It’s only in recent years that businesses have come to realize the true ramifications of a data breach: it’s not just about the fines. Reputational damage affects both customers and suppliers, and a myriad of other costs are incurred alongside disruption across the organization. Today, the average cyber-attack costs over $1 million, so organizations are sitting up and taking note of the need to protect sensitive information, rather than just thinking about it.
Paramount to the protection of critical data is having a workforce that is cyber threat aware and trained to mitigate data breach risks. While many organizations see this as educating employees on the workings of cybercriminals, they often skip over a vital first step – internal data protection processes.
This, in turn, raises the question: what should organizations be doing (from Board level down) to improve their cybersecurity posture from within?
The Rules of Engagement
As a starting point, employers need to work to create an environment that supports the honest reporting of cyber threats and incidents. A ‘shoot the messenger’ approach will not help the cause! Adopting a supportive breach-reporting environment is crucial in order to rely upon staff to follow internal breach notification processes, so any incident can be actioned and resolved quickly.
Without a supportive environment, when a data breach occurs due to an honest mistake, employees will be reluctant to blow the whistle on themselves. Instead they may hide the issue whilst they attempt to rectify their mistake before anyone else notices or, worse still, do nothing at all. Added to this, those who unknowingly facilitate an attack (be it through clicking a link in a phishing email or malicious social media post, or accessing their personal email and downloading a malware-ridden document) are also usually reluctant to raise the alarm for fear of punishment.
This is arguably one of the most common – and indeed, problematic – issues surrounding security incident and data breach mitigation. As any cybersecurity specialist can testify, the longer it takes to identify the root cause of the problem, the more damage that threat can do. Time is of the essence, and if an employee is unwilling to come forward until the threat is discovered by someone else, significant damage may already have been done. Malware can spread through a network in a matter of minutes, and heavy fines can be imposed for data leaks, so every second counts.
As part of internal cyber training and awareness programs, organizations must reassure employees that they will not face consequences for reporting accidental link clicks or data loss. While the workforce must be held to operate to a standard of behavior, organizations need to make sure that there is a priority on encouraging employees to come forward quickly if they think there is an issue, allowing the IT security department to address the breach as quickly as possible.
Training Programs Must Continuously Evolve
Whilst training the workforce will ensure a higher standard of security posture, keep in mind that, over time, defenses will degrade. This is a result of changes in business processes, evolving cyber-attacks, and in part human nature. Workers will often download unsecured applications or find workarounds to policies, negating the effectiveness of layered network security.
As part of an ongoing cybersecurity training program, organizations must remember that anything from changes in data storage practices, to new protocols on data sharing, to new technologies being introduced into the workplace should be accompanied by additional security training for staff on how these changes may present new security risks, as well as what they can do to mitigate them.
For all these reasons, it is essential that organizations recognize that effective cybersecurity training is a continuous process and security practices should be supported by technologies that can act as a safety net. Technology is effectively a last line of defense which enforces policies and processes and ultimately helps to keep the organization, its information and its people safe.
Leverage Technology as a ‘Safety Net’
Staggeringly, although 43% of businesses experienced a cybersecurity breach in the last 12 months, only 27% have trained their workforce to adapt to this new type of threat. Clearly, the need for a cyber-threat-educated workforce is greater than ever, although businesses must remember that this is only one facet of a strong cyber defense.
A truly strong cyber defense policy should discern which of an employee’s tasks or activities are most likely to result in a data breach and incorporate tiered security to address them. If the main business collaboration channel for sharing sensitive information is email, an email security solution should be deployed that incorporates functionality to automate and enforce best-practice security and data protection processes.
In conjunction with standard malware scanning, advanced security products provide Data Loss Prevention (DLP) functionality and encryption to enable the secure sharing of information without hindering communication flow. Features such as Adaptive Redaction can be used to protect against threats such as ransomware delivered through malware embedded in attachments, as well as unwanted data acquisition (essential in a world with GDPR and shared responsibility) and sensitive data loss. Combined with a secure web gateway, damaging links (URLs) in emails and documents can be neutralized, while the same adaptive DLP functionality can be used to protect information being uploaded to, or downloaded from, cloud collaboration applications.
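To make the "safety net" concrete, here is an added example (not code from the article or from any vendor product it alludes to) of the two controls described above, applied to an outbound email: adaptive redaction of sensitive data and rewriting of links so a gateway can inspect them at click time. The two messages, the addresses and the gateway URL are constructed for the demonstration; the card number is the well-known 4111 test number, and the Luhn check is what keeps phone numbers and order ids from being redacted by mistake.

```python
import re
from email import message_from_string
from email.policy import default as default_policy
from urllib.parse import quote

# Constructed sample messages (fictional addresses, a public test card number).
MESSAGE_WITH_PAN = """\
From: alice@example.com
To: partner@example.net
Subject: Deposit details

Hi,
The card on file for the deposit is 4111 1111 1111 1111, expiry 09/27.
Draft deck: http://files.example.org/q3-deck.pptx
Thanks
"""

MESSAGE_CLEAN = """\
From: alice@example.com
To: partner@example.net
Subject: Lunch

Still on for 12:30 on Thursday? Call me on 01632 960123 if not.
"""

# Hypothetical click-time scanning endpoint of a secure web gateway.
GATEWAY_PREFIX = "https://swg.example/scan?u="

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn check used to separate real card numbers from other digit runs."""
    if not digits.isdigit() or not 13 <= len(digits) <= 16:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact_card_numbers(text: str) -> tuple[str, int]:
    """Replace Luhn-valid card numbers with a masked token; leave everything else."""
    count = 0

    def repl(m):
        nonlocal count
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)          # phone numbers, order ids etc. pass through
        count += 1
        return f"[REDACTED PAN ****{digits[-4:]}]"

    return CARD_RE.sub(repl, text), count


def rewrite_urls(text: str) -> tuple[str, int]:
    """Point every link at the gateway so it is inspected when clicked."""
    count = 0

    def repl(m):
        nonlocal count
        count += 1
        return GATEWAY_PREFIX + quote(m.group(0), safe="")

    return URL_RE.sub(repl, text), count


def inspect_outbound(raw_message: str) -> dict:
    """Apply redaction and URL rewriting to a single-part text/plain message."""
    msg = message_from_string(raw_message, policy=default_policy)
    body = msg.get_content()           # assumption: no attachments or HTML parts
    body, pans = redact_card_numbers(body)
    body, urls = rewrite_urls(body)
    return {
        "subject": msg["Subject"],
        "pans_redacted": pans,
        "urls_rewritten": urls,
        # Only messages that needed a change are modified; clean mail flows untouched.
        "action": "deliver-modified" if (pans or urls) else "deliver",
        "body": body,
    }


if __name__ == "__main__":
    for raw in (MESSAGE_WITH_PAN, MESSAGE_CLEAN):
        r = inspect_outbound(raw)
        print(f"{r['subject']}: {r['action']} "
              f"(PANs {r['pans_redacted']}, URLs {r['urls_rewritten']})")
        print(r["body"])
```

The point of the "adaptive" part is the second message: it contains digit runs and is delivered unchanged, so the control protects data without blocking ordinary communication, which is exactly what keeps staff from working around it.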
Employees may be one of the greatest threats to an organization, but if trained correctly, the workforce can also be its greatest defense: a cohort of threat-aware defenders against both cyber-attacks and data breaches from within.