Building a cyber-aware culture

By Laura Haight 
 Originally published as the Digital Maven in Upstate Business Journal on Sept. 22, 2017

A young, smart technologist gets up, reads the news with her morning coffee, then hops on a bike and heads to the office. She's lucky to be working in a thriving $1B industry that is poised to grow an enviable 25-50 percent each year.  

She's a hacker and she every day she joins an army of hackers around the world who have turned ransomware into a thriving business model, including the development of Ransomware-as-a-Service. Now criminals without the tech skills can deploy a ready-made ransomware solution that even includes tech support.  

And while ransomware may be the poster child of successful hacks it is far from the only risk.  Phishing and whaling (CEO Fraud) continue to be extremely effective tools for stealing credentials, opening up back doors, and exposing sensitive information. 

October is Cyber Awareness Month.  Since 2004, the US and other countries around the world have used this opportunity to promote awareness, providing tools and training to help arm us against the daily threats that go hand-in-hand with the dynamic technology we enjoy in our personal and business lives. My company, Portfolio, is proud to be a champion and sponsor of this program.

If you're feeling bored right now, you are probably among the 90 percent of small business owners who don't believe you are of interest to hackers. Well, wander off if you want, but a Ponemon survey found that in 2016 half of all small to medium sized businesses were hacked. Those are businesses with under 100 employees and less than $50 million in annual revenues. Like yours.

Not sure how to get started? We can help with consulting, a BizSafe risk analysis, and staff training. A conversation is a great place to start.

Protecting your business against cyber attacks is a good-news-bad-news kind of thing. The good news is that almost all business are running some form of malware/anti-virus protection. The bad news is that 53 percent of you are using free tools designed for home, not commercial, uses.  

Even if you have chosen stronger tools – like Symantec or Sophos – aggregated, they stop about 75 percent of malware and infected emails. 

True security is a three-pronged approach:

  1. Hardware like firewalls and segmented networks, edge systems with intrusion detection.

  2. Software such as antivirus and malware detection, email filtering systems with learning algorithms, and

  3. Humanware, the often neglected but most critical of the three.

Security is not an IT problem, it is a business problem.

Building a cyber aware culture

An awareness workflow, training, testing, and reward are all part of the process necessary to fully involve your employees in protecting your business.  

  • Workflow. Your folks are going to get malicious emails or other threats. If they click on something, they may get that sinking feeling right off the bat that "maybe I shouldn't have done that." They must know who to notify and feel safe in admitting that they made a mistake. We have all done it. I have done it. There must also be a process to quickly act to isolate the threat and remediate the problem. One click isn't a disaster, unless it goes unchecked. A final part of the workflow is notifying others of the threat. An email that reaches one of your employees will almost certainly go to others. It is rarely a "fluke".

  • Training. Do not assume everyone knows how to identify the risky emails. The 2016 Verizon Data Breach Report evaluated data from 8 million sanctioned email tests and found 30 percent of bad emails were opened and 12 percent of employees being tested opened the attachment or link. That is a higher percentage than the previous year. Assuming they aren't trying to hurt the business, they must not be recognizing the threats. Training can help. Online programs are available, some for free. Even a series of quarterly lunch and learns dedicated to reviewing threats your business has seen over the period, can help keep the risks top of mind.

  • Testing. Many businesses regularly test their employees by sending random tests of bad emails to see how many will click. This should not be a prejorative exercise, but a training opportunity. Although this seems like a big-business tool, it isn't anywhere near as expensive as you might think - especially when factored against the costs of ransomware, data breaches, or remediation.

  • Reward. The Verizon report found that fewer than 3 percent of employees who got a malicious email via sanctioned testing alerted management. That's another good-news, bad-news situation. Rewards don't have to be financial (although those are nice too), but they matter to employees. A mention in an employee email blast: "Kudos to Nancy for alerting us to a malware threat last week!" In a hectic and demanding world of work, who doesn't love a public pat on the back?

More tips and links are available online from Stay.Safe.Online. Throughout October, information to help your business (and your family) navigate our connected lives safely, securely, and confidently will be getting a great deal of exposure. Look for #CyberAware to find resources and practicioners, like Portfolio, who can help.