Addressing the Weakest Link in Privacy and Security…People
Most large corporations have multiple layers of data security in place to protect their networks. Small and medium-sized businesses (SMBs) are also beginning to implement more robust data security practices. Even with multiple layers of security, something that all companies have in common is that their employees are human. Technology continues to change and make it harder for cyber criminals; people, however, are always the same. Therefore, cyber criminals are focusing their tactics on human fallibility. Security Magazine reported that human error caused 95 percent of cyber-attacks.
Humans often engage in dangerous cybersecurity behaviors, such as sharing sensitive data on unsecured public Wi-Fi networks and using the same login credentials for multiple websites. Additionally, people may readily respond to emotional or urgent pleas that they think are from their employer or another trusted source. Other times, they get so busy with their work that they fail to notice the signs of a suspicious email.
Despite the natural cybersecurity risks humans can bring to your business, properly trained employees can also become a major asset to cybersecurity. Businesses can and should make improvements to protect their networks from human error and empower their employees to be active defenders of data security. When employees understand the crucial role they play, and employers give them the right tools to make wise decisions concerning data security, the overall risk to your business can decrease.
Elements of Cybersecurity
A successful cybersecurity program includes a layered approach that focuses on:
- Technology – Properly programmed and installed technology creates layers of protection that you can count on to protect your network day and night. Technical controls can include firewalls, multi-factor authentication, encryption, malware detection, notifications for unauthorized access, endpoint security, cloud security, application security, and more. Even though most of these technologies work in the background without much human intervention, every company should have a designated security officer who ensures that these programs run smoothly and in line with the latest technology in cybersecurity.
- Policies, Processes and Procedures – All businesses should implement standardized data security policies, processes, and procedures. These can include methods for data collection and storage, the type of data collected, how sensitive data is transferred between applicable parties, network security policies, vendors’ access to data, and steps to mitigate a breach. Tested and up-to-date policies, processes, and procedures are the primary control for managing the human risk factor.
- Training – A business is only as successful as the people that operate it; therefore, proper training and procedure auditing of staff, consultants, and third parties are critical to decreasing your risk of data loss.
Examples of Common Security Threats That Target Human Error
Cybercriminals have had decades to develop their strategies for obtaining sensitive data. They constantly adapt to changing digital trends and human behavior. One thing that unfortunately remains constant is that humans continually make the same mistakes over and over again, even when they are warned of specific dangers.
Social engineering allows cybercriminals to personalize their attacks in a way that makes them more believable. Many people have a large amount of personal information available online, including on business and school websites, online phone books, and most importantly, social media. Hackers can utilize this information to create targeted and personalized attacks.
Some common tactics cybercriminals use include:
- Phishing – This is one of the most well-known tactics that cybercriminals use, but despite constant warnings, people still fall for these email or text message scams every day. Cybercriminals have used social engineering to make their phishing attempts increasingly believable and personalized, and anyone could be vulnerable. Early phishing attacks often asked the recipient to send money via wire transfer, which most people now recognize as an immediate red flag of a scam. Today, a phishing email or text message may include a link to a fake login portal, which allows the hacker to collect the username and password you provide, or the message may appear to originate from a trusted individual or company.
A common phishing tactic is to direct the recipient to call a phone number that closely mimics a real business’s phone number. A “realistic” customer service agent answers and may ask for login credentials and other personal information. In some cases, these agents may even convince the caller to grant remote access to a computer, phone, or another device to provide “tech support”.
You might think you or your employees are too smart to fall for these scams, but cybercriminals try to create a sense of urgency or emotional response that even the most tech-savvy individuals may fall for if they are not careful.
- Using social engineering to guess credentials – Creating a strong password is essential to cybersecurity, yet many people ignore this advice. Passwords such as “password” and “123456” are still extremely common. However, cybercriminals can use the information people share on social media through posts, photos, quizzes, and questionnaires to guess more personalized passwords.
For example, if you made a post about adopting your dog Bingo in 2019, hackers can now easily guess variations of Bingo2019 as potential passwords. The more information you share on social media, the more clues cybercriminals have to guess your passwords.
- Data available on the dark web – Even if you haven’t shared much personal information online, cybercriminals still have ways of obtaining data. At this point, most people have probably been affected by some type of security breach, which means their information could be available on the dark web. Cybercriminals can use data from multiple breaches to create a profile of an individual to develop more targeted attacks.
One major issue is that people often use the same login credentials for multiple websites. If someone’s password for one account is available on the dark web, cybercriminals can often gain access to other accounts by simply using this same password.
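The two credential risks above (passwords built from publicly shared details such as “Bingo2019”, and passwords reused after they have appeared in a breach) can both be caught at the point where a user sets a password. The following Python is an added example, not code from the original post or from uRISQ. It screens a proposed password against a short common-password list, against tokens gleaned from a constructed “public profile”, and against a constructed breached-hash set; the profile values, the breached passwords and the hash set are all made up for the example. The breach lookup is indexed by the first five characters of the SHA-1 hash, mirroring the prefix-query pattern used by Have I Been Pwned’s Pwned Passwords range API, so a real deployment would only ever send the prefix to the service.

```python
import hashlib
import re

# Constructed sample list of very common passwords (a real policy would use a much larger one).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form in which breached-password corpora are usually published."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breached-password corpus: passwords that leaked in
# earlier (hypothetical) breaches, kept only as hashes, never as plaintext.
BREACHED_HASHES = {sha1_hex(p) for p in ("Bingo2019", "Summer2020!", "Welcome1")}


def build_range_index(hashes):
    """Index hashes by their first five hex characters, the unit a range query asks for."""
    index = {}
    for h in hashes:
        index.setdefault(h[:5], set()).add(h[5:])
    return index


RANGE_INDEX = build_range_index(BREACHED_HASHES)


def appears_in_breach(password: str, index=RANGE_INDEX) -> bool:
    """Prefix lookup: only h[:5] would leave the client in a real range query;
    the suffix comparison is done locally, so the full hash is never disclosed."""
    h = sha1_hex(password)
    return h[5:] in index.get(h[:5], set())


# Common character substitutions that do not add real strength ("P@ssw0rd" -> "password").
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "!": "i"})


def normalize(password: str) -> str:
    """Lower-case the password and undo the substitutions in LEET."""
    return password.lower().translate(LEET)


def personal_tokens(profile: dict) -> set:
    """Words of three or more letters and four-digit years found in a user's public details
    (pet names, employer, birth or adoption years, ...)."""
    tokens = set()
    for value in profile.values():
        for part in re.findall(r"[A-Za-z]{3,}|\d{4}", str(value)):
            tokens.add(part.lower())
    return tokens


def built_from_personal_info(password: str, profile: dict) -> list:
    """Return the profile tokens that occur in the password, raw or after normalization."""
    raw, norm = password.lower(), normalize(password)
    return sorted(t for t in personal_tokens(profile) if t in raw or t in norm)


def screen_password(password: str, profile: dict) -> list:
    """Reasons to reject a proposed password; an empty list means it passed these checks."""
    reasons = []
    if password.lower() in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS:
        reasons.append("common")
    hits = built_from_personal_info(password, profile)
    if hits:
        reasons.append("personal:" + ",".join(hits))
    if appears_in_breach(password):
        reasons.append("breached")
    return reasons


if __name__ == "__main__":
    # Constructed profile of the kind an attacker could assemble from social media.
    profile = {"pet": "Bingo", "adopted": 2019, "employer": "Acme Widgets"}
    for candidate in ("Bingo2019", "P@ssw0rd", "correct horse battery staple"):
        print(candidate, "->", screen_password(candidate, profile) or "ok")
```

The personal-token check is deliberately a substring match after normalization, so “B1ngo2019” and “bingo-2019” are rejected as well as the exact “Bingo2019”; the breached-hash check is what catches a password that was never derived from public data but has already been reused across a breached site.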
Assess Your Risk
Even if your company has a minimal number of employees, there are often people and other parties who have access to data and may pose a risk to cybersecurity. You should fully vet all third-party contractors or vendors who collect or process consumer data, provide technical support or accounting services, or otherwise have access to your network. If these parties have lower data privacy standards or their employees are not well-trained in data security, they can become a major risk.
Even outside individuals who physically enter your work environment, such as custodial staff or delivery workers, can pose a threat if they gain access to a computer or sensitive information sitting on someone’s desk.
The best way to assess your risk is by completing a comprehensive privacy assessment that identifies areas to improve technology, policies, and the way people access and use data. Once you are aware of the gaps in your company’s cybersecurity, you can begin to take meaningful steps to improve.
Providing Meaningful Training for Employees
Cybersecurity is a complex topic, and no one can expect their employees to become experts on the subject. However, most businesses have room for improvement when it comes to training employees on basic data privacy and security practices.
The average data security training modules often used for onboarding or as annual training may not be enough to keep employees engaged in protecting data privacy. Whether they admit it or not, many employees quickly click through these modules and will not retain the information given when they need it the most.
Businesses need to implement new strategies to draw their employees’ attention to data security. Training could come in the form of funny memes, short video clips, or even sending out mock phishing emails to gauge who might be likely to click on links in a suspicious email. Sometimes even a quick email reminding your employees that they should be diligent will heighten awareness and decrease the likelihood of data loss.
Reducing the Risk
With the proper tools and adequate training, your employees can become an asset in protecting your business from cybersecurity threats. Cybercriminals rely on the fact that most people will keep making the same security mistakes over and over again. By making cybersecurity a top priority in your business, your employees will learn to avoid those common mistakes and therefore avoid many of the threats that are so common today.
Developing a cybersecurity plan may feel overwhelming, especially among the many other responsibilities of managing a small business. A comprehensive privacy and security program such as uRISQ can help you navigate these challenges and implement new technologies and policies that can make your business stronger than ever before.