The results of a recent MediaPro Privacy and Security Awareness Survey were shocking: outstanding cyber security infrastructure can’t stop hackers who prey on unaware non-IT employees, according to MediaPro’s content manager Jeremy Schwartz.
Twenty percent of participants exhibited behaviors that left their company vulnerable to attack, he wrote in “Report: 7 in 10 Employees Struggle With Cyber Awareness.” Risky behaviors included connecting to public Wi-Fi hotspots, allowing people without proper ID into the building, and risky media activity.
We live in an advanced era. The business world is adopting new connected Internet of Things (IoT) technologies. IoT devices include any type of connected device, such as Bluetooth fitness bands, personal assistants like Amazon Echo, connected thermostats, smart TVs, and even smart light bulbs.
Corporations are also now promoting goods and services across multiple internet channels and social media networks. Business professionals should take the topic seriously because these marketing avenues and connected devices present new security issues that can easily be exploited by hackers unless steps are taken to strengthen cyber security.
Cyber Criminals Hone In On The Weakest Links
Businesses and corporations of all sizes are beginning to push cyber security to the foreground, but many companies still tend to treat the subject like an afterthought.
The National Center for the Middle Market’s 2017 Cyber Security Report, “Cybersecurity and the Middle Market,” shows that 44 percent of companies surveyed do not see cybersecurity as “very important” for their company, while 55 percent admit they either do not have a defined cyber security strategy or the plan they do have is not up to date.
The survey showed companies in financial services were most likely to view cyber security as “extremely important,” healthcare and other services are still behind despite the sensitive data these organizations warehouse about clients and patients.
According to DirectionsTraining.com’s blog post, “Keep Company Data Safe With End User Cybersecurity Training,” the primary threats come from deficiencies in these areas:
- Weak passwords
- Social engineering (manipulating employees to divulge confidential information)
- End-users’ (non-technical employees’) knowledge of cyber issues
- Risky digital communications
- Malware awareness and detection
- Mobile devices
- Cloud service usage
Employees who use the word “password” as their password on company devices can put company data in grave danger. Connecting their work computers to public Wi-Fi hotspots or using “free” USB thumb drives are also threats that no amount of technology can cure. Cyber security training is the only way to avoid such pitfalls.
Cyber Security Depends On Awareness
The 1990s stereotypical hacker sitting in a bunker somewhere hacking into remote businesses and organizations all over the globe no longer exists. Improvements in cyber security have forced hackers to target unsuspecting employees in an attempt to gain physical access to sensitive networks.
Because cyber security evolves constantly, IT solutions by themselves will never be enough to secure a business indefinitely. A patient hacker only needs to succeed one time, whereas a cyber security team needs to succeed constantly against a barrage of attacks.
“The danger is in thinking that these risks can be perfectly ‘managed’ through some sort of comprehensive defense system,” cyber security authorities Dante Disparte and Chris Furlow explain in their Harvard Business Review article, “The Best Cybersecurity Investment You Can Make Is Better Training.”
Assume your defenses will be breached and train your people to handle the situation, they advise. Think of the approach as “risk agility” rather than risk management.
“The agile enterprise equips all organizational layers with decision guideposts and boundaries to set thresholds of risk tolerance,” they maintain. “All employees should not only understand what is expected of them regarding company policy and online behavior but also be trained to recognize nefarious or suspicious activity.”
During cyber security training, participants fall into three areas based on their risk levels; Risk, Novice, or Hero. Employers must take into account some employees will do better than others, however, an untrained end user can pose a much greater threat.
“Organizations should focus on rewarding good security behavior and having strategies in place to address behavior that requires improvement,” security analyst Maxine Holt says in her article, “Security Think Tank: Cyber Security Is Everyone’s Responsibility” in Computer Weekly.
“Leading organizations recognize that a network of trained information security champions from within the business can play a vital role in introducing and embedding positive information security behaviors.”
The use of trained information security champions at all levels can help bridge the gap between security personnel and the rest of the company. “Champion” level users will also stand out in strong contrast against the risky end-users who need further training, disciplinary action, or both.
The assistance of peers, however, does not solve the problem entirely. Even champion end users need to stay current with their training. The National Institute of Standards and Technology (NIST) Cybersecurity Framework describes all of the necessary elements for company-wide cyber-awareness training:
- Identify the organization’s most sensitive data assets.
- Assess the protective measures that must be in place to protect those assets.
- Install a system for detecting threats and alerting security personnel of suspicious activity. (non-technical employees’) knowledge of cyber issues
- Institute an incident response plan for when attacks do take place and practice it regularly.
- Discuss how the business will recover itself following a security breech.
We now live in a world where ever-evolving cyber security is a priority. Right now, the weakest link in the chain is the end user with little to no cyber security awareness, however, security strategies and employee training programs can change that.
Ohio University’s Master Of Business Administration Degree
Cyber security is an increasingly important priority for today’s corporations. MBA graduates who understand the gravity of managing a strong cyber defense will prove to be invaluable to their future employers.
Nationally recognized by US News & World Report as a “Best Online MBA” program, Ohio University’s online MBA degree program takes advantage of the latest in online classroom technology to bring students an engaging and academically rigorous experience that can benefit them throughout their careers.
The Ohio University online MBA program offers concentrations in finance, health care, executive management, and business analytics. To learn more visit Ohio University’s Online MBA program website today.
Media Pro.com, “Report: 7 in 10 Employees Struggle with Cyber Awareness”
National Center for The Middle Market, “Cybersecurity Research Report”
Directions Training.com, “End User Cybersecurity Training”
Harvard Business Review, “The best cybersecurity investment you can make is better training”
Computer Weekly, “Security Think Tank: Cyber Security is Everyone’s Responsibility”
Stay Sage Online, ” National Cyber Security Alliance Launches Program to Build a Strong Culture of Cybersecurity at Work”