A recent article from TechBeacon.com shares some sobering facts about the threat cyberattacks pose to businesses of all sizes. If you’re a business owner, you may want to stop and consider the following statistics from the article:
- Organizations experienced an average of four attacks over the past year
- 65 percent of security pros expect they will have to respond to a major breach within the next year
- External hacks cause 52 percent of breaches while insider attacks account for 34 percent of breaches
- Business email compromise (BEC) incidents led to 20,373 complaints to the FBI and over $1.2 billion in losses due to fraud
- For organizations with over $1 billion in revenue, it costs an average of $4.6 million to recover from a cyberattack
A single cybersecurity breach can cause staggering damage to a business beyond the cost of remediation. Other detrimental effects include the loss of customers, decreased sales, reputational damage, and legal consequences.
But what’s the biggest takeaway from 2019 cyberattack statistics for business owners? Employers should know that 90 percent of data breaches are caused by human error. In turn, employee awareness is a key component of cyber defense and is at least as important as the other security technology and tools used by organizations.
Areas of Education
If you own or operate a business but don’t have a cybersecurity background, you may not know the best way to educate your employees about online threats. When forming your employee cyber defense training, you’ll want to consult an enterprise cybersecurity expert and include the following topics in your training curriculum:
- Email Scams: Phishing attacks are the most common method cybercriminals use to gain access to an organization. They trick victims by posing as a trusted or important sender, dangling a false incentive, or creating a sense of urgency.
Phishing emails and text messages manipulate users into giving away personal information. They may try to steal passwords, account numbers, or other personally identifiable information (PII). Employees should know how to examine an email for inconsistencies between its header and body, and to inspect links, to judge whether the message is fraudulent.
- Password Security: Poor password security is one of the biggest threats to enterprise security, but proper password management is also one of the easiest protocols to enact. A password policy dictating the length and makeup of strong passwords and mandating periodic changes can go a long way in preventing hackers from accessing the network.
- Safe Internet Habits: Unsafe internet habits include downloading software from unknown sources and entering credentials into spoofed websites. Set clear rules and guidelines for internet use on the company’s devices and network.
- Malware Awareness: Employees should understand the common delivery methods and the threats posed by suspicious files in email, the importance of keeping antivirus running and up to date, and the escalation procedures to follow if a system is compromised.
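The header-and-body checks described under Email Scams can be automated as a first-pass triage aid for a mail team. The following is an added example (not code from the original article); it parses a constructed sample message and flags three common inconsistencies: a display name that shows a different domain than the real From address, a Reply-To pointing elsewhere, and link text whose host differs from the href it actually opens.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message). The display name shows a company
# address while the real sender and Reply-To use other domains, and the link
# text advertises a different host than the one the href really opens.
SAMPLE_PHISH = """\
From: "helpdesk@example-corp.test" <alerts@mail-relay.example.net>
Reply-To: verify@account-reset.example.org
Subject: Urgent: your password expires today
Content-Type: text/html

<a href="http://login.example-corp.test.account-reset.example.org/">https://login.example-corp.test/</a>
"""

class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def _host(value):
    # Lowercased host of a URL, or the domain part of an email address.
    if "://" in value:
        return (urlparse(value).hostname or "").lower()
    return value.rsplit("@", 1)[-1].lower()

def phishing_indicators(raw_message):
    """Return the header/body inconsistencies found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    findings = []
    if "@" in name and _host(name) != _host(addr):
        findings.append("display name shows a different domain than the From address")
    if reply_to and _host(reply_to) != _host(addr):
        findings.append("Reply-To domain differs from From domain")
    links = _LinkCollector()
    links.feed(msg.get_payload())
    for text, href in links.links:
        if text.startswith("http") and _host(text) != _host(href):
            findings.append("link text host differs from href host")
    return findings
```

A clean internal message with a plain display name, no Reply-To, and links whose text matches their href produces an empty list.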
Setting the tone from the top is vital in creating a meaningful employee cybersecurity awareness program. The foundation of an effective program is a comprehensive cybersecurity policy with clear expectations and instructions for all contingencies. New hires should have awareness training as part of their onboarding process, and existing employees should go through annual training, at a minimum. Additionally, posters and signage and periodic updates from the IT team should help reinforce proper behaviors.
When educating your staff about cybersecurity, you should also remind them what’s at stake. As Securitymagazine.com demonstrates, cybercriminals often pursue the following digital assets:
- Personal Data: Personal information such as medical records, credit card information, Social Security numbers, and bank account details are all commodities that are easily sold on the dark web.
- Computing Power: Hackers can take over business computers and internet of things (IoT) devices and use that power to build a pool of bots that perform a distributed denial of service (DDoS) attack against another target.
- Backdoor Access to Larger Organizations: By breaching a more vulnerable or smaller organization, cybercriminals can find ways to gain access to the larger organizations it works with.
- Ransom: In many cases of ransomware, the victim agrees to pay the ransom the hacker demands.
Next, employees need to familiarize themselves with the most common cyberattacks launched against businesses. Prevalent attack strategies include:
- Distributed denial of service (DDoS) attacks
- Social engineering
- Advanced persistent threats (APT)
- Living off the land attacks
- Insider threats
Of all these forms of attack, ransomware is often the most profitable for hackers. Ransomware typically gains a foothold when a user clicks a malicious link or opens an attachment that installs the malware on the system. Once the data files have been encrypted, the system displays a ransom demand and instructions on how to pay for the key that will unlock the data.
As previously mentioned, insider threats also account for many devastating hacks. Professional cybercriminals or corrupt employees conduct sabotage, theft, fraud, and espionage against the organization they work for. Insider threats typically persist over time and occur in all work environments.
Investing in Employee Education
Cybersecurity is not a luxury but a necessity. For most businesses, the investment in cyber defense and awareness education will cost significantly less than a successful attack. The foundation of your defense lies in training your employees to act as good stewards of technology. Awareness of and vigilance against cybercrime, combined with a strong overlay of technology, is a recipe for your business’s safety and success.