Cyber Crime-Fighter by day…

The Importance of Creating a Culture of Cybersecurity

As organizations that support a variety of needs for people with intellectual and developmental disabilities, you do great work on a shoestring budget every day. Some of you have provided services for years, building a reputation as a trusted and respected agency in the field. But are you doing everything you can to protect your organization, its data, employees, and clients from cybercrime?

We live in a world that is far more technologically advanced than it was even a decade ago. Need proof? Consider the fact that the iPad has only been around since 2010, and smartphones came out just a few years before that. Broadband speeds are almost five times faster than they were 10 years ago, making it possible for us to do far more online. But the rise in the use of technology also brought with it a rise in cybercrime, because the possibilities and potential rewards for cybercriminals are plentiful and great.

Your organization takes security seriously. You implement firewalls, comprehensive cybersecurity defense systems, and sophisticated IT protocols to stay safe from online threats. But, unless there is an embedded culture of cybersecurity awareness across the entire organization, all of the expensive equipment and software solutions are about as effective as an umbrella in a hurricane.

Did you know that 95% of cybersecurity breaches are caused by human error? The truth is, an organization’s employees are its weakest link in the cybersecurity chain. Cybercriminals know that the easiest way to access secure networks or steal data is to target people who already have access and steal their login credentials. This is where cybersecurity awareness training comes into play – empowering employees to protect themselves and the organization from cybercrime.

Think of cybersecurity like an arms race with both sides constantly evolving their weapons and defenses. On one side, every single day the cybercriminals are coming up with new phishing techniques, creating new and increasingly dangerous types of malware, and searching for new vulnerabilities to exploit. On the other side, the good guys need to develop measures to protect against new threats, continuously update security software, patch software and operating systems regularly, stay vigilant when on the web, and educate everyone in their organization about new threats, so they don’t fall victim to them.

Gone are the days of annual ‘one-and-done’ security training. A successful security strategy is one that is continuously evolving. Cybersecurity awareness as an organizational philosophy ensures your employees (your front line) are properly trained and equipped, and not left holding a sword and shield to protect us against a fighter jet. Cybersecurity is a team effort and needs to go from the top down. It should be considered an integral part of business as usual.

Creating a culture of cybersecurity awareness is not as daunting a task as it may seem. Here are some recommendations that can immediately improve your organization’s security posture:

  1. Forget Your Password with a Password Manager
    Thanks to cloud applications and web resources, most of us are juggling a considerable number of accounts on a daily basis. There’s simply no practical way for your employees to memorize such a large quantity of unique, complex passwords. They’ll either reuse the weak passwords they already have across agency accounts, or they’ll create new passwords that they have to write down somewhere in order to keep track. Neither of these options is acceptable, because both put your organization at major risk of a breach.

    More statistics – in 2019, 80% of hacking-related breaches were caused by compromised, weak, and reused passwords. According to OpenVPN, 52% of users reuse the same password for everything.

    How many applications is your organization, as a whole, using to perform their duties? And how much of your agency’s information is spread across all these accounts? Scary, isn’t it? One person’s weak password has the potential to compromise not only an entire organization’s data, but also the data of those served by that organization. Remember this simple adage: the best possible password is one that even you don’t know.

    Eliminating weak or reused passwords is the first step your organization should take. Consider implementing a password manager (like Dashlane or LastPass) agency-wide to generate and autofill complex passwords. Standardizing on password management software makes responsibility and risk visible and manageable in an automated way.

  2. Train Your Employees… Then Go Phishing
    Prevention is only possible by training and preparing users against the variety of threat scenarios that impact organizations. The best training is live training, where you can see who understands and who needs more help. After training, you can simulate phishing attacks at your organization so you will be better prepared for real attacks. Microsoft’s Attack Simulator and KnowBe4 offer free programs that gauge your organization’s awareness and response to hacking attempts. Regular phishing simulations will not only reinforce training for your users; they will also give you insight into how well they’ve been trained, so your training program can continue to evolve.

  3. Keep Multiple Lines of Communication
    Phishing emails don’t always come from strangers. They can often come from friends and co-workers. If you receive a request for sensitive information (a routing number, login information, password verification, or even access to a document), it’s always best to reach out to the sender through a different route to confirm that the message isn’t fake. For example, if a coworker sends you a request for sensitive information in an email, call or text them to confirm that the request is genuine.

  4. Use Multi-Factor Authentication (MFA)
    The more barriers we put in place, the more difficult it will be for cybercriminals to infiltrate our data infrastructure. Technology like multi-factor authentication can significantly reduce the likelihood of a breach, and yet only 10% of Gmail users use MFA.

    Remember, the idea is to reduce risk by creating layers of protection. Imagine your organization’s data are priceless jewels. You put those jewels into a locked box. Then you put that box into a locked chest and shut it all inside a locked vault. Each of these locks has its own unique key (password). In other words, a hacker might be able to get past one layer of defense, but the additional protection measures you put in place make it harder for the wrong people to get to your precious data. That’s why we often have to go through multiple steps, such as entering a password to access our computers, another one to access specific applications or services, and then verifying our identity using two-factor authentication.

    Creating a successful MFA program is essential. It’s also important that employees understand why it’s essential, so make sure they do.

  5. Don’t Use Public WiFi
    The rise of cloud computing in the workplace means that work can take place outside of the traditional office setting. But many organizations haven’t yet developed policies to address work from an alternate location, or if they have, those policies often don’t address security. Connecting to public WiFi in a cafe, airport, or hotel is the same thing as disabling your security. Suppose you’re sitting in a coffee shop and you want to get on the internet so you can send out a quick email. For one thing, you can’t be certain that the WiFi network you’re connecting to is legitimate; it could be a cybercriminal using a hotspot to spoof the coffee shop’s WiFi, tricking unsuspecting users into connecting. Once you are connected to the fake WiFi, the cybercriminal has access to your computer and everything on it. They can steal your data and your credentials, or they can transfer malicious worms to your computer that will log your usernames and passwords and send them to the criminal, all without your knowledge.

    If connecting to public WiFi is absolutely necessary for any of your employees, your organization’s policy should stipulate that they must use a VPN (Virtual Private Network) to secure their connection.

  6. Don’t Ignore Application Updates
    Cybercriminals love hardware that’s running outdated software. They use weaknesses in software and apps to attack your devices. Software and app updates may feel like a hassle, but they are designed to fix exactly these weaknesses, and installing them as soon as possible will keep your devices secure.

Cybersecurity awareness is an investment of time and money, but a very worthwhile one. When it comes to considering the cost of cybersecurity and cybersecurity awareness training, it’s easy to argue that there are bigger battles to fight. But here’s the thing: one successful data breach could destroy your organization’s reputation and effectively put it out of business. Financially, the costs to recover from a data breach could be insurmountable.

If that thought keeps you awake for the next few nights, I’m glad. It’s not that I want you to lose sleep, but I do want you to understand that the threat is very real for all of us; it doesn’t only happen to Fortune 500 companies. Cybersecurity must be the responsibility of your entire organization. Creating a culture of cybersecurity awareness empowers all employees to be cyber crime-fighters, proactively protecting your organization from cybercriminals.

Leslie Dollman

Leslie is the MIS Administrator at Milestone HCQU West.