Back in April, 2016, the U.S. Federal Bureau of Investigation warned about a “dramatic” uptick in CEO fraud, e-mail scams where the attacker sends a message that looks to be from the boss, asking someone at the organization to wire funds. According to the FBI, these scams have resulted in more than $2.3 million in losses in the last three years alone. Since January 2015, there’s been a 270 percent increase in victims and losses, according to the FBI.
“The schemers go to great lengths to spoof company e-mail or use social engineering to assume the identity of the CEO, a company attorney, or trusted vendor. They research employees who manage money and use language specific to the company they are targeting, then they request a wire fraud transfer using dollar amounts that lend legitimacy,” according to the FBI press release.
This begs the question, does your company’s biggest security threat work in the office across the hall?
It’s quite possible.
A report from Kaspersky Lab released in November seems to corroborate.
More than 4,000 businesses from 25 countries were surveyed for the Business Perception of IT Security: In the Face of an Inevitable Compromise. According to the results, North American businesses claim two of the top causes of the most serious data breaches they’ve encountered came about because of careless or uninformed employee actions (59 percent) and phishing/social engineering (56 percent).
“The most important finding is the companies’ points of vulnerability: threats like employee carelessness and data exposure due to inappropriate sharing of device theft,” said Veniamin Levtsov, vice president, enterprise business at Kaspersky Lab. “Such challenges cannot be addressed by a technology or algorithm, instead they require better employee awareness and regular training.
The stats vary, but it’s estimated between 60 and 95 percent of all security breaches involve human error.
You can invest in the latest and greatest security all you want for your company, but it won’t matter one bit if your employees don’t buy in.
In short, teach them why they should care. Show them why their actions matter, and how their choices can impact the company, the company’s bottom line, and their own lives, otherwise they are likely to ignore your missives.
Michael Madon, a cyber security leader, CEO of Ataata, a security awareness platform, and the former U.S. Treasury’s Deputy Assistant Secretary for Intelligence Integration was interviewed in this recent Forbes story:
“Too many companies are looking for a technical solution to what is essentially a human problem,” Madon said. “Products can certainly help protect data and networks. But even the most sophisticated technology can only reduce exposure so much when a company’s biggest security risk works in-house.”
The Federal Communications Commission agrees.
“Failure to give attention to the area of security training puts an enterprise at great risk because security of business resources is as much a human issue as it is a technology issue,” according to the FCC’s Cyber Security Planning Guide. “Technology users are the largest audience in any organization and are the single most important group of people who can help to reduce unintentional errors and IT vulnerabilities.”
With that in mind, it’s certainly worth setting up a mandatory security awareness training that will teach employees to understand system vulnerabilities and present threats to business operations that come along with using a computer on a business network.
Remember, users might include not only employees, but also contractors, guest researchers, visitors, guests, and other associates requiring access.
The Cyber Security Guide recommends that users:
- Understand and comply with security policies and procedures.
- Be appropriately trained in the rules of behavior for the systems and applications to which they have access.
- Work with management to meet training needs.
- Keep software and applications updated with security patches.
- Train employees about actions they can take to better protect company information.
Train Employees on the Following Issues:
– Proper password usage: Complex passwords are a must and best practices recommend using a password manager.
– Data encryption.
– Data backup: Make sure the right systems are in place for back up and that it is done regularly.
— Physical access and security: Don’t allow employees to let others access their computer or devices. Don’t ever leave mobile devices in a car or somewhere the public can access.
– Software installation and patching: Only allow installation of software that’s being used for business purposes. Install all security patches.
– Proper antivirus protection: Set updates to install automatically.
— Computer firewalls should be turned on.
– Report any suspected incidents or violations of security policy.
– Follow rules established to avoid social engineering attacks and deter the spread of spam or viruses and worms. Beware of phishing schemes. Show employees phishing examples so they’re better able to recognize them when they should up in the inbox.
— Don’t use USB flash drives as it could contain malware.
Sensitive Data vs. Non-Sensitive Data
It’s also important to clearly categorize sensitive data versus non-sensitive data.
Typically, the following data are considered sensitive information that should be handled with precaution:
- Government issued identification numbers (e.g., Social Security numbers, driver’s license numbers)
- Financial account information (bank account numbers, credit card numbers)
- Medical records
- Health insurance information
- Salary information
A training should cover “security policies for all means of access and transmission methods, including secure databases, email, file transfer, encrypted electronic media and hard copies,” according to the FCC recs.
Whatever you do, don’t rely on just one training session to get across this critical information. Company owners and execs should constantly emphasize how critical data security is to the business and its ability to function. When notable data privacy and security related news is published, be sure and share the information as a reminder to your employees. Regularly schedule refresher courses, perhaps as much as quarterly, and make them mandatory for all employees. KrebsOnSecurity blogger Brian Krebs goes so far to recommend testing its employees, akin to secret shopping but with security in mind, in this 2016 post about the FBI’s CEO scam warning.
“Remember, the attackers are constantly testing users’ security awareness. Organizations might as well be doing the same, using periodic tests to identify problematic users and to place additional security controls on those individuals,” Krebs writes.
In short, do whatever it takes to instill a culture that puts data security first.
When a small company has a data breach it causes severe damage to the organization, its employees, customers and reputation. LibertyID for Small Business prepares you with prevention planning, a crisis response plan and fully managed identity theft restoration for your employees and for your customers should you experience a data breach. When a data breach happens, our team of specialists goes to work. Visit libertyidforsmallbusiness.com.