4 Methods to Revolutionize Your Cybersafety Program

by Joseph Kasbaum, September 13, 2016

Cyber analysts often declare 2014 as the year the internet fell apart due to a series of high-profile hacks on Sony, J.P. Morgan Chase, and Apple’s iCloud. In 2015, cyberattacks on Ashley Madison, Anthem, and the FBI were front-page news. In 2016, political hacks took center stage with the DNC’s email breach, the hack on election systems in Illinois and Arizona, and Guccifer’s “October Surprise” threat of releasing Hillary Clinton’s private server emails. 2016 will be remembered as the year cybersecurity was exposed as an ever-evolving game of cat and mouse. And we've just realized that we're the mice.

While most breaches in the news come from the worlds of retail and geopolitics, other industries should not ignore the threat of cyberattacks. Everyone is at risk. In fact, healthcare, manufacturing, and financial services companies have the highest incident rates. For any company, elaborate software alone will not prevent a hack or data breach. Why? Because 91% of all targeted cyberattacks rely on “social engineering” to persuade employees to reveal confidential company information. Below are four methods to help you build a more comprehensive response to the growing cyber onslaught.

1. Revise your attack radius

The main fault of many cybersecurity programs is that Finance and Operations leaders inaccurately believe the IT guys can block out the hackers by themselves. But cyber criminals will attack all employees, not just your experienced IT staff. In a comprehensive cybersecurity plan, the attack radius extends to any system with sensitive data, as well as the people who could access those systems. It's critical that ownership of the cybersafety program rests with an executive-level leader (e.g. the Chief Risk Officer or Chief Information Security Officer). This makes clear that cybersecurity initiatives are company-wide initiatives, not solely IT-related ones.

2. Rethink cybersafety awareness training

It's crucial to make employees aware of methods used by hackers and the company policies and procedures for addressing the following types of social engineering schemes:

The importance of training employees on how to identify and avoid these threats can be just as financially important as training employees on how to maintain the organization’s physical assets. In addition to a robust awareness training program, Trenegy believes in the power of the "cybersafety minute," a CRO/CISO sponsored minute at the beginning of meetings that provides consistent awareness about the state of the organization’s cybersecurity.

3. Remodel risk assessments

Testing controls is traditionally a reactive practice. For example, pervasive testing of internal controls over financial reporting came about as a response to SOX. Testing of environmental, health, and safety controls is a response to EPA regulation. Some organizations effectively test cybersecurity controls only because they've had several breaches in the past. Cybersecurity controls do not receive the proper testing focus because the risks are not correctly assessed. Creative hacking calls for creative preventative measures. Many organizations outsource annual penetration testing, but since most hacks rely on vulnerabilities in human nature, standard penetration testing is not comprehensive. During the risk assessment, the CRO/CISO should sponsor testing in which an internal employee attempts to socially engineer other employees. It is likely that any cybersecurity risk, technical or social, will be rated at the highest threat level.

4. Rework incentives

It can be hard to draw the connection between a mysterious email and the loss of millions. Even so, ensuring employee compliance with a cybersecurity program is key to the program’s success. Incentives, like bonuses for completing a cybersafety training, can drive positive behavior and encourage engagement. Including cybersecurity in performance evaluations and day-to-day training helps people understand on an individual level how they can make an impact on the company’s overall cybersecurity program.