Sun Tzu once stated that “The supreme art of war is to subdue the enemy without fighting,” and two and a half thousand years later his words stand the test of time, as today we are seeing this ancient ideal applied in the most modern of battlegrounds: the fight against cyber-crime.
In recent years, more and more firms are realising the growing threat of a data breach within their organisation. The average cyber-attack costs a business over $1 million, a figure that has made organisations sit up and take note of the true ramifications of a malicious attack. However, businesses also need to prepare for data breaches that occur as a result of employees. While malicious attacks make up a significant portion of incidents, breaches caused by employees and the extended enterprise make up 65 per cent of all security incidents in the UK.
To tackle both the malicious and the accidental threat from within, organisations should have preventative technology in place, but the real key to mitigating the damage of cyber-crime is to educate the workforce on the various dangers they pose to their firm, be it accidentally sharing sensitive data or falling victim to a ransomware attack.
‘Know thy enemy’
As a starting point, employees should have a good understanding of the systems within the company that hold and store sensitive data, and of their responsibilities in regard to securely processing and sharing sensitive information. A well-trained employee should be able to answer the three data-security questions, ‘What’, ‘Where’ and ‘Why’:
- What data is considered valuable to cybercriminals?
- Where is this valuable data stored?
- Why is this data so valuable, and why is it a potential target?
If an employee can answer these three questions, they will be much better equipped to prevent any attempt by attackers to extract this information. They will be likely to question any request for this particular data, be suspicious of anyone attempting to access that part of the data system, and understand the potential value of this data and the need for its protection. Not only is this considered the more effective of the two aspects of cyber-security training, it is also regarded as easier to teach employees what they need to protect than to teach them who they need to protect it from.
‘Once more unto the breach, dear friends, once more’
The ways in which a breach may occur, and the consequent warning signs, may vary from industry to industry, but there are a few frequently occurring symptoms. The average worker may not notice a significant rise in outbound traffic, but if trained correctly, they may question the resulting slower internet speeds. Furthermore, a trained employee would know to be suspicious if they were suddenly locked out of their user accounts, or sent an email asking for financial details. A trained eye may recognise these warning signs, but an average employee with no training in cyber security may assume they are the result of network maintenance, or of their frustrating colleague Derrick who always moves files around the system. However, recognising the breach is only part of the battle.
The most important part of responding to a breach is establishing a clear line of communication to raise the alarm. It may be that employees are encouraged to report such threats to a supervisor with specialist training in differentiating real breaches from accidents or false alarms. Alternatively, employees may be instructed to simply pass on a warning about any possible breach directly to the IT department. The breach notification chain may vary from firm to firm, but what is essential is that a solid protocol is established and employees are educated on what to do in preparation for such a threat.
‘Knowing the rules of engagement’
Most data losses are the result of accidental data leaks, but employees can easily be trained to significantly mitigate this threat. When an internal breach occurs, employees are reluctant to blow the whistle on themselves, often hiding the issue whilst they attempt to rectify it. In addition, those who unknowingly facilitate an attack (be it through phishing, malware or even social media) are usually reluctant to raise the alarm for fear of punishment.
This is arguably one of the most common, and indeed most problematic, issues surrounding data breach mitigation. As any cyber security specialist can testify, the longer it takes to identify a threat, the more damage that threat can do. Time is of the essence in dealing with breaches, and if an employee is unwilling to come forward until the threat is discovered, significant damage may already have been done.
To combat this, organisations must reassure workers that they will not face consequences for reporting accidental data loss or for interacting with, for example, a phishing email. An environment must be created where employees feel safe to report incidents so they can be resolved quickly. To achieve this, organisations need to encourage employees to come forward and ultimately make them feel part of the ‘bigger picture’: improving the company’s security posture.
‘Sometimes, you have to fight a battle more than once to win it’
Bear in mind that, whilst training your workforce to a higher standard of cyber security and adopting a supportive breach-reporting environment will undoubtedly have a significant impact on the strength of your cyber security, over time the standard of your workforce’s defence will degrade. This is mainly a result of changes in the operation of the organisation, and also in part due to human nature. Organisations must remember that changes to data storage, or new protocols on data sharing, will require a refresher course on the ‘three questions’. Be proactive about training staff on new technology that may present a security risk to your organisation which your workforce is not yet aware of.
Furthermore, firms must remember that humans are inherently fallible, and that as time goes on without any problems, many workers will lose their caution, a well-documented bias known as ‘normalcy bias’. In addition to this, canny workers will often find workarounds to their training in the pursuit of speed, ease and efficiency, thereby negating the effectiveness of that layer of security. For all these reasons, it is essential that a firm recognises that cyber security training is a continuous process, with training sessions occurring frequently to make sure that all staff are up to date.
‘Si vis pacem, para bellum’
Staggeringly, although 70 per cent of medium and large UK firms reported a significant data breach during 2017, less than 50 per cent have trained their workforce in adapting to this new-age threat. Clearly, the need for a cyber-threat-educated workforce is greater than ever, although businesses must remember that this is only one facet of a strong cyber defence.
A truly strong cyber defence should incorporate tiered security, with multiple layers of defences such as a firewall, multi-factor authentication, data loss prevention technology and, of course, a well-educated workforce. As the ever-prescient Sun Tzu observed, “The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him.”
Dr. Guy Bunker, SVP of Products, Clearswift