April 9, 2021
Who Let the Hacker in the Front Door?
These days, it's not enough to just have a well-secured system and network protecting your business in the world we live in. Equally as important, you need to ensure that your employees are not letting the bad guys in through your front door.
It has been well documented by Law Enforcement agencies and many security professionals that over 90% of all Ransomware attacks can be attributed to actions taken by an employee. This is not to say they are a willing accomplice or that their acts were intentional. Simply by them clicking on a malicious email link, falling prey to a doctored-up email, or visiting an unfamiliar website can cause significant disruption and potentially jeopardize your business.
Some recent trends you may not be aware of:
- Remote employees' interactions with unsafe websites are up 50% since May 2020.
- 97% of users cannot identify a sophisticated phishing email.
- 25% of users have clicked a phishing email at work
- A single successful phishing attack can cost an average of $1.6 Million
- 85% of organizations have suffered from phishing attacks.
Over the years, DataSure24 has worked on several incident response events where an attack was initiated almost immediately after an employee "clicked "on something they should not have. With each event, there was no Cybersecurity Incident Response plan in place, and the time to recovery was significantly impacted. Other attacks can vary where the bad guys embed themselves in your network and lie undetected for many months only to learn more about how to best inflict the most pain on your organization and to ensure their ransom will be paid, or your data will be removed. Some best practices that would improve your cybersecurity posture are: implementing a 24/7 Managed Detection and Response service, an ongoing Vulnerability Management program, and performing regular security assessments.
One of the top seven things you can do in building a solid defense in depth strategy to protect yourself from a cyber-attack is developing a Security Awareness Training program (SAT).
Keys to a Successful Security Awareness Training Program:
- Identify a proven Security training software platform that you feel comfortable with
- Set up a baseline Phishing exercise to determine how equipped your employees are to deal with malicious emails
- Provide Security Awareness Training to all employees (online, video, and in-person training)
- Conduct follow-up Phishing exercises
- Review the reports and identify your weakest links-"Your Clickers" and provide additional training
- Repeat steps 2-5 (Indefinitely)
To ensure your Security Awareness Training program's success, it is recommended that you have early buy-in from senior management, including active
participation. Additionally, having someone with either a Security or
Training background (both would be a plus) within your organization to manage the program or contracting with an outside firm will help to ensure success.
Not only do I believe strongly in the benefits of a good Security Awareness
Program, but several prominent compliance organizations believe this as well. Many
organizations have to comply with various compliance acts to increase protection and avoid violations and fees, as listed below:
- New York State Department Financial Services - 23 NYCRR 500 - 500.14
- NIST 800-53- National Institute of Standards - AT-2, PM-13, PM-14
- PCI-DSS- Payment Credit Industry Data Security Standards 12.6
- FISMA - Federal Information Security Management Ac - 4U.S.C 3544
- GLBA - Gramm-Leech Biley Act-16 CFR 314.4
- HIPPA - 45 CFR 164.530(b)(1)
- 45 CFR 164.308(A) (5)
- ISO/IEC 27002 ISO/IEC 27002.2005
Implementing a Security Awareness Training Program for your employees is extremely important in order to reduce your exposure to potential threats. The DataSure24 team can assess your employees' current cybersecurity awareness and develop a training solution that fits your organization and its culture. For more information, visit our Security Awareness Training page.
Does your company have the right cybersecurity plan in place? Contact us for more information on how our customizable services may help protect your business.
Posted by Peter Ronca