As we end 2019, Cyber Risk Aware CEO and founder, Stephen Burke, looks back on a year that has seen a 54% increase in data breaches, and argues that we need to go back to basics in order to protect ourselves.
With sensitive and financial data compromised, there have been catastrophic effects on individuals and businesses alike. Even the largest organisations, with IT budgets that run into the hundreds of millions of dollars, have had their systems breached. You don’t need large sums to fight cybercrime in 2020, just a back-to-basics strategy that tackles the real vulnerability within an organisation - human error.
Throughout the year, we’ve seen attacks on large companies such as Capital One and British Airways, as well as breaches of information held on cloud systems by Verizon Communications Inc., GoDaddy Inc. and even the U.S. Department of Defense. Business leaders are widely criticised and held accountable for failing to protect their consumers’ data, especially in light of the vast IT and training budgets at their disposal, yet it is the daily performance of front-line staff that reveals the true strengths and weaknesses within any organisation.
Over 90% of data breaches are caused by human error, and seemingly secure networks, with tens and sometimes hundreds of thousands of pounds invested in state-of-the-art information security tools, can be undone by a lack of understanding, a poorly configured server or an absent-minded click on a phishing email. A hacker only needs to gain access to one user’s account to then gain control of, and access to, the compromised network and its data. If staff members and users aren’t proactively prepared for the ever-changing security challenges, an organisation is left perilously exposed to the constantly evolving and subtly sophisticated techniques of hackers and cyber criminals.
Hackers are also targeting servers that haven’t been set up correctly, which gives them access to sensitive data with minimal effort. Cloud-based systems such as Office 365 running without multi-factor authentication, or web-based systems that are not patched, leave vulnerabilities that can be exploited. Likewise, hardware such as firewalls can be configured incorrectly, and poor security settings on individual devices can lead to loopholes and massive network vulnerabilities.
Next year, we will also see an increase in iPhone malware like Pegasus and a continuation of Android malware, which has always been present. People tend to think their phone is secure, but it is a computer like any other and contains personal and work information, digital identities, passwords and bank account access. Cyber criminals target people and are increasingly going after the phone - the smaller screen lends itself to easier deception using phishing emails and especially SMS phishing, which can compromise whole organisations.
In the year ahead, all companies should stop over-thinking security when it comes to cybercrime. They need to get back to basics and do those basics right. They should focus on staff first and foremost to be the first line of defence.
Business leaders should see cybersecurity as a real business risk, not just a problem for the IT department. The criminals know that people are the easiest target, and yet even some of the most savvy businesses are not helping their staff defend their own networks.
The FBI recently reported that Business Email Compromise (BEC) and Email Account Compromise (EAC) have cost organisations globally more than $26 billion since 2016. If these emails are getting through, the staff need to know how to deal with them. This can only be done by implementing mandatory cyber awareness training. The most effective training of all is real-time simulation training that shows attacks as they would happen and how to deal with them. Training should be regular and ongoing as staff come and go and attacks vary.
If cybersecurity is on the C-suite’s risk register and elevated in importance within an organisation, with accountability taken out of the hands of the IT manager and placed at board level, then that organisation will ultimately be better protected, more secure and more competitive.
A lot of organisations think that training processes are complex and difficult to integrate, but tackling the human problem is easier than you think. There are tools and platforms that are simple to deploy and come at a significantly lower cost than expensive enterprise software solutions. A real-time training platform offering courses, education and knowledge assessments, combined with simulated phishing attacks and policy dissemination, is the ideal solution for building a cybersecurity awareness culture - a critical step in every organisation’s defence against attack.
Cybersecurity is not a quick fix. Criminals will keep coming and it is today’s business leaders’ responsibility to treat this as a real and severe risk. In 2020, companies wanting to stay ahead of cyber attack trends need to look to build a human firewall that, in turn, protects the technical firewall.