(Photo Courtesy of Web Mentors)
Cybersecurity failures, where attackers gain illicit access to information systems, represent a serious threat to small businesses and our local economy. To put the problem into perspective, according to the FBI’s annual internet crime report, the average cost of a data breach is now $3.8 million and this is only expected to increase. So what exactly is contributing to this growing problem? You may be surprised to learn it’s not a technology problem, its human. In fact, you and your employees are probably the weakest link in your organization’s cybersecurity landscape. This suggests that annual risk assessments, effective security policies and ongoing security training are important to safeguard business data, systems and their continuity.
For example, ransomware is the most significant malware problem in today’s threat landscape. It infects computers, encrypts all data files and then displays a ransom message promising a decryption key in return for payment. Although initial versions of ransomware targeted data on a computer, recent variants spread in just minutes across entire networks and target operational data. CyberCrime magazine estimates the global cost to businesses and individuals of ransomware in 2017 exceeded $5 billion.
Let’s consider one reason why ransomware is such a problem to help illustrate how behavior contributes to the security problem.
Phishing is the primary attack vector for ransomware, where an email contains language that conveys urgency, for example ‘We detected unusual activity on your account, click to view details.’ This type of social engineering is effective because individuals are prone to use familiar patterns or ‘scripts’ when they engage with technology like their email. Most likely you will use a script of your own each time you scan your email inbox. These scripts help us efficiently deal with new messages using minimal cognitive resources. Unfortunately it only takes one overworked employee to reflexively click the phishing link or attachment which can install a malware payload that infects the entire organization.
So what should you do? The first step is an annual cyber security risk assessment conducted by a qualitied professional to identify what is important to safeguard and the most likely threats to their continuity. Next, the results of this assessment inform the company policies. An organization with a written policy governing technology usage that is updated annually is less likely to have a catastrophic cybersecurity incident. Finally, regular employee security training, e.g. anti-phishing and ransomware helps promote awareness. When employees are aware their behavior could be risky, as in dealing with email that has an attachment or link, they are more prone to behave thoughtfully and deliberate instead of following a routine script that is easily hacked.
Although there’s no foolproof way to prevent a cybersecurity incident like ransomware, an effective cybersecurity approach decreases the likelihood of an attack and importantly minimizes the consequences should one happen. An unprepared organization may lose all their data and consequently go out of business after a ransomware attack, but a well prepared one can be back up and running in hours.
Michael Curry (michael@webmentors.com) is the president of Web Mentors, which provides e-business services, including cyber security assessments and training. He has a doctorate in business and is the primary author of the ‘InfoSec Process Action Model (IPAM): Systematically Addressing Individual Security Behavior,’ a new theoretical approach to addressing cybersecurity published in one of the leading international security journals, the DATABASE for Advances in Information Systems https://dl.acm.org/citation.cfm?doid=3210530.3210535.
