I’m sure you’re thinking, “I’ve already been spending hard-earned money on equipment that is keeping me safe, why would I do anything else?”
The reality of cyber crime in 2019 is far different from when it was first emerging 10 or even 20 years ago. Back in the early 2000s, a crime might amount to nothing more than someone testing the boundaries of what they could do or where they could get access online.
Some were already looking to use stolen data maliciously, such as credit card numbers or other personal information, to impersonate you, but the channels for obtaining that data were far less widely discussed then than they are today.
While technology such as firewalls and spam filtering has made theft less of a problem over the years, criminals have evolved right along with the technology.
Your antivirus is largely incapable of keeping up with the workarounds that even a budding 12-year-old hacker, intent on finding a way in, can devise. You see, the defenders, those designing the technology that searches for and destroys malicious code, are reacting to the actions of criminals who are hungry and passionate about what they are doing.
The defender is mostly observing and recreating attacks that someone else has already devised and carried out.
What many of the defender-types are not doing is discovering new attacks and helping organizations like yours defend against them before they are used.
What they are also not doing is evaluating how these criminals actually get into networks. As technical barriers made direct access to sensitive data and other lucrative information harder, criminals had to find craftier ways into your network undetected.
One of the biggest jackpots was your users.
I’m sure I sound like a broken record next to the other cybersecurity blogs you’ve read recently, in particular the call for more training and user participation in the security process: identifying threats, knowing what to do in the event of a phish or attack, and making sure the rest of the team can learn from any events or near-misses.
While businesses are investing in cybersecurity technology, the majority, nearly 87%, fail to attend to the human side of the issue, which includes things like emotional manipulation, social engineering, and accountability, among others.
More and more today, cybercriminals are attacking your organization through phishing emails, phone calls, and reconnaissance missions against your data and people. They first try to establish trust and credibility as to who they say they are. They then leverage that trust to get deep into your network and systems, getting around the in-place technology that was meant to defend against exactly such attacks.
Now, don’t get me wrong: criminals ARE still very capable of building tooling that bypasses the technical defenses on your network. BUT they are mainly using human-side attacks, playing on real human emotion, to get past the biggest security blocks. After talking their way past the security guard and the locked doors, all they have to do is evade antivirus or other reactive detection tools, many of which are not fully integrated into a process for acting on alerts, so they fail to detect anything in real time, as many might expect.
That’s why a culture of cybersecurity is a critical component of your defenses in 2019. If you and your team do not understand your risks, including the vulnerabilities in the technology on your network, you will never have a network that can withstand the next big attack.
BUT many cybersecurity experts have pinpointed two specific reasons why you may not have a cybersecurity culture, or why, even while trying to create one, you might ultimately fail to protect your network:
Lack of employee buy-in. First and foremost, not every organization makes clear that every single individual has a role to play in its cybersecurity culture. I’ve found that awareness usually runs high on technology-focused teams (though not always) but is lacking in many other departments.
That lack of team member buy-in is one of the major reasons your organization may face an uphill battle instilling a cybersecurity culture in your workplace.
Recent studies found that nearly 50% of employees have never received security training, and 96% say their passwords to critical data are “easy to remember” (which, in practice, usually also means easy to guess).
Why is this? Traditional security training is made up of bland instructional videos and PowerPoint slides. When was the last time you really got something out of a security training?
Without more interactive, hands-on, learn-from-experience sessions, your team may never see where the problems are in your processes, technology, or people, any of which could be leaving you exposed to a cyber event.
Lack of executive buy-in. I like the saying ‘the fish rots from the head down’. What I mean here is that if you, as the executive team, are not actively following the same security procedures as the rest of the team (I know some of you really hate changing your passwords), you are setting that example for everyone else.
Experts often see leadership and management excluded from security efforts for one reason or another: they don’t have to jump through as many hoops as everyone else to access the same data. The scary thing is that they are the bigger targets for criminals (yes, because you are the more visible faces on your website, you will be a bigger target when it comes to cyber crime).
Make sure you are learning what your risks are, evaluating your network, abiding by security-related policies and procedures, and encouraging your teams to identify potential problems or voice their concerns about improving your data security.
Make it easy to report threats, and reward those who speak up (in the long run, it’s far better to have people err on the side of reporting than to say nothing at all).