Respondents were grouped into three “risk profiles” based on their correct answers: Hero (93-100%), Novice (77-92%) and Risks (76% and lower). In summary, 70% of those surveyed scored at the Novice level. You might say that 77% is a solid “C” grade in school and 92% is an “A-”. But consider that a single instance of risky behavior, such as clicking a link in an email, can infect your organization with ransomware; that is pretty frightening! If 70% of your organization is at the “Novice” level of cyber security awareness, the odds of being breached are relatively good!
The 2017 Verizon Breach Report provides some sobering breach statistics:
- 62% of breaches were the result of hacking
- 81% of hacking-related breaches involved stolen or weak passwords
- 66% of malware was installed via malicious email attachments
- 75% were conducted by outsiders (25% by insiders)
- 73% were financially motivated
- 51% involved criminal groups
- 27% were discovered by third parties
How do you make your entire staff Cyber Security Awareness Heroes? Here are some easy steps that will substantially improve cyber security awareness.
- Make cyber security awareness a priority in your organization. Discuss it in staff meetings and company-wide meetings regularly.
- Increase training frequency and delivery methods. Taking the same training class year after year does not improve awareness and clearly tells staff it isn’t a priority. Require two new and different training classes per year, preferably once a quarter.
- Hold an awareness campaign where emerging threats are reviewed and positive cyber security habits are encouraged.
- Encourage reporting of security incidents as learning opportunities. Investigate and document security incidents and then review them with the workforce to learn from them. Revise policies and procedures as needed to address process issues.
- If you have access to the data from your IT support organization, publish or post the statistics on the attempts to hack into your network. We all sit comfortably behind firewalls and forget how many bad actors are out there.
- Conduct simulated email phishing campaigns to improve the workforce's email awareness, use and habits.
Your cyber security training program should continue to evolve to keep pace with rapidly changing cyber threats. In a smaller organization, assign one job role the responsibility for keeping your training current and fresh.
Our dependence on computers and the Internet will only increase, as will the threats seeking to steal our sensitive data or damage our reputation or ability to do business. Training your workforce to protect your organization is a small investment.
If your organization needs a security risk assessment, compliance management plan, or cyber security plan, please contact us at: info@thirdrock.com