Picture this. You’re sitting at your desk, working diligently. Your phone is nearby, so you pick it up quickly, just to check if there are any new messages. In the short time it takes you to do this, a cyber-attack has occurred somewhere in the world.
It’s the scary truth that hacker attacks strike every 39 seconds. Inga Beale, CEO of Lloyd’s Bank, believes that we live in a world “where the threat from cyber-crime is when, not if.”
But despite the seriousness of this threat, many businesses remain ill-equipped to tackle it. A recent survey revealed that fewer than half of information security professionals believed they could protect their organizations from cyber threats.
Security technology to protect information is only part of the solution. If your organization is making any of these common cyber security mistakes, you could be at high risk too.
1. Crossing that bridge when you come to it
Fail to prepare, prepare to fail. If your approach is to “cross that bridge when we come to it”, chances are that bridge is already burning.
To respond effectively to a cyber-attack on your computer system, you need security measures in place now. Define an escalation procedure in the event of a crisis. Which staff members are involved? What actions must each take? Who alerts your workforce – and who gives them the approval to do so?
Practice your response process through simulated attacks. Trigger fake phishing emails to test staff awareness and understanding. Is their response appropriate? Do the actions they take reflect those prescribed by your security policies?
Being organized in advance allows you to respond at pace when an attack comes. Needing to work it out on the fly, when everyone is distracted and stressed, is a recipe for disaster.
2. Assuming all staff are ‘in the know’
If you’ve sent out some emails about the importance of cyber security, and assume that everyone is receiving and reading your messages, unfortunately there’s bad news – they aren’t.
Today’s workplaces include a wide range of different employees – mobile workers, remote staff, shift workers, contractors and others. It’s become almost impossible to reach everyone, especially via corporate emails when nearly two-thirds of staff don’t read them.
Set up target audience groups in your internal communication system in advance. Pay particular attention to staff members who are field-based, work in remote offices or home offices, work outside normal corporate office hours, or any other non-traditional situation.
Set these up as distinct groups so that you can tailor messaging specifically to them and be certain that they won’t be overlooked.
High-visibility tools like desktop alerts, with mobile optimization, reach 100% of staff, which takes the guesswork out of who has seen what.
3. Approaching staff training as ‘one and done’
Remember the 2016 cyber-attack which caused a data breach at a certain social media giant? The CEO’s password was among those hacked and was revealed to be the rather embarrassingly simple "Dadada". A security faux pas which could ironically be labelled a faceplant.
The point is, even staff members who should know better can invite risk. Your workplace may have delivered sessions on network security, identity theft and best practices. But learnings lapse; training is temporary.
It needs reinforcement, particularly as technologies like the IoT and AI increasingly pervade the consumer world. Schedule follow-up sessions at regular intervals. Make completion of training a compliance regulation for all new employees.
Use corporate screensavers to turn your desktop computer screens into digital billboards which promote safe cyber behavior. It's all part of risk management. You can’t remind staff too often.
4. Assuming you know it all
You may be your organization’s expert on cyber security, but you can’t know everything. As fast as protections are put in place to deflect risk, hackers are working to crack them. With the average cost of a data breach set to exceed $150 million by 2020, you need every weapon in the arsenal.
Supplement your professional guidance by encouraging staff to share helpful tips they’ve seen. Repurpose useful content from vendors. Collate these into an accessible repository on your corporate intranet.
It’s essential that someone in your Information Security team retain ultimate oversight of the content and overall security program, but they don’t have a monopoly on good ideas.
5. Ignoring the power of culture
If anyone in your organization isn’t invested in the solution, they’re part of the problem. That includes those at the top. Worryingly, only 36% of information security staff believe their senior leadership see cyber security as a strategic priority.
In environments like this, getting the message through about the importance and risks of cyber security breaches is so much harder.
Invest the time in building cyber security awareness and establishing an organizational culture. Build champions in every department. Include updates in regular staff newsletters. Quiz staff on their understanding.
Your aim must be to ingrain positive behavior and make it second nature. Staff are always your organization’s first line of defense, so build them up and make them mighty.
With so much financial and reputational damage at stake, it’s small wonder that cyber security is such a critical area for modern business. Avoiding common mistakes is critical to becoming cyber safe.