Cybersecurity has a People Problem

Cybersecurity isn’t a perfect science. The best defenses often rely on defeating known attacks. But bad actors are creative, always searching for new ways to exploit any weakness. And they’ve found one that works time and again – targeting people.

The most common initial attack vector reported in a recent IBM study is stolen or compromised credentials, responsible for 19% of breaches. The next most common attack, at 16%, is phishing, a technique where emails, calls, or text messages by someone posing as a legitimate institution lure others into providing sensitive data, banking and credit card numbers, and passwords. What do both attacks have in common? People.

As a business owner, you count on your employees to be the first line of defense against cybersecurity attacks, protecting access and data, recognizing when something seems off, and reporting anything suspicious. Yet the IBM study also revealed that this year, phishing cost companies $4.91 million on average and compromised emails $4.89 million. These are numbers that clearly indicate the problem isn’t just confined to small businesses; astronomical losses at large organizations are more than many smaller firms are worth. And again, the common denominator is a weakness in the front lines, people.

What can a Main Street business do to shore up its employee defenses? Focus your efforts in four areas to enhance your security posture where it counts – with employees.

Awareness and Training

We recommend quarterly cybersecurity training for all employees, even those who may not use a computer or have access to systems at work. The reason? Awareness. If you don’t know what attacks look like, you are more likely to fall for them, at home and at work.

Helping employees develop best practice screening techniques, like checking an email address to see where a message is coming from, and how to determine if they can trust links in an email or text, is the first step. It’s not enough to recognize security issues, though; employees also need to know how to respond and whom to tell if they see an attempted attack.

Training modules for employees are part of Periculus’ Security Subscriptions and Risk Concierge because we firmly believe knowledge is power.

Policies go hand-in-hand with training. These “rules” for conducting business can apply specifically to security protocols, spelling out how employees can use digital tools, email, and even internet access to protect the company. While writing operating policies is often DIY, you may wish to look at the policies of other companies or those recommended by cybersecurity pros to ensure your policies are robust enough to protect your assets but not interfere with employee productivity.

Testing and monitoring

Learning about attacks is one thing, but actually facing them is quite another. That’s why smart businesses test their employees with real-world scenarios and practice what to do in case of an attack, breach, or ransom. Fake phishing emails and test calls provide a way to gauge the effectiveness of your policies and training and to observe what employees will do when faced with a security issue. We believe practice makes perfect.

Similarly, although you may have trained your employees, you’ll still want to monitor system access and activities to ensure digital resources and communications are being used appropriately.

We’ve found it doesn’t matter what your policies read if you’re not enforcing them. Testing and monitoring ensure that your employees not only understand the policies but that they are well-equipped to protect your business.

Background Screening

If you’re about to trust someone with your customers and revenue, then it’s important to verify their credentials and background. Employee screening is widely utilized by large companies but often ignored by smaller ones. With the risk involved in cybersecurity, that needs to change. You can scale the kind of background screening you conduct depending on the position and level of access or exposure each employee has. Typically, screenings include verifying information the employee has provided, like education and employment, and also looking at criminal history, credit, and social media.

We recommend rescreening annually – on the employee’s start date anniversary or their birthday. Continuous screening, and regular check-in conversations allow employers to be aware of any changes – good or bad – that could impact the ability to do the job and protect company data.

Check ins also provide the opportunity for managers and owners to make sure that employees feel valued and well cared for. Retaining good employees is far easier than recruiting, hiring, and training new ones.  

Company Culture

Fostering a security culture in a business of any size starts at the top. Having leaders demonstrate the value of company data and the role of individuals in protecting customer and employee personal information is critical.

Culture is woven into cybersecurity policies as well as company norms. Take this example that a client shared: They received a one-line email from a colleague with a link. The format raised red flags, but the email address seemed legit. A quick call to confirm the email was met with friendly reassurance and gratitude. That response reflects a culture that values security.

Another hallmark of a security culture is a willingness to look out for others. When a client sent out a phishing email to test employees, they were delighted that many employees not only deleted the email without responding, but several also called their manager to let them know the company was potentially being targeted for an attack. Responding to such efforts with praise and reinforcing the defensive behaviors not only signaled a successful test, but also a healthy security culture.

Solving the people problem in cybersecurity is more of an art than a science – different techniques will work for different companies. The best advice for small businesses who need to boost their security profile is regular training, monitoring and testing to reinforce policies, background screening, and developing a security-minded culture.