The advent of new technologies such as cloud computing, big data, artificial intelligence, and the Internet of Things has made today’s IT world very different from what it was a decade ago. As the technology has evolved substantially, so have the cyber criminals, with attacks becoming increasingly sophisticated.
The pandemic pushed companies of all sizes and sectors toward an always-online mode of working and toward cloud and other cyber technologies. That shift was accompanied by a whirlwind of scams and fraudulent activity hitting companies in 2020 and 2021, with cybercriminals targeting employees’ access to the organization’s systems.
In this time of digital disruption and increased cyber threats, many companies are focusing their cybersecurity efforts on the technology component, to the detriment of the human factor. When data is compromised, it is often tied to negligence or a failure in the cybersecurity system within the company or at a third party working with the company.
First line of defense: Employees
It is imperative that companies focus on building and sustaining a culture of cybersecurity in the workplace for effective cyber risk management. This entails moving beyond the typical strategy in which most businesses simply allocate a certain portion of their IT budget or revenue to security without considering their actual needs. The approach must include helping employees realize that the risk is real and that their own actions can increase or reduce that risk. Companies’ cybersecurity coverage must also extend to third parties and others connected to their IT architecture.
Effective cybersecurity necessitates a persistent effort that covers employee behavior, third-party risks, and numerous other potential vulnerabilities in addition to application security, penetration testing, and incident management.
Enterprises spend millions of dollars on hardware and software but may neglect the simple act of properly training their employees in security practices. Teaching employees to recognize threats, curb poor cyber behavior, and follow basic security habits can provide the best return on investment. However, the benefits can be difficult to measure, and therefore the expense can be difficult to justify. Quantifying the return on investment in employee training and in building a culture of security is a hard sell to upper management. In many cases, management may not believe that simply training employees can reduce exposure to cyber losses.
Phishing email is an example of a cyber attack that takes the employee route. In fact, 90% of data breaches start with a phishing email, according to a threat trend report by an IT major. Yet most employees believe they would recognize a phishing email and would not act on the request it contains. However, the same threat trends report finds that at least one person clicked on a phishing link in around 86% of organizations. With nine out of 10 ransomware infections originating in some form of phishing event, investing in employee training about phishing emails and other attack methods can reduce risk significantly.
We need to understand that in any system, humans are the strongest asset but can also be the weakest link. Security culture is primarily for people, not for computers. Hence, it is important to instil the idea that security belongs to everyone, by creating programs tailored to region, department, and role, so that people understand that security is part of the organization’s culture.