It’s a connected world, fueled by a connected workforce whose organizations live and die by their data. Now that they can plug in from any device, traverse cyber-space, and communicate via email, IM, or VoIP, older employees forget they haven’t always worked this way. But Phil Bickford contends that the current digital age — marked by the mainstream adoption of technology, emerging social media, and mobility — is only around 15 years old. How mature, then, can workplace cybersecurity awareness be?
Not very, according to Bickford, whose 2018 CyberCrime Symposium session explored workplace cybersecurity awareness based on findings from MediaPRO’s 2018 State of Privacy and Security Awareness Report.
“From a young age, we’re taught to avoid strangers and similar fight-or-flight lessons, but nobody trained us to be cyber-aware,” said Bickford, a senior technical product manager at MediaPRO. “Unfortunately, the only cyber-training people get tends to be in the workplace.”
That’s a hefty burden for employers to shoulder. Nonetheless, they’ve got to better manage cyber-risk, as breaches escalate and tougher laws, like the GDPR, crack down on privacy violations. To that end, Bickford presented survey data on specific threat vectors, primarily email, and the threat types exploiting them, then pulled that together to help attendees create engaging cybersecurity awareness programs.
Don’t Show Them the Money
In his opening remarks, Bickford noted the sizeable number of attendees representing the finance sector, joking that he might need security to ensure his safety after revealing the 2018 report’s findings.
Here’s why: Of the seven industries covered, the finance sector scored lowest in cybersecurity awareness. While 75% of employees across all industries lacked sufficient cybersecurity and privacy knowledge, that number jumped to 85% for employees in financial services.
However, Bickford was quick to point out mitigating factors. “Finance is the leading cyber-crime target, due to its valuable financial data, personally identifiable information (PII), analytics insight, and intellectual property,” he said. “Criminals that exploit email as a threat vector hit the financial sector the hardest.”
Risky behavior impacting personal data security isn’t limited to entry-level employees. In fact, said Bickford, MediaPRO analysis shows that managers and executives represent a higher cyber-risk than lower-level staff.
When tested on their email threat knowledge, just 53% of executives could define “business email compromise” (BEC) — and they’re the direct target of these effective exploits. Since 2013, said Bickford, BEC has been responsible for financial losses of $12.5 billion. In “CEO fraud” attacks, cybercriminals employ social engineering techniques using personal information found in social media and other sources.
After crafting messages that sound authentic, they spoof the CEO’s address and send the email to an assistant, instructing them to transfer funds into an account, or send them sensitive documents.
The Many Faces of PII
Cyber-educated employees know personal data when they see it and the best ways to protect it. Most respondents identified social security numbers and birthdates as PII. However, some had trouble with higher-hanging fruit.
To illustrate, Bickford cited a survey scenario involving password hint disposal. Almost 60% said they’d throw the slip of paper with the hint in the trash. “With the hint’s help, an employee who knows that co-worker could guess their computer password to gain access to all kinds of personal information,” said Bickford. Therefore, “employees should treat password hints as secure items, covered by privacy protections.” In other words, bring on the shredder.
Tips for Raising Cybersecurity Awareness
It’s senseless to invest millions or even billions in security technology without proportionate spending on cybersecurity awareness programs. The workforce requires comprehensive, ongoing education and training in cybersecurity and data privacy, so they internalize best practices. Make it fun, said Bickford.
See Something? Say Something.
Given the stakes, smart CISOs foster a sense of teamwork, making it clear the employees are part of a “cyber-family.” Beyond following best practices and the organization’s own policies — whether they’re in the office or working remotely — employees contribute by reporting all security-related incidents, even if they only suspect malicious or negligent activity.
In a cybersecurity and data privacy context, incident reporting covers a lot of territory. Incidents include phishy email, wonky browser behavior, website redirects, and sluggish computer performance.
In the 2018 report, 20% of respondents failed to report a mix of possible threats, including some that put privacy at risk. While such failures might be attributed to poor knowledge or training, Bickford said that often, IT teams see low incident reporting because they haven’t mapped reporting processes or designated an IT contact for different departments.
“Someone working in a corporation with tens of thousands of employees probably doesn’t have a clue who to contact about a possible security incident,” he said. But organizations “have to resolve this problem because they need IT to identify, catalog, and date threats.”
Be a Cyber-Hero
Bickford asked attendees, based on their info-sec and IT expertise, to become cyber-heroes in their organizations. “Cyber-heroes set security and privacy standards for employee behavior,” he said.
He also encouraged them to adopt “cyber children” — employees who don’t understand practices that improve security and protect private data and their organization’s reputation.
Launch a Cybersecurity Awareness Program
To start conquering the employee cyber-risk problem, CISOs should adopt or develop a cybersecurity awareness program.
“Make programs fun and interactive to engage users,” Bickford advised. Those that include content that personalizes the experience — scenarios involving security threats targeting children at home, for instance — can be a big eye-opener for employees.
This is the fourth in our series of posts presenting key takeaways from our 2018 CyberCrime Symposium, held November 1-2, 2018. The program — “The Future of Privacy and Security” — featured an incredible line-up of speakers. If you couldn’t get a seat at the event or want a refresher on various sessions, this is a not-to-be-missed series!