Whoever said “There’s no such thing as bad publicity” never anticipated the fallout from an organization announcing it has lost 30 million customer credit card numbers to a hacking group, or paid thousands of dollars in ransom to avoid losing vital digital records.
Companies are taking cybersecurity more seriously than ever, but for all the technical investments being made, a 2017 report by law firm BakerHostetler illustrates that there is no silver bullet that will solve this problem. The reason? People are still the weakest link in the cyber security chain.
The firm’s study showed that 43 percent of the incidents it handled for clients were the result of threats that arrived in an email inbox or resulted from careless browsing, including phishing, hacking and malware attacks. Thirty-two percent of incidents were chalked up to an employee action or mistake. Eighteen percent of incidents involved a lost or stolen device or records. (You left your laptop where?)
Because these forms of attack are so successful, hackers continue to increase the frequency and sophistication of ransomware, says Simon Arnell, chief security technologist for DXC’s office of the chief technology officer. In a recent paper, he notes that ransomware is being used as a cover for more nefarious purposes. Ransomware can be used to render endpoints unusable or “bricked,” so it can be used to cover larger data thefts. Another form of ransomware referred to as “doxware” threatens to publish personally sensitive information unless a ransom is paid.
Organizations can take proactive steps to better resist these types of attacks, detect them more quickly when they occur and minimize their impact. Many of these steps center on a similar theme: making systems more resilient by making people more resilient:
- Make cybersecurity awareness a top training priority. When employees aren’t aware of threats, they won’t know how to avoid sparking an incident. Training employees to recognize the clues evident in most fraudulent emails and testing them periodically with “fake” phishing emails will help identify those who need additional training.
- Alert employees to avoid responding to any email requests for personal information, such as W-2 forms. Any request for sensitive data should be confirmed by telephone or require an in-person request. Employees should never ask for confirmation by replying to the original email.
- IT departments can stay on top of the latest threats by becoming part of information-sharing programs such as those sponsored by the U.S. Department of Homeland Security. More information on these programs can be found at www.dhs.gov/topic/cybersecurity-information-sharing.
Computer networks, systems and software are the products of human endeavors and are used by us as well. There will always be potential weaknesses and exploits for threat actors to attack. This means companies need to take every step to build resiliency, employ the latest technologies and be prepared in the event a system is compromised. But as the BakerHostetler study shows, the best way to reduce the chances of an attack may be the investments we make in preparing and educating ourselves.