It’s only been in recent years that businesses have come to realize the true ramifications of a data breach; it’s not just about the fines, reputational damage impacts both customer and suppliers, and there is a myriad of other costs which are incurred as well as disruption across the organization. According to CyberTalk.org, the average cost of a web-based cyber attack is $1.4 million, so organizations are sitting up and taking note of the need to protect sensitive information, rather than just thinking about it.
Paramount to the protection of critical data is having a workforce that is cyber threat-aware and trained to mitigate data breach risks. While many organizations see this as educating employees on the workings of cybercriminals, they often skip over a vital first step – internal data protection processes.
This, in turn, begs the question; what should organizations be doing (from the C-suite level down) to help improve their cybersecurity posture from within?
The Rules of Engagement
As a starting point, employers need to work to create an environment that supports the honest reporting of cyber threats and incidents. A ‘shoot the messenger’ approach will not help the cause! Adopting a supportive breach-reporting environment is crucial in order to rely upon staff to follow internal breach notification processes, so any incident can be actioned and resolved quickly.
Without a supportive environment, when a data breach occurs due to an honest mistake, employees will be reluctant to blow the whistle on themselves, instead possibly hiding the issue whilst they attempt to rectify their mistake before anyone else notices, or worse still, do nothing at all. Add to this, those who unknowingly facilitate an attack (be it through clicking a link in a phishing email, malicious social media post or accessing their personal email and downloading a malware-ridden document), are also usually reluctant to raise the alarm in fear of punishment.
This is arguably one of the most common – and indeed, problematic – issues surrounding security incident and data breach mitigation. As any cybersecurity specialist can testify; the longer it takes to identify the root cause of the problem, the more damage that threat can do. Time is of the essence and if an employee is unwilling to come forward until the threat is discovered by someone else, significant damage may have already been done. Malware can spread through a network in a matter of minutes, and heavy fines can be imposed for data leaks, so every second counts.
As part of internal security awareness training programs, organizations must reassure employees that they will not face consequences for reporting accidental link clicks or data loss. While the workforce must be held to operate to a standard of behavior, organizations need to make sure that there is a priority on encouraging employees to come forward quickly if they think there is an issue, allowing the IT security department to address the breach as quickly as possible.
Training Programs Must Evolve
While training the workforce will ensure a higher standard of security posture, keep in mind that defenses will inevitably degrade over time. This will be as a result of changes in business processes, evolving cyber-attacks, and in part due to human nature. Workers will often download unsecured applications or find workarounds to policies, therefore negating the effectiveness of layered network security.
As part of an ongoing cybersecurity training program, organizations must remember that anything from changes in data storage practices, to new protocols on data sharing, or new technologies being introduced into the workplace should be accompanied with additional security training for staff on how these changes may present new security risks, as well as what they can do to mitigate them.
For all these reasons, it is essential that organizations recognize that effective cybersecurity training is a continuous process and security practices should be supported by technologies that can act as a safety net. Technology is effectively a last line of defense which enforces policies and processes and ultimately helps to keep the organization, its information and its people safe.
Leverage ‘Safety Net’ Technology
Reassuringly, a 2022 study conducted by ThriveDX that surveyed 1900+ CISOs, security leaders, and IT professionals, a total of 97% of organizations reported implementing some type of cybersecurity awareness training measures over the past year, with most now using a combination of both phishing simulations and security awareness training. With daily data breaches and cyber attacks continuously dominating headlines, there's an imminent need for a cyber threat-educated workforce.
But a truly strong cyber-defense policy should discern which of an employee’s tasks or activities are most likely to result in a data breach and incorporate tiered security to address it. If the main business collaboration channel for sharing sensitive information is through email, deploying a comprehensive email security solution that automates and enforces best-practice security and data protection processes is crucial. In the aforementioned survey, just 42% reported involving their employees in security detection with the use of such measures as a Phishing Incident Button. Luckily, Fortra's Advanced Email Security solution has just that with Security Awareness Training and its interoperability with PhishLabs' Suspicious Email Analysis.
In addition to Fortra's other solutions, Clearswift's Data Loss Prevention (DLP) functionality and encryption enables the secure sharing of information, without hindering communication flow. Features such as Adaptive Redaction can be used to protect against threats such as ransomware from embedded malware in attachments, as well as unwanted data acquisition (essential in a world with GDPR and shared responsibility) and sensitive data loss. Combined with a secure web gateway, damaging links (URLs) in emails and documents can be neutralized, while the same adaptive DLP functionality can be used to protect information being uploaded to, or downloaded from, cloud collaboration applications.
Employees may be one of the greatest threats to an organization, but if trained correctly, the workforce can also be its greatest defense: a cohort of threat-aware defenders against both cyber-attacks, and data breaches from within.