As the threat of cybercrime continues to rise, many companies are deploying advanced cybersecurity technologies to fend off attacks. However, their biggest security risk could be within their own walls.
People-based cyber attacks, such as malware and phishing, cost Canadian companies an average of $12.1 million in 2018, according to the 2019 “Cost of Cybercrime” study by Accenture and the Ponemon Institute. Globally, six in seven companies (85%) experienced phishing and social engineering cyber attacks in 2018—a 16% increase over 2017—and three-quarters (76%) suffered web-based attacks.
The fallout from cyber attacks is far reaching. “All it takes is for one employee to click on a malicious link or attachment and the entire company could be brought to a halt from ransomware,” says David Greenham, vice-president at accounting and consulting firm Richter. “Depending on how good or bad the organization’s data backups are, this could result in lost revenue, lost productivity, loss of customers and damaged reputation. In some extreme cases, the company could actually go out of business if they can’t recover their vital data.”
With employees increasingly getting duped by cybercriminals, there’s clearly a lot of work to do. While 75% of Canadians feel they are prepared to handle cybersecurity attacks in the workplace, 60% say they have not received any form of cybersecurity training, according to the “The Digital Citizen” study by IT solutions provider Scalar Decisions.
“Traditionally, cybersecurity in organizations is treated as a technology approach—they feel the easiest way is to deploy a solution and then they don’t have to worry about their employees,” says Theo Van Wyk, chief technology officer at Scalar. “But the reality is the majority of breaches that we see today involves the human element ... The hackers realized a long time ago that the employees themselves, as people, tend to make mistakes.”
Greenham believes cybersecurity awareness training is one of the most important initiatives a company can adopt. “Humans are often called the weakest link in the security chain, which makes it vital that they receive proper training on how to identify and report threats or potential security problems,” he says.
Attackers often target employees using social engineering to get the desired response from them, such as clicking on an attachment or providing the attacker with information they otherwise shouldn’t have, he adds. “Awareness training can help employees be more skeptical and think twice before clicking on those links or attachments, and to question when a request doesn’t feel quite right.”
HOW TO TRAIN YOUR HUMANS
To prepare for a cyber attack, businesses need to arm their employees with the skills and knowledge to recognize and report threats. Here, cybersecurity experts offer their training tips:
Make it relevant: Cybersecurity training should be tailored to employees’ specific job functions. “We see a lot of generic training material out there and it doesn’t always hit the mark,” says Van Wyk. “Make sure employees in roles that leverage sensitive data, for example, have training that’s tailored for them to understand the threats they may be facing and how to use the tools that are available to them.”
Don’t set it and forget it: “Some companies may do as a one-off effort, but it should be something that’s done year over year to reinforce the message,” says Greenham. He says employees should be trained at the time of hire and then participate in annual refreshers to keep security top of mind.
Train for different environments: Whether it’s online, email or the cloud, employees should be aware of the risks specific to each environment. “There needs to be an understanding of how employees should interact with different devices and different environments,” says Ali Ghorbani, professor of computer science at the University of New Brunswick and director of the Canadian Institute for Cybersecurity. “They have to be knowledgeable enough to know where and how to click, which websites they can go on, and which websites could be compromised or phishing websites.”
Make it engaging: As serious as cyber attacks are, awareness training can incorporate a bit of play to make it more engaging for staff. For example, employees can be assigned a score based on how well they do in their training, and on an ongoing basis, they can earn scores for reporting certain threats and attacks. “It creates a community of security awareness ... as opposed to just training and a certificate goes on a cubicle and people forget about it until the next training session,” says Van Wyk.
Don’t over-train: “There is a danger in over-training,” says Van Wyk. “If you train too much on the same type of content, people just become stagnant, they start ignoring the threats.” While training frequency may look different at each company, Greenham says, “You have to draw the balance between bothering employees too much and not enough.”
Stay on top of threats: New threats emerge all the time and it’s important to inform employees as quickly as possible. “Give them the digested version so they know how to deal with it,” says Van Wyk. “For example, if there’s a new phishing email that is seeing significant success, it’s understanding why is that attack so successful and what are the key things that I can train my employees on to detect and avoid that.”
This article appeared in Canadian Grocer’s November issue.