Cybersecurity: Educate and Motivate Staff to Be Careful

Posted on 05.08.17

  1. According to Trend Micro, 91% of cyberattacks start with a targeted “spear-phishing” email. [1]
  2. The FBI found that from October 2013 through February 2016, roughly two and a half years, $2.3 billion was stolen from 17,624 corporate victims in business email compromise scams, which convince individuals with wire transfer authority to send money to a fraudster. [2]
  3. According to IBM, security awareness training is the 3rd most effective measure to contain costs should a breach occur. [3]

The end user continues to be an entry point for attackers. Spam filters, firewalls, anti-virus and other technological defenses can and do help, but they are far from perfect. Hackers and scammers constantly craft new attack vectors that slip past these controls to reach organizational staff and systems. Every employee should understand the limits of the technology and the potential cost of a security event to the organization.

Most employees are unaware of these limitations and proceed under the belief that cybersecurity is not their job. If an email reached their inbox, it must be safe, and if it wasn't, it is someone else's fault. Likewise, if a website isn't blocked, it must be safe. These are, of course, dangerous assumptions.

A good security awareness training program should have two goals:

  1. Inform staff of the threats that they are most likely to encounter
  2. Motivate them to stay vigilant for attacks

One effective way to motivate staff is to personalize the costs of a breach, which may include their own identity theft, lost jobs, and fractured friendships. Staff must feel personally invested in your organization's cybersecurity. Everyone plays a role, and the more staff who consider themselves part of your security apparatus, the less likely you are to suffer a breach.

Actionable Steps

  1. In policy, require that all new staff obtain a security awareness training.
  2. Perform security awareness training for all staff periodically.
  3. Mount simulated email-based attacks against employees to assess their abilities and provide continuous training.
  4. Periodically email security updates to ensure staff remain aware of the latest threats.
  5. Reinforce the importance of vigilance at company meetings.
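Step 3 above is the one item in the list that is a technique rather than a policy, and the part practitioners most often get wrong is the bookkeeping: attributing clicks to individuals without letting anyone forge or enumerate a colleague's link, and turning raw hits into a scorecard that drives follow-up training. The following is an added example, not a tool from the original article or its author. The campaign key, roster, landing URL and log lines are all constructed for illustration; the per-recipient token is an HMAC over the campaign and user identifiers so that results cannot be spoofed without the key.

```python
"""Phishing-simulation tracking: per-recipient HMAC tokens, click attribution,
and a per-department scorecard. Added example; everything below (key, roster,
URL, log lines) is constructed for illustration."""
import hashlib
import hmac
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Assumption: a per-campaign secret kept outside the mail template (e.g. in a vault).
CAMPAIGN_KEY = b"example-only-key-rotate-per-campaign"
CAMPAIGN_ID = "2017Q2-wire-fraud-lure"
LURE_HOST = "https://training.example.com"  # hypothetical landing host
LURE_PATH = "/lure"

# Constructed roster; not real people.
ROSTER = [
    {"id": "u001", "email": "a.nguyen@example.com", "dept": "Finance"},
    {"id": "u002", "email": "b.ortiz@example.com", "dept": "Finance"},
    {"id": "u003", "email": "c.patel@example.com", "dept": "Operations"},
    {"id": "u004", "email": "d.kim@example.com", "dept": "Operations"},
]


def make_token(user_id, campaign_id=CAMPAIGN_ID, key=CAMPAIGN_KEY):
    """HMAC-SHA256 over campaign|user, truncated to 128 bits. Without the key a
    recipient cannot forge a colleague's token or guess a sequential one."""
    msg = f"{campaign_id}|{user_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def lure_path(user_id):
    """Path-and-query that the landing page sees for one recipient."""
    return f"{LURE_PATH}?c={CAMPAIGN_ID}&t={make_token(user_id)}"


def tracked_link(user_id):
    """Full unique link embedded in the simulated lure email."""
    return LURE_HOST + lure_path(user_id)


def resolve_token(token, roster=ROSTER):
    """Attribute a clicked token to a recipient; None if forged or garbled.
    Constant-time comparison so a probing attacker learns nothing from timing."""
    for person in roster:
        if hmac.compare_digest(make_token(person["id"]), token):
            return person
    return None


def parse_click(log_line):
    """Pull the token out of a constructed access-log line of the form
    '<timestamp> <client-ip> GET /lure?c=<campaign>&t=<token>'.
    Returns None for lines that are not hits on this campaign."""
    parts = log_line.split()
    if len(parts) < 4 or parts[2] != "GET":
        return None
    qs = parse_qs(urlparse(parts[3]).query)
    if qs.get("c", [None])[0] != CAMPAIGN_ID:
        return None
    return qs.get("t", [None])[0]


def scorecard(click_lines, reported_ids, roster=ROSTER):
    """Per-department click/report rates, who needs follow-up, and how many
    hits carried tokens that do not belong to anyone (forged or mangled)."""
    clicked, rejected = set(), 0
    for line in click_lines:
        token = parse_click(line)
        if token is None:
            continue  # other campaign or unrelated request
        person = resolve_token(token, roster)
        if person is None:
            rejected += 1  # count but never attribute an unverifiable hit
        else:
            clicked.add(person["id"])
    by_dept = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for p in roster:
        d = by_dept[p["dept"]]
        d["sent"] += 1
        d["clicked"] += int(p["id"] in clicked)
        d["reported"] += int(p["id"] in reported_ids)
    for d in by_dept.values():
        d["click_rate"] = d["clicked"] / d["sent"]
        d["report_rate"] = d["reported"] / d["sent"]
    needs_training = sorted(p["email"] for p in roster if p["id"] in clicked)
    return {"departments": dict(by_dept), "needs_training": needs_training,
            "rejected_hits": rejected}


# Constructed events: u001 clicks twice, u003 clicks once, one hit carries a
# forged token, and one hit belongs to a different campaign. u004 reported the mail.
SAMPLE_CLICK_LOG = [
    f"2017-05-08T09:14:02Z 10.0.4.17 GET {lure_path('u001')}",
    f"2017-05-08T09:14:40Z 10.0.4.17 GET {lure_path('u001')}",
    f"2017-05-08T09:31:11Z 10.0.7.3 GET {lure_path('u003')}",
    f"2017-05-08T10:02:55Z 10.0.9.9 GET {LURE_PATH}?c={CAMPAIGN_ID}&t=deadbeef",
    f"2017-05-08T10:05:00Z 10.0.9.9 GET {LURE_PATH}?c=other-campaign&t={make_token('u002')}",
]
SAMPLE_REPORTED = {"u004"}

if __name__ == "__main__":
    for person in ROSTER:
        print(person["email"], tracked_link(person["id"]))
    print(scorecard(SAMPLE_CLICK_LOG, SAMPLE_REPORTED))
```

The scorecard is the artifact that feeds step 2 (re-train the people who clicked) and step 5 (report department-level click and report rates at company meetings). Rotate the campaign key every run so tokens from an old exercise cannot be replayed into a new one, and treat the report rate, not just the click rate, as the success metric: a staff member who forwards the lure to the security team is exactly the outcome the training is trying to produce.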

The content in this article covers just one aspect of cybersecurity that small to mid-size businesses need to address. Download the entire whitepaper below for additional cybersecurity suggestions.


Posted by: Christopher Moschella, CPA, CISA

Chris is a Senior Manager in Keiter's Risk Advisory Services. Chris has a strong combination of IT skills, which range from IT audit and internal control assessments, including general computer controls and application controls, to full stack web development. Most recently, Chris developed a cybersecurity web application that assesses an organization's resistance to social engineering attacks. Chris shares his cybersecurity insights on our blog.