When it comes to cybersecurity, the old joke is that there are only two types of companies: those that have been breached and know it, and those that have been breached. Unfortunately, there’s a lot of truth in that statement.
Over the years we have continually heard owners and management claim that their businesses are not a target for cybercrime. There are always reasons: “We don’t keep sensitive financial data.” “We’re just a ‘fill-in-the-blank’ company, so we don’t have confidential intellectual property.” “We have a firewall.” “Our IT is top-notch and has it under control.”
Unfortunately, the cybersecurity/information security problem doesn’t get the attention it needs for two main reasons.
First, too many organizations falsely believe they are not a target. The problem with this thinking is that all organizations, regardless of their size, the kind of data they maintain, or the products and services they offer, are in fact a target. Today’s cybercriminals are opportunists, looking for any way into an organization and then attacking in a smash-and-grab style. Today’s cybercriminal mantra is to get into an organization, grab everything they can, and then determine its value. As such, no organization is immune.
Second, organizations falsely believe that cybersecurity is an IT problem. After all, if they have someone handling IT, then information security must be handled.
The insider threat
How do the bad guys get in? Certainly, in some instances it is because of weak IT security controls. In most breaches, however, it comes down to a people problem, and more specifically your people.
A recent survey conducted by Market Connections and SolarWinds found that 53 percent of the breaches could be attributed to careless and untrained end-users, not outside malicious attackers. It’s the careless user who clicks on a malicious link in an email, the individual who takes semi-sensitive data out of the organization unencrypted on a laptop or USB drive, or the individual who unwittingly installs a piece of malicious software (malware) by opening an email attachment, and thereby opens the door for the attack. And these breaches are just as damaging as, if not more so than, those caused by an outside attacker.
Addressing the challenge head-on
Organizations must not only recognize but embrace the idea that cybersecurity is not IT’s problem; it is everyone’s problem. Organizations need to continue to invest in solutions that help to identify, block and cut down on spam, malware and other vectors that lead to opening these doors into the organization, but that alone is not enough.
End-user training to sensitize users to the types of threats that exist is crucial. Training of this nature needs to be monthly or quarterly. The organization’s culture needs to shift to being optimistically cautious about anything that comes to them electronically, whether it arrives via email or a website they visit, and even before they attach an external device to their system. And finally, the organization needs to make it easy for end users to report, and to act upon, anything that is suspicious.