Last week, IBM and The Ponemon Institute released their annual Cost of a Data Breach Report. For the past 15 years, the report has highlighted recurring and emerging factors that contribute to the cost of data data breaches, as well as the root causes of those breaches. One of the key findings in this year’s report is the fact that human factored cyber attacks not only make up a large percentage of the all malicious attacks, but also are incredibly costly to businesses that suffered breaches. This only confirms the importance of cyber awareness training for employees to limit the risk of a human factored attack.
There are many different causes of a data breach, some of which are merely accidental. However, according to this year’s report, malicious attacks now make up 52% of all breaches. This didn’t used to be the case. In fact, malicious attacks have seen a 24% growth rate in just six years. Malicious attacks are also the most expensive, costing businesses an average of $4.27 million. That’s nearly $1 million more than all other causes of a breach.
Given the frequency and cost of malicious attacks, it’s important to look closer at the different threats that account for the rise in malicious attacks — and the data is surprising. While expected threats such as system vulnerabilities and malicious insiders are certainly present, human factored cyber attacks take up a large chunk of all malicious attacks. Threats ranging from phishing attacks, to business email compromise, to social engineering and cloud misconfigurations are all rooted in human rather than technical vulnerability, and account for 41% of all malicious attacks leading to data breaches. Indeed this report correlates with what was presented in the Verizion 2020 Data Breach Investigations Report.
Human factored cyber attacks aren’t something you can protect yourself against strictly through technically safeguards. Instead protecting against these vulnerability requires working with employees, establish proper quality control protocols, ensuring your have the right expertise on your team and using cyber awareness training to help build safer online habits.
As a Fortune 100 CISO once told me, “at the end of the day, every cyber incident starts with someone making a decision.”
When it comes to cybersecurity practices, there is an overwhelming amount of options available today, which can make it hard for businesses to figure out what they need. It’s easy to think you need newest and most expensive cybersecurity technology with all the bells and whistles to be protected. But the truth is that every business will have different needs and will need to develop cybersecurity practices that suit their specific business goals and strategies. If you don’t align your cybersecurity with your business objectives, chances are all your fancy security practices will end up hindering your business. There are, however, a number of critical cybersecurity practices that every business should consider. Each of these practices are all easy to implement and will leave your business a lot more secure:
One of the most critical cybersecurity practices is also the simplest: updating your applications and operating systems. Software updates aren’t just about adding new features, but in most cases also includes security improvements and patches to any known vulnerabilities. And while it can be tempting to put off updating your applications for another day, it is very important to install these updates as soon as you can. Hackers are constantly looking through popular applications for potential vulnerabilities, so keeping your systems up to date will help ensure the bad guys can’t exploit any weaknesses in the outdated version.
2. Access Control
Another vital component to any cybersecurity policy is controlling access to your networks, systems and data. This includes limiting employee access to areas of your system that aren’t relevant to their work. You also need to ensure that your employees are using passwords that meet certain length and complexity requirements, as well as using multi-factor authentication for all remote logins. This is especially important now that many employees are working from home.
3. Lockdown Mobile and Remote Devices
Whether employees are using company-issued or personal devices, it is important to ensure certain security settings are in place if those devices are used to access your network remotely. This includes ensuring that all devices are using a virtual private network (VPN) to keep internet data anonymous, and malware scanners to detect infected devices. Another big risk with mobile and remote devices is that potential for them to be lost or stolen. It’s therefore important to make sure your devices are encrypted and that you have a system in place that allows you to delete the data from any remote device if it goes missing. This will keep the anyone who finds the device from access any sensitive data it might contain.
4. Back up and Recovery Tests
It is also critical to keep regular backups are your most important networks and most sensitive data. This is especially important to protect yourself against ransomware attacks, where hackers lock you out of your own system. Having a backup may prevent you from having to pay to get your data back. However, it’s not enough to just keep backups, but to regularly test your recovery process. Backups will sometimes be corrupted and If you make a mistake or your backup settings are misconfigured, it’s possible you won’t be able to fully recover your data. Testing your backups regularly will ensure you can get your data back if sometime bad happens.
5. Firewall Configuration
Firewalls are essential for monitoring incoming and outgoing network traffic, and blocking any traffic that doesn’t meet your security standards. It’s often considered your first line of defense, so should be set up with care. The specific configurations you need depends on a number of factors, but overall you should make sure you don’t have any unnecessary open ports and ensure that traffic coming and going from the most critical and sensitive areas of your network have stricter traffic limitations. It’s also very important to change any default account and passwords that come with the firewall. Hackers can cause a lot of damage if they gain administrative access to your firewall, so you want to keep access to it as secure as possible.
6. Security Awareness Training
Last but definitely not least, it is critical that your employees receive security awareness training. Phishing and other social engineering attacks are now the number one cause of data breaches, meaning your employees are your frontline defense against cyber attacks. If your employees don’t know how to spot phish or business email compromise attempts, you leave your system dangerously vulnerable to attack. Simply put, by giving your employees the tools to develop safe online habits, you dramatically increase the security of your organizations.
The 2013 Target breach served as a wake up call for many businesses about the importance of proper cybersecurity practices. Since then, organizations have devoted a lot of time and resources into putting security controls and trainings in the place to better protect their data. Yet, one piece that is often overlooked is vendor management. In fact, the Target breach occurred when the credentials of an HVAC vendor were stolen and used to gain access to Target’s network. Traditionally, vendor management involves creating a security agreement and routinely accessing vendors’ security practices, but doesn’t always include cyber awareness training. However, given that credentials are regularly stolen through social engineering tactics, organizations need to start focusing on training their critical vendors to be more cyber aware.
With the effort often involved in implementing training programs for employees, it may seem daunting to also train vendors. However, since vendors usually have limited access and have very specific roles, vendor cyber awareness programs should be customized to the role they play within your organization. While you should ensure that the Vendor does have a comprehensive awareness program for all employees, you should consider adding your own training to those individuals who are touching your account — including their accounts payable or receivable units — and tailor the training to the specific risks they present.
Take the Target breach as an example. Hackers gained access to the Target network through credentials to a vendor portal. In order to help prevent the breach, Target could have taken the following steps: first, require strong authentication, including multi-factor authentication, to access the Target system; second, receive verification that the vendor has a training program in place for all employees; third, identify the individuals within the vendor’s organization that need to access it’s system; finally, provide those individuals adequate, role-based training on topics like password strength, business email compromise, and phishing.
The importance of ensuring your vendors are cyber aware cannot be overstated, and should even be a requirement before entering into any agreement. While this training doesn’t need to be as extensive as it is for your employees, it should be focused on the individuals with access, and the role those individuals play within your organizations. Anything less than that could leave you vulnerable to unauthorized access.
When it comes to cybersecurity, our minds usually jump to complicated technical protections that only your IT department understands. And while these safeguards are certainly important, the truth is hackers are increasingly focusing on social engineering attacks to get into our networks. In fact, phishing attacks are now the number one cause of successful data breaches. Employees are therefore often the first line of defense against cyber attacks. That’s why more and more cybersecurity experts are emphasizing the importance of security training for employees. Business owners need to feel confident that their employees are developing online behaviors that keep the organization secure. The problem, however, is that traditional training programs aren’t always successful in achieving these behavior changes. This is, in part, because training programs too often use “gotcha!” methods when employees make a mistake, which only discourages employees instead of motivating them. Organizations should therefore focus on programs that use positive reinforcement in security training.
One popular form of cybersecurity training is phish simulation programs, where employees are spent emails designed to look like popular phishing scams. The problem, however, is that these programs always always rely on the gotcha method. When an employee clicks on a link in a fake phishing email, typically they will see a screen telling them they got caught and are then instructed to watch an informative video. The problem is that this approach causes the employee to associate negative emotions with the training and therefore reduces the likelihood of sustained behavior change. Simply put, this type of training creates a punitive environment that discourages the individual but doesn’t create meaningful change.
Instead, one study has shown that using positive reinforcement in security training actually produces safer, longer lasting online habits. Instead of punishing bad behavior, it’s actually more effective to focus on rewarding behavior you want to see, such as reporting phish: “By focusing on helping people feel successful, the campaign produced a positive result: a 30% reduction in overall phish susceptibility, and for individuals who had already been identified as habitual “phish clickers”, a reduction from 35% susceptivity to 0%.”
The key is the associate positive behaviors with positive feelings. It’s a small thing, but the impact could help businesses save a lot of time and money down the road.
Given that phishing attacks are now the #1 cause of successful data breaches, it’s no surprise that many individuals and organizations are looking for tools to help them get better at spotting phish. The problem, however, is that most of the available education tools reply on “passive” training material: infographics, videos, and sample phish. While this educational tools might teach you a few facts and figures, they don’t always lead to a long term change in how users respond to phish. Instead, educators should be looking for new tools and methods that change the very way we look at our emails. You know the phrase “Give someone a fish, feed him for a day. Teach someone to fish, feed him for a lifetime”? Well, the same is true for phish too.
The idea is simple: Instead of just looking at examples of phish, by engaging in the process of creating a phish you will internalize the tactics and tricks scammers in real life and will be better able to spot them.
There is actually a method that has been proven to work in similar settings, such as recognizing propaganda and misinformation. It’s called inoculation theory. The idea is similar to how vaccines work: by exposing people to small doses of something more dangerous, and by actively engaging them in the process, they can better defend themselves against the real thing in the future. Cambridge University used this theory to create an online game that asks users to create their own fake news.
In a similar way, teaching someone how to make phish creates an engaging way for users to understand how actual phishers think and what tactics they use to trick people. We believe this form of training has the potential to be far more successful in help users create long lasting change and help them stay safer online.
When you want to form a new habit or learn something new, you may think the best way to start is to dedicate as much time and energy as you can to it. If you want a learn new language, for example, you may think that spending a couple of hours every day doing vocab drills will help you learn faster. Well, according to behavioral scientist BJ Fogg, you might be taking the wrong approach. Instead, it’s better to focus on what Fogg calls tiny habits: small, easy to accomplish actions that keep you engaged without overwhelming you.
Sure, if you study Spanish for three hours a day you may learn at a fast rate. The problem, however, is that too often we try to do too much too soon. By setting unrealistic goals or expecting too much from ourselves, new habits can be hard to maintain. Instead, if you only spend five minutes a day, chances are you will be able to sustain and grow the habit over a longer period of time and have a better chance of retaining what you’ve learned.
The Keys To Success
According to Fogg, in order to create lasting behavior change, three elements come together at the same moment need to come together:
Motivation: You have to want to make a change.
Ability: The new habit has to be achievable.
Prompt: There needs to be some notification or reminder that tells you its time to do the behavior.
Creating and sustaining new habits requires all three of these elements to be successful — with any element missing, your new behavior won’t occur. For example, if you want go for a 5 mile run, you’re going to need a lot of motivation to do it. But if you set smaller, easy to achieve goals — like running for 5 minutes — you only need a littlemotivation to do the new behavior.
The other key factor is to help yourself feel successful. Spending 2 minutes reviewing Spanish tenses may not feel like a big accomplishment, but by celebrating every little win you will reinforce your motivation to continue.
The Future of Cyber Awareness
Tiny habits can not only help people learn a new language or start flossing, it can also play an important role in forming safer, more conscious online practices. Our cyber awareness training program, The PhishMarket™, is designed with these exact principles in mind. The program combines two elements, both based on Fogg’s model:
Phish Simulations: Using phish simulations help expose people to different forms of phish attacks, and motivates them to be more alert when looking at their inbox. While most programs scold or punish users who fall for a phish, The PhishMarket™ instead uses positive reinforcement to encourage users to keep going.
Micro-Lessons: Unlike most training programs that just send you informative videos and infographics, The PhishMarket™ exclusively uses short, interactive lessons that engage users and encourage them to participate and discuss what they’ve learned. By keeping the lessons short, users only need to dedicate a few minutes a day and aren’t inundated with a barrage of information all at once.
Creating smart and safe online habits is vital to our world today. But traditional training techniques are too often boring, inconsistent, and end up feeling like a chore. Instead, we believe the best way to help people make meaningful changes in their online behavior is to focus on the small things. By leveraging Fogg’s tiny habits model, The PhishMarket™ has successfully helped users feel more confident in their ability to spot phish and disinformation.