The Weakest Link in Cybersecurity
by Bobby Garrett, Gray, Gray & Gray, LLP
It might already be glaring at you from your computer screen
Cyberattacks are increasing in frequency and sophistication. The targets are not necessarily billion-dollar corporations: half of all cyber incursions hit small and mid-size businesses. Thieves are drawn to any company that holds a customer list worth stealing, which makes fuel oil and propane marketers an appealing target.
At risk are not only your company’s data, but any customer data and personal information you may have. This could be as clear-cut as a credit card number, or as seemingly innocuous as an address list you maintain for fuel deliveries.
When it comes to protecting information about your company and customers from cyberattacks, you want to be sure you deploy robust detection and prevention methods, including firewalls, enhanced system and network monitoring, secure networks and powerful encryption. But to be truly effective your defenses must start with the weakest point: your people.
A study by consulting firm Willis Towers Watson found that about 90 percent of cybersecurity breaches are due to human error or behavior, whether employee negligence or malicious acts. In most cases it starts with an email. The simple act of an employee unwittingly opening a malicious attachment or link could release malware into your network, causing untold disruption, damage and cost.
More ominous is the increasing prevalence of “spear-phishing”: fraudulent email crafted to look as if it came from a known or trusted sender and aimed at specific individuals, in order to induce them to reveal confidential information such as passwords, account details or customer data. If a staff member blindly opens and responds to a spear-phishing email requesting such information because “it looked legit,” that opens the door wide to cybercriminals.
Train Your Way to Security
Technical defenses cannot stop every careless click, so the most direct way to prevent such unintentional, yet destructive, actions is to promote cyber literacy among your staff. Training sessions that teach employees to recognize threats, use only approved software, and apply strong passwords are the most important security investment you can make.
The need to educate employees on cybersecurity is magnified by the move to a remote working environment. Whether your company’s work-from-home endeavor is a temporary measure made necessary by social distancing in the COVID-19 pandemic, or a permanent initiative designed to create a more connected and streamlined workforce, the cybersecurity threat associated with remote work is significantly higher than in an office environment protected by defenses such as a shared firewall. A home network, a personal laptop and a consumer email account rarely have the monitoring, patching and filtering that the office network enjoys.
Digital security workshops that help companies raise the level of awareness of personal responsibility in preventing cyberattacks, phishing, and malware intrusion may focus on three critical components of individual behavior:
- Recognizing Threats – Stressing heightened alertness through the Employee Security Awareness training system. Potential thieves count on being able to fool a user who is not vigilant and watchful.
- Confirming Identities – Training employees to confirm the legitimacy of any request for information or data, and on the need for reporting any potential scams to IT. Employees should be skeptical about data requests and look for clues that an email might be “spoofed.”
- Protecting Sensitive Information – Practical application of strong, unique passwords, with a password manager so that staff neither reuse passwords across accounts nor write them down, to protect accounts and the sensitive data behind them. This includes consistent use of two-factor authentication, a somewhat annoying process that offers a strong defense against intrusion even when a password has already been phished.
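The spear-phishing threat described earlier and the “look for clues that an email might be spoofed” advice in the list above come down to a handful of header checks that a trained employee, or a mail filter, can perform. The script below is an added example for this article, not a tool from the author or the firm: it parses a raw message and reports the common clues (an email address hiding in the display name, a Reply-To pointing elsewhere, a lookalike sender domain, and failed SPF/DKIM/DMARC results recorded by the receiving server). The trusted domains, addresses and both sample messages are constructed for illustration.

```python
"""Spot header-level clues that an email may be spoofed.

Constructed example added to this article; it is not a tool from the author or
the firm. Domains, addresses and messages below are made up for illustration.
"""
import difflib
import email
from email.utils import parseaddr

# Domains your company legitimately corresponds with. Assumption: example.com
# stands in for your own domain and fuel-supplier.example for a vendor.
TRUSTED_DOMAINS = {"example.com", "fuel-supplier.example"}

# Single-character swaps attackers use to build lookalike domains (0 for o, 1 for l ...).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def domain_of(header_value: str) -> str:
    """Lowercase domain part of the address in a From/Reply-To header, or ''."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_lookalike(domain: str) -> bool:
    """True if the domain resembles a trusted domain without being one."""
    if not domain or domain in TRUSTED_DOMAINS:
        return False
    # Undo common visual tricks (rn for m, vv for w, digits for letters), then compare.
    folded = domain.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")
    return any(
        folded == trusted or difflib.SequenceMatcher(None, domain, trusted).ratio() >= 0.85
        for trusted in TRUSTED_DOMAINS
    )


def spoofing_clues(raw_message: str) -> list[str]:
    """Return human-readable reasons to distrust the message (empty list = no clue found)."""
    msg = email.message_from_string(raw_message)
    clues = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # Clue 1: the display name carries an address that is not the real sender.
    if "@" in display_name and display_name.strip().lower() != from_addr.lower():
        clues.append(f"display name shows {display_name.strip()} but mail is from {from_addr}")

    # Clue 2: a reply would go to a different domain than the apparent sender.
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        clues.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # Clue 3: the sender domain is a near miss of one we trust.
    if is_lookalike(from_domain):
        clues.append(f"sender domain {from_domain} imitates a trusted domain")

    # Clue 4: the receiving mail server recorded a failed SPF/DKIM/DMARC check, or
    # recorded nothing at all for mail that claims to come from a trusted domain.
    auth = msg.get("Authentication-Results", "").lower()
    for check in ("spf", "dkim", "dmarc"):
        if f"{check}=fail" in auth or f"{check}=softfail" in auth:
            clues.append(f"{check.upper()} failed according to Authentication-Results")
    if from_domain in TRUSTED_DOMAINS and not auth:
        clues.append("claims a trusted domain but carries no Authentication-Results header")
    return clues


# Constructed sample messages; only the headers matter for these checks.
SPOOFED_MESSAGE = """\
From: "ap@example.com" <ap@exarnple.com>
Reply-To: billing@invoice-desk.example.net
To: driver@example.com
Subject: Urgent: updated delivery address list needed today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=exarnple.com; dkim=none

Please reply with the current customer address list for tomorrow's route.
"""

LEGITIMATE_MESSAGE = """\
From: "Accounts Payable" <ap@example.com>
To: driver@example.com
Subject: Route sheet for Tuesday
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com

Attached is Tuesday's route sheet.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(name, "->", spoofing_clues(raw) or "no clues")
```

The Authentication-Results header is only meaningful if your own mail server adds it and strips any copy that arrives from outside; otherwise an attacker can simply write a passing one. The lookalike check is deliberately loose (a similarity ratio of 0.85 will also flag some legitimate near-miss domains), which is the right bias for a warning that a human then confirms by phone, as the “Confirming Identities” item above recommends.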
Training should not end with a single session. Regular updates on emerging cyber threats are necessary to keep awareness high, and surprise tests keep people alert: training providers should run regular, unannounced phishing tests to identify the staff members who are not following established protocols and are opening the company up to a data breach. Embarrassingly, many times the culprit is the company owner.
Cyber literacy training has the added benefit of showing employees that they are appreciated and that you are meeting their professional development needs. Providing the tools necessary for mastering the rapidly developing technologies that they must deal with every day might also help with employee retention.
Just in Case … Back Up!
The growing sophistication of cybercriminals means that even the strongest defenses may eventually be pierced. To limit the damage, you should always, always, always back up company data as frequently as possible. Hourly is ideal, daily is good, and weekly is just about a must. Do not rely on a backup that sits on an onsite server or device your own network can write to. Cybercriminals are sly and patient and have taken to infecting or encrypting backup devices as well as main servers, so a backup that an intruder on your network can reach is no backup at all.
Instead, secure encrypted space on a cloud server, for the best protection and for ready access during recovery. Have a disaster recovery plan in place for retrieving your stored data so you can get your systems up and running again, and test that plan by actually restoring from a backup before you need it: a backup that has never been restored is an assumption, not a safeguard. There are even companies that provide “disaster recovery as a service” programs to help minimize delays.
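The backup and recovery steps above can be rehearsed in a few lines. The script below is an added example for this article, not the firm's tooling or any backup vendor's product: it archives a folder, records a SHA-256 digest for every file in a separate manifest, then restores the archive into a scratch directory and checks each file against the manifest, which is exactly the test a disaster recovery plan should include. Encryption and offsite storage of the archive are assumed to be handled by the cloud backup service and are not shown; the folder names and sample files are constructed for illustration.

```python
"""Back up a directory, record file digests, and rehearse the restore.

Constructed example added to this article; it is not the firm's tooling or any
vendor's product. Encryption and offsite storage of the archive are assumed to
be handled by the cloud backup service and are not shown here.
"""
import hashlib
import json
import tarfile
import tempfile
import zlib
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 hex digest of a file, read in chunks so large files stay out of memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, dest: Path) -> tuple[Path, Path]:
    """Archive every file under `source` into dest/backup-<UTC stamp>.tar.gz and write a
    manifest of per-file digests beside it. Keeping the manifest separate from the
    archive lets a later restore be checked against what was actually backed up."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = dest / f"backup-{stamp}.tar.gz"
    manifest = dest / f"backup-{stamp}.manifest.json"
    digests = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = path.relative_to(source).as_posix()
            digests[rel] = sha256_of(path)
            tar.add(path, arcname=rel)
    manifest.write_text(json.dumps({"archive": archive.name, "files": digests}, indent=2))
    return archive, manifest


def verify_restore(archive: Path, manifest: Path) -> bool:
    """Restore the archive into a scratch directory and confirm every file listed in the
    manifest comes back with the recorded digest. A truncated, corrupted or tampered
    archive, or one that is missing files, fails the rehearsal."""
    expected = json.loads(manifest.read_text())["files"]
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # Refuse entries that would write outside the scratch directory.
                safe = [m for m in tar.getmembers()
                        if m.isfile() and not m.name.startswith("/")
                        and ".." not in Path(m.name).parts]
                tar.extractall(scratch, members=safe)
        except (tarfile.TarError, OSError, EOFError, zlib.error):
            return False
        root = Path(scratch)
        return all(
            (root / rel).is_file() and sha256_of(root / rel) == digest
            for rel, digest in expected.items()
        )


def rehearsal() -> tuple[bool, bool]:
    """Run the whole cycle on constructed data: an intact backup should verify, and the
    same archive damaged afterwards (simulated by truncating it) should not."""
    with tempfile.TemporaryDirectory() as work:
        source, dest = Path(work, "customers"), Path(work, "backups")
        (source / "routes").mkdir(parents=True)
        dest.mkdir()
        # Constructed sample data standing in for a delivery address list and a route.
        (source / "addresses.csv").write_text("name,street,tank_size\nA. Customer,1 Main St,275\n")
        (source / "routes" / "tuesday.txt").write_text("1 Main St\n2 Oak Ave\n")
        archive, manifest = create_backup(source, dest)
        intact_ok = verify_restore(archive, manifest)
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])  # simulate a damaged archive
        damaged_ok = verify_restore(archive, manifest)
    return intact_ok, damaged_ok


if __name__ == "__main__":
    print("(intact verifies, damaged verifies) =", rehearsal())
```

In practice the manifest would be stored with the offsite copy and the rehearsal run on a schedule against the copy actually held in the cloud, not against the file that was just written, since the point is to prove that what you would restore from after an incident is complete and unaltered.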
Bobby Garrett is Director of IT & Cybersecurity at Gray, Gray & Gray certified public accountants. He can be reached at 781-407-0300 or firstname.lastname@example.org.