October is National Cyber Security Awareness Month. This week’s theme is “Recognizing and Combatting Cybercrime,” so we’ll be looking at the critical steps organizations can and should take to ensure they can maintain cyber security.
In the digital world, cybercrime takes many forms.
Depending on your business, you may be targeted for any of a number of reasons. Cyber criminals may target you for financial gain, hoping to entice you to execute a fraudulent transaction.
Or maybe your company handles large amounts of personally identifiable information, which is quite valuable in the criminal world. You might even have competitors attempting to conduct corporate espionage to obtain intellectual property, not to mention politically motivated groups looking to disrupt business.
Regardless of the motivation, cyber crime is serious business and demands the attention and focus of leaders and employees throughout the business. High levels of awareness are necessary to successfully identify and combat attempts to hack your organization.
Why Leaders and Employees Alike Are Cyber Crime Targets
In most cases, words like the ones in the previous paragraph receive a hearty “Harrumph!” from senior leaders. They’ll summon the CIO or CISO, ask about current threats and the technical protections in place to address them, then send them off to continue their good work and say, “And don’t forget to train the staff.”
Sounds good, right? Well, not so fast.
One of the biggest mistakes leaders make is assuming that the rank and file, the people on the front lines getting the work done, are the ones who create the biggest exposure to an organization’s security.
After all, they’re the ones executing business transactions, the ones who spend most of their day sitting in front of a computer “getting things done.”
But here’s the rub: cyber criminals are pretty darn smart. Sure, they know that “Lunchtime Larry” might do some web surfing over his lunch hour and visit a tantalizingly named site (teeming with malware). They also know that “Helpful Henry” might be willing to disclose information to a “customer” or “technician” ostensibly trying to solve a technical problem. He may even share a password or allow that “technician” to remotely take over his computer, without realizing that person is an impostor trying to weasel information out of him.
But hackers also know that executives (and their administrative support staff) are very busy, and may sometimes take at face value an innocent-looking email from what appears to be a known colleague or customer. People click links and execute financial transactions only to find out that the email, appearing to be from someone they know and trust, was actually spoofed.
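As an added illustration, not part of the original post: the spoofing signals a busy executive or assistant is unlikely to notice are easy to check mechanically from the message headers. The Python below flags a display name that matches a known colleague but carries a foreign address, a lookalike sender domain, a Reply-To that points somewhere other than the From domain, and a failed DMARC result. The organization domain `example.com`, the colleague directory, the confusable-character list and both sample header sets are constructed for this example.

```python
"""Flag sender-spoofing signals in raw email headers (illustrative example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: the organization's own domain and a tiny
# directory of known colleagues keyed by lower-cased display name.
ORG_DOMAIN = "example.com"
DIRECTORY = {
    "jane doe": "jane.doe@example.com",
}

# Substitutions commonly used to build lookalike domains (assumed list).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l"))


def normalize(domain: str) -> str:
    """Collapse common confusable spellings so lookalikes compare equal."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def spoof_signals(raw_headers: str) -> list:
    """Return human-readable warnings for the header block given."""
    msg = message_from_string(raw_headers)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    signals = []

    # 1. Trusted name on the envelope, but not the address we know for it.
    known = DIRECTORY.get(name.strip().lower())
    if known and addr.lower() != known:
        signals.append(f"name-mismatch: '{name}' is known as {known}, not {addr}")

    # 2. Sender domain is not ours but looks like ours once confusables collapse.
    if from_domain != ORG_DOMAIN and normalize(from_domain) == normalize(ORG_DOMAIN):
        signals.append(f"lookalike-domain: {from_domain} resembles {ORG_DOMAIN}")

    # 3. Replies would go somewhere other than the apparent sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_domain:
        signals.append(f"reply-to-mismatch: {domain_of(reply)} != {from_domain}")

    # 4. The receiving mail server recorded a DMARC failure.
    m = re.search(r"dmarc=(\w+)", msg.get("Authentication-Results", ""))
    if m and m.group(1).lower() != "pass":
        signals.append(f"dmarc-{m.group(1).lower()}")

    return signals


# Constructed sample headers: a wire-fraud attempt and a genuine message.
SUSPICIOUS = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: finance-desk@mail-relay.net
To: ceo@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dmarc=fail header.from=examp1e.com
"""

LEGITIMATE = """From: Jane Doe <jane.doe@example.com>
To: ceo@example.com
Subject: Q3 numbers
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dmarc=pass header.from=example.com
"""

if __name__ == "__main__":
    for label, headers in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, spoof_signals(headers))
```

None of these checks is proof of fraud on its own (a colleague mailing from a personal account trips the first one), which is exactly why the awareness message in this post matters: the tooling raises the flag, but a person still has to pause and verify the request out of band before moving money.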
Instill a Culture of Cyber Security Awareness to Spot and Fight Cyber Criminals
Here’s the important thing to remember for recognizing and combatting cybercrime: AWARENESS, AWARENESS, AWARENESS – at all levels of the organization.
As I explained above, cybercrooks looking to get their hands on your valuable, sensitive data will target any and all members of your organization. While a mid-level manager might be the victim of sophisticated social engineering, the CEO could fall prey to garden-variety phishing emails.
Traditional protections are obviously a necessary and critical element of an organization’s security posture. But don’t make the mistake of thinking that it’s enough.
Every organization should devote time and resources to provide timely, practical and realistic training to their staff…the entire staff.
That doesn’t mean an annual certification that you’ve read the company’s information security policy.
It means regular outreach and messaging to employees – making data security part of the routine. It means periodic testing to ensure the principles are understood and applied. It means fostering a culture where security isn’t an afterthought, but something that’s ingrained and recognized as critical across every function and layer of leadership throughout the company.
Cybersecurity is something senior leaders should talk about and emphasize. That’s a strong force for cultural awareness.
A wise chief information security officer (CISO) I once worked for told me that if he had only $1 in his budget for security, he would use it on awareness. He said:
The first, best, and most critical line of defense for any company is a well-informed staff that can recognize threats, and knows what to do when they see them.
Those words are as true today as when I first heard them. You only have to look as far as Target’s 2013 breach to see what happens when data security alarm bells go ignored.
Keep Up with NCSAM Coverage for More Cyber Security Best Practices & Ideas
- Learn more about NCSAM
- Use our NCSAM tag to find all of our articles
- Join the conversation on Twitter: #CyberAware
About the Author: Don Nelson
Don is a principal with Infinitive Insight, the enterprise risk management practice at Infinitive. He has 35 years’ experience in data and information security.