Cybersecurity is sounding more and more like the magical mystical snake oil elixir of the new millennium. And, for good reason. Everybody is selling the miracle cure, the one tool that will fix everything, and they are doing so with scare techniques that are making the situation worse by building on the hysteria. It has reached a point where people are losing hope and giving up, and that will not help the problem.
I wrote about this issue in Low Hanging Fruit Can Make a Pretty Good Cybersecurity Pie but it is time for a refresher.
Most Breaches Are Not Super Sophisticated Attacks
The problem is, while many businesses are victimized by the super sophisticated “unprecedented” exotic (real) hacking attacks, they are in the minority. The vast majority of the cybersecurity incidents companies experience are caused by much simpler things like lost USB drives, stolen laptops, or highly effective phishing scams.
The highly respected Online Trust Alliance has been reporting on this for a few years and has found that 91 percent of the data breaches in 2015 were easily preventable, and 90 percent in 2014 were easily preventable, by adhering to commonly accepted best practices for data protection.
Social Engineering is a Huge Problem
One of the most effective “hacking” tools known to mankind is social engineering. There are many definitions for social engineering but mine is simply “using deception to make people do dumb things.” The article referenced here provides many examples of social engineering and, in fact, the FBI has recently warned that the Business Email Compromise, which is based on social engineering, was the #1 threat to businesses in the Dallas – Fort Worth area in early 2016.
In the following video, my friend Jim Roskopf provides a great explanation of one of the ways hackers may execute the Business Email Compromise and he also explains why this issue will not be covered by cyber insurance.
Adhering to Sun Tzu’s advice on cybersecurity, the bad guys are always changing their tactics to use those most appropriate for the season. On the heels of the 2016 tax season, the bad guys have recently been phishing to obtain W-2 information through the business email compromise.
My friend @PogoWasRight manages the excellent site Office of Inadequate Security and has been keeping up with the companies that have recently fallen for this scam. In 24 days of keeping this list, she has found that 90 organizations have had one of these incidents so far, and there are some pretty impressive names on the list!
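The W-2 phishing described above is a good illustration of the “basic principles” worth teaching people: the sender's display name does not match the sender's domain, the Reply-To points somewhere else, the domain is a near-miss of the company's own, and the message pairs urgency with a request for payroll data or a wire transfer. The following is an added example, not code from the original post, that screens an inbound message for those indicators so a mailbox rule or a training exercise can flag it for a human to look at. The company domain (example-corp.com), the executive name, and both sample messages are constructed for the example.

```python
"""
Added example (not from the original post): a small heuristic screen for
business email compromise (BEC) indicators of the W-2 phishing kind.
All domains, names and messages below are constructed for illustration.
"""
import email
from email import policy
from email.utils import parseaddr

TRUSTED_DOMAIN = "example-corp.com"      # assumption: the company's own domain
EXECUTIVES = {"pat jones"}               # assumption: names a fraudster would impersonate

URGENCY_WORDS = ("urgent", "immediately", "asap", "right away", "today")
REQUEST_WORDS = ("w-2", "w2", "wire transfer", "payroll", "bank account")


def levenshtein(a, b):
    """Edit distance between two strings (used to spot lookalike domains)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Return the lower-cased domain part of an address header, or ''."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def is_lookalike(domain, trusted=TRUSTED_DOMAIN):
    """True when the domain is within two edits of the trusted domain but not equal."""
    return domain != trusted and levenshtein(domain, trusted) <= 2


def bec_indicators(raw_message):
    """Return the list of BEC indicators found in a raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_header = msg["From"] or ""
    display_name = parseaddr(from_header)[0].lower()
    from_domain = domain_of(from_header)
    reply_domain = domain_of(msg["Reply-To"]) if msg["Reply-To"] else from_domain

    indicators = []
    if is_lookalike(from_domain):
        indicators.append("lookalike-sender-domain")
    if reply_domain != from_domain:
        indicators.append("reply-to-mismatch")
    if display_name in EXECUTIVES and from_domain != TRUSTED_DOMAIN:
        indicators.append("executive-name-external-address")

    body = msg.get_body(preferencelist=("plain",))
    text = ((msg["Subject"] or "") + " " + (body.get_content() if body else "")).lower()
    if any(w in text for w in URGENCY_WORDS) and any(w in text for w in REQUEST_WORDS):
        indicators.append("urgency-plus-sensitive-request")
    return indicators


def risk_level(indicators):
    """Collapse the indicator list into a simple triage label."""
    if len(indicators) >= 2:
        return "high"
    return "review" if indicators else "low"


# Constructed sample: a W-2 request from a lookalike domain with an off-domain Reply-To.
PHISH = """From: Pat Jones <pat.jones@examp1e-corp.com>
Reply-To: ceo.office@mail-relay.example
To: payroll@example-corp.com
Subject: Urgent: W-2 copies needed today

Can you send me the W-2s for all employees right away? I need them
for a review with the auditors this afternoon.
"""

# Constructed sample: routine internal mail from the real executive address.
LEGIT = """From: Pat Jones <pat.jones@example-corp.com>
To: payroll@example-corp.com
Subject: Quarterly payroll summary

Thanks for the payroll summary, no action needed until next quarter.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        found = bec_indicators(raw)
        print(f"{label}: {risk_level(found)} {found}")
```

The thresholds are deliberately simple: the point is not to replace a mail gateway but to turn the patterns people are taught to notice into something that can be checked consistently and handed to a person for the final decision.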
Teach People to Think
This is a problem — and one that usually isn’t fixed by just installing the latest and greatest device or app but, instead, by educating and training the people in your organization. This requires having appropriate policies and procedures in place that take into account the human element and how bad guys try to exploit the human element.
As Sun Tzu taught, tactics will continue to evolve, which means that you cannot tell people exactly what the bad guys will be doing next year, or even next week. We do not yet know because, as we discover one means of attack, they are already working on another. What we can do, however, is teach people what the bad guys have done before, show them examples of how they have exploited humans before, and then draw from that some basic principles. Then, use those principles to teach them how to think and spot the techniques of the future. Will it work all of the time? Of course not, nothing ever does. But it will help, and it is the kind of low-hanging fruit that your organization can gather up and work with right now, so there is no excuse not to. In fact, since the original posting, @CyberSnort shared with me his excellent site that explains many different kinds of social engineering and offers solutions on how to combat it. Check it out HERE.
So, what is the answer?
The first thing your company can do, today, with no tools, devices, appliances, or gimmicks, is to focus on educating and training its workforce on how to recognize and avoid social engineering.
Thanks to Matt Davis for sending me the following Fortune article on the business email compromise: How this CEO avoided getting conned in a wire transfer scam
Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.