Cybersecurity is sounding more and more like the magical mystical snake oil elixir of the new millennium. And, for good reason. Everybody is selling the miracle cure, the one tool that will fix everything, and they are doing so with scare techniques that are starting to make the situation worse by building on the hysteria. It has reached a point where people are losing hope and giving up, and that will not help the problem. I wrote about this issue in Low Hanging Fruit Can Make a Pretty Good Cybersecurity Pie, but it is time for a refresher.
Most Breaches Are Not Super Sophisticated Attacks
The problem is that, while many businesses are victimized by the super sophisticated, “unprecedented,” exotic (real) hacking attacks, those businesses are in the minority. The vast majority of the cybersecurity incidents companies experience are caused by much simpler things like lost USB drives, stolen laptops, or highly effective phishing scams.
The highly respected Online Trust Alliance has been reporting on this for a few years and has found that 91 percent of the data breaches in 2015 were easily preventable and 90 percent in 2014 were easily preventable by adhering to commonly accepted best practices for data protection.
Social Engineering is a Huge Problem
One of the most effective “hacking” tools known to mankind is social engineering. There are many definitions for social engineering but mine is simply “using deception to make people do dumb things.” The article referenced here provides many examples of social engineering and, in fact, the FBI has recently warned that the Business Email Compromise, which is based on social engineering, was the #1 threat to businesses in the Dallas – Fort Worth area in early 2016.
In the following video, my friend Jim Roskopf provides a great explanation of one of the ways hackers may execute the Business Email Compromise and he also explains why this issue will not be covered by cyber insurance.
Adhering to Sun Tzu’s advice on cybersecurity, the bad guys are always changing their tactics to use those most appropriate for the season. On the heels of the 2016 tax season, the bad guys have recently been phishing to obtain W-2 information through the business email compromise.
My friend @PogoWasRight manages the excellent site Office of Inadequate Security and has been keeping up with the companies that have recently fallen for this scam. In 24 days of keeping this list, she has found that 90 organizations have had one of these incidents so far, and there are some pretty impressive names on the list!
Teach People to Think
This is a problem — and one that usually isn’t fixed by just installing the latest and greatest device or app but, instead, by educating and training the people in your organization. How do you do that? See THE ANSWER below.
As Sun Tzu taught, tactics will continue to evolve, which means that you cannot tell people exactly what the bad guys will be doing next year, or even next week. We do not yet know because, as we discover one means of attack, they are already working on another. What we can do, however, is teach people what the bad guys have done before, show them examples of how they have exploited humans before, and then draw from that some basic principles. Then, use those principles to teach them how to think and spot the techniques of the future. Will it work all of the time? Of course not; nothing ever does. But it will help, and it is the kind of low-hanging fruit that your organization can gather up and work with right now, so there is no excuse not to. In fact, since the original posting, @CyberSnort shared with me his excellent site that explains many different kinds of social engineering and offers solutions on how to combat it. Check it out HERE.
So, what is the answer?
The first thing your company can do, today, with no tools, devices, appliances, or gimmicks, is to focus on educating and training its workforce on how to recognize and avoid social engineering. Will this make your company secure? Of course not. I am not aware of anything that will make your company secure, but it will make it substantially more secure than it is now. How do you do it?
Here are the steps I suggest you start with for this education and training:
- First, your company should already have appropriate policies and procedures (P&P) in place that adequately address your company’s unique cyber risk and specifically take into account the human element and how bad guys try and exploit the human element.
- Train your workforce on the P&P by actually using them as the foundation for the initial training. Explain them in detail and give real world examples of how the issues addressed in the P&P have led to incidents in other companies, which helps with getting buy-in from your workforce. (When I do this for clients, we have a professional videographer record the training session, integrating slides of the P&P, to use for onboarding future employees.) If your P&P are not a good tool for training, that means you do not have the right P&P for your needs.
- Then, begin having ongoing education and training of your workforce by doing things such as scheduling regular short training sessions and sending out informative tips on current threats and how they can use better cyber hygiene both in their personal lives and in the workplace. Encourage them to share the information with their friends and loved ones. By including the personal part, you encourage better buy-in and help them see that they are protecting themselves and their friends and loved ones as well as your company.
- Phish your workforce by sending out emails that emulate those that the bad guys use. Not just once, but on an ongoing basis from now on until cybersecurity is no longer a threat (or, phish become extinct). Do not exclude company executives no matter how much they fuss — they are more likely to fall for phishing than anyone else. Keep a record of these phishing exercises to see how workforce performance improves over time — and it will. If you really want to see improvement, consider some incentive or gamification tied to these exercises and include performance as part of the year-end review process.
- Document, document, document every step you take to improve your company’s cyber risk posture. See this article for why documentation of this process is so important.
Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.