Dysfunctional technology is often the first thing that people blame when there’s a data breach, but studies have consistently shown that human error is behind the majority of cases. In fact, one of Connecticut’s biggest breaches was accomplished by a scammer pretending to be a school superintendent who was requesting teacher W-2s.
Choosing the right technology is critical to enforcing your cybersecurity policies and data safeguards, but it’s only as effective as your employees are at using it. This is also why many industry regulations, such as those in healthcare, require organizations to provide ongoing security and privacy awareness training to employees.
Everyone in your organization who handles confidential information, either in printed or digital form, needs to be trained not just to follow security policies, but also to identify and report potential threats. You must create a culture of accountability in which every member of your team understands what the threats are and their obligations when it comes to protecting data.
Understanding social engineering scams
Last year, Verizon reported that 90% of data breaches could be traced to social engineering scams, usually some form of phishing. What’s especially notable about this statistic is that almost all incidents of data theft, ransomware and other cyberattacks don’t rely on vulnerabilities in the technology itself, but on plain old human negligence.
Social engineering scams work by duping unwitting victims who hold company privileges into taking the action the attacker wants. Once that happens, your technology solutions have no reason to stop a trusted employee from sharing information he or she is authorized to access.
Technical measures like spam filtering and multifactor authentication greatly reduce the incidence of these scams, but there’s still no substitute for employee training. Your staff needs to be familiar with all kinds of scams, including those that have been carefully crafted to fit a single victim. Would your employees think twice before responding to an email that seemed to come from you and asked for private information?
Enforcing strong password management
According to a recent study, over 80% of Americans admit to using the same login credentials for multiple accounts. That means if your company has 35 employees, 28 of them are probably using the same password for Facebook as for their work email. Passwords are stolen all the time, and when employees reuse them, one breach is all it takes to compromise dozens of accounts.
On top of that, a surprising number of people don’t even secure their mobile devices with a PIN code, despite the fact that they use them to access email, shop online, and check bank accounts. As the number of your employees grows, so does the likelihood that one of them leaves their phone unattended and someone picks it up to read company emails.
Beyond mobile devices, your login and data access policies need to be clear and consistently enforced, because a policy that employees ignore protects nothing. Everyone must enable features such as multifactor authentication and unified logins, which make it harder for unauthorized parties to access company data with stolen credentials.
Using real-world examples to illustrate the threats
Taking an academic approach to cybersecurity training is a costly mistake. You’ll see better results using real-world examples, tests, and simulations to illustrate the likelihood of certain threats, rather than focusing on forgettable statistical information and lists of rules and regulations.
Every security-awareness program should be dynamic, scalable, and tailored to the unique challenges of your organization’s data. You should be demonstrating real threats by conducting phishing simulations and penetration testing that take into consideration the actual computing resources that your employees rely on every day to do their job.
Armed with this first-hand knowledge and experience, you’ll have what it takes to turn your team into the first and last line of defense against a multitude of threats.
Charles IT helps small- to medium-sized businesses in and around Middletown with tailor-made technology solutions and ongoing training and support. Contact us today if you’re ready to transform your IT environment for the better.