lack of employee awareness about cyber-attacks by offering regular, consistent training, communication, and awareness programs.
A recent study by Wombat Security Technologies reveals some startlingly alarming insights about workers’ awareness of cyber threats.
The study indicated that large sections of the workforce are not aware of the threats posed by bad actors or of what they can do to prevent attacks that can cripple a company’s credibility, brand, and bottom line. Fortunately, there are a number of steps companies can take to better educate the workforce and prevent insiders from unwittingly inviting potential catastrophe.
The study of 2000 working adults, evenly split between the United States and the United Kingdom, provided interesting results about some of the core threats companies face today. Among the findings:
- 39 percent of U.S. employees and 22 percent of U.K. workers did not know that malware is a type of software that can harm files, devices, and systems.
- 30 percent could not define phishing correctly as fake emails sent to prompt someone to open a file or visit a website that creates a security vulnerability.
- Only 37 percent of U.S. workers and 42 percent of U.K. employees correctly defined ransomware as software that blocks access to files and disables operating systems unless payment is provided to unlock the systems. Twenty-one percent of U.S. workers and 39 percent of U.K. employees did not even hazard a guess.
- Fifty-eight percent of U.S. respondents and 37 percent of U.K. respondents falsely believed anti-virus software can stop a cyber-attack.
- Thirty-five percent of survey takers use 4- or 6-digit pins to unlock mobile devices, while 11 percent use no lock at all.
- Far more U.S. employees (71 percent) than U.K. workers (39 percent) have corporate-issued smartphones or laptops, which are most frequently used for checking email, online shopping, streaming media and reading news.
- One notable difference: 45 percent of U.K. employees do not allow family members or friends to use corporate devices to check email, view social media, shop, read the news, complete homework or play games. For U.S. employees, anywhere from 39 percent to 50 percent allow others to use such devices for one or more of those tasks.
Managing Risk
The lack of awareness is borne out in some of the statistics regarding ransomware and other cyber intrusions. The Justice Department’s Internet Crime Complaint Center (IC3) tracked 7,700 complaints of ransomware from 2005 to 2016, resulting in an estimated $58 million in damage to affected companies, government agencies, and nonprofits. The costs include ransoms paid (between $200 and $10,000) to regain system control and costs related to lost data, repairs, and communication about the incidents.
These attacks are growing more frequent, too. In 2015 alone, the center logged 2,500 cases costing $24 million to affected organizations.
Security software company Symantec reported some alarming statistics in April 2017 about the growth in number and size of attacks:
- In 2016, there were 15 breaches affecting more than 10 million exposed identities, up from 13 in 2015 and 11 in 2014.
- Nearly 1.1 billion identities were exposed last year, about the same as in 2014 (1.2 billion) and nearly twice those exposed in 2015 (564 million).
- Of the 1,200 breaches Symantec reviewed in 2016, the average breach exposed 927,000 identities.
- Attacks on mobile devices are growing, with 606 identified vulnerabilities on iOS and Android mobile systems in 2016, up from 552 a year prior and just 200 in 2014 (which included 10 BlackBerry exposures).
- Symantec identified 463,000 ransomware attempts from 101 different families of infection, with the average ransom amount paid at $1,077. Those numbers skyrocketed in one year, with 2015 having seen 340,000 attempts from 30 families and an average paid ransom of $294.
As technologies have evolved, so too have the risks of a cyber-attack. The growing use of cloud computing and the Internet of Things means there are more devices and more locations that need to be protected.
Employees at the Front Lines
Employees are an essential first line of defense in the battle to protect systems, devices, and data from potential harm. With the right education and training, bolstered by rigorous operational monitoring of systems, the organization can stay secure. Here are a few tips for helping employees learn about and prevent harm.
- Communicate Frequently. Employees need to be made aware of the importance of cybersecurity. Lay out the impact of an attack on the organization and its operations. Spell out employee obligations when it comes to vigilance. This communication needs to be direct and frequent, not relegated to an annual signature acknowledging understanding of IT policy.
- It Starts at the Top. Senior leadership can be particularly vulnerable to attack, partly because IT staff often are lenient, partly due to the amount of travel and access to unsecured networks, and partly due to the potentially greater damage that can be done by accessing executive files.
- Impress on Employees Their Impact. Employees should understand the ease with which a hacker can gain access to a system. Encourage cooperation and a watchful eye. Encourage employees to question suspect emails and files and report them to IT staff. Recognize that workers are only human and that mistakes will be made.
- Create Deliberate Training. Consider making cybersecurity a part of new-employee onboarding. Hold regular conversations with employees over meals or at their staff meetings. Reference recent news stories about large attacks and the impact of those intrusions on the companies affected.
- It’s Not Just Email. Employees should be aware of the multichannel approach to infiltration that hackers use today. Some have resorted to calling employees, posing as a customer or colleague, in order to gather useful information. Social media invites, blogs, and suspect links can all lead to an attack, too.
- Know How to Recognize a Threat. Employees need help identifying when something is suspicious. Train and communicate the step-by-step instructions employees should follow if they suspect they’ve been attacked or see something curious. These steps include disconnecting the device from the corporate network and notifying a manager and IT staff immediately. False alarms are OK. It’s better to err on the side of caution, and employees should never be criticized for raising a flag.
There are many things the organization can do as well to ensure safe computing, including:
- Create and review a business continuity plan in the case of a ransomware attack.
- Use strict access controls, especially for administrative access.
- Monitor usage patterns, logs, and other employee activity, looking for patterns of irregular behavior that could indicate an employee is intentionally causing damage or setting up for an infiltration.
- Use multiple and overlapping defensive systems to protect against failures in any one technology.
- Develop a data security policy that determines whether data is encrypted when transmitted and at rest.
- Have strong password requirements and require users to change passwords often.
- Keep operating systems and software programs updated on all devices for all users.
Vigilance, commitment, and sound policy will help companies and their employees keep data and systems secure. With each new successful attack, hackers become emboldened to try to do more damage. Protection is the key to keeping the bad guys out.