October is Cybersecurity Awareness Month, but most business leaders and consumers don’t need a special event to remember cybersecurity’s preeminence in today’s turbulent digital landscape.
Even so, a little reminder can’t hurt.
With the average cost of a data breach surpassing $4 million for the first time and everything from phishing scams to ransomware attacks reaching record highs in frequency and scope, awareness is always just a headline away. That’s why, according to Gartner’s 2021 CIO Agenda Study, cybersecurity is the top priority for more than half of business leaders as they strive to #BeCyberSmart in 2021 and beyond.
When distributing these resources, CIOs and other company decision-makers are balancing several critical priorities and asking difficult questions about their defensive postures: Should they allocate this money to fortifying next generation firewalls to enhance their on-site cyber readiness, or should they direct their cybersecurity budgets to secure inbound connections from their newly remote staffs? Should they invest in people or pursue software solutions?
While software solutions are critical to securing digital infrastructure and company data, businesses will get the most return-on-investment by directing a significant share of their cybersecurity capacity toward an oft-overlooked priority – their people.
One industry study found that a “human element” plays a critical role in 85 percent of data breaches and cybersecurity incidents, making it an obvious place for businesses to invest their time, talent, and financial resources. More specifically, here are three ways any company can guard against insider threats:
1. Acknowledge and defend against malicious insiders
Company insiders, including employees, contractors, and other trusted third parties with access to company IT, often operate with the de facto trust of their employers. After all, these people are compensated by the company, and their day-to-day operations should support organizational objectives and growth efforts.
Unfortunately, some trusted insiders will become threat actors. Often motivated, in some part, by financial gain, malicious insiders compromise digital infrastructure, undermine data privacy, or steal company secrets. While every malicious insider harnesses their privileged access to enact harm, their actions are often unique, including:
- A Tesla employee intentionally sabotaged the company’s internet networks, transmitting sensitive information to a third party
- A Facebook engineer used privileged access to stalk a woman online
- A Suntrust Bank employee downloaded the personally identifiable information (PII) of 1.5 million customers.
In response, every company can enhance its cybersecurity posture by acknowledging the potential for malicious insiders to compromise cybersecurity. User activity monitoring and behavior analytics can give cybersecurity professionals the insights they need to stop malicious insiders in their tracks, but companies must first acknowledge the risk before they can respond with the right solutions.
2. Educate employees and promote accountability
Companies don’t become cyber smart by accident. In fact, cybersecurity is rarely top-of-mind for the average employee as they go about their day and pursue their professional responsibilities. Therefore, businesses are responsible for educating their workforce, training their teams to identify and defend against the latest threat patterns.
For instance, phishing scams have increased significantly since the pandemic’s onset, and each malicious message threatens to undermine data integrity. Meanwhile, many employees can’t identify these threats, and they wouldn’t know how to respond if they did.
Of course, education isn’t limited to phishing scams. One survey found that 61 percent of employees failed a basic quiz on cybersecurity fundamentals. With the average company spending only 5 percent of its IT budget on employee training, it’s clear that education is an untapped opportunity for many organizations to #BeCyberSmart.
When coupled with intentional accountability measures that ensure training is implemented, companies can transform their unaware employees into incredible defensive assets.
3. Prevent accidents and eliminate carelessness
Accidents happen, so companies need to develop the capacity to identify accidental data exposures and correct the behavior as quickly as possible. AI-powered behavior analytics can help IT leaders in this capacity, differentiating casual alerts from high-leverage opportunities to thwart a breach.
Meanwhile, leaders should be careful not to conflate carelessness with accidents. For example, “123456” and “password” are two of the most popular password combinations despite their obvious flaws, and when these accounts are compromised, it’s because of carelessness, not an accident. Similarly, employees shouldn’t have the power to neglect simple best practices, like two-factor authentication or VPN services, that keep accounts and company data secure in a variety of vulnerable environments.
Instead, businesses need insights into their employees’ digital activity to identify and correct careless behavior while holding people accountable for their actions. With the heightened stakes of today’s online environment, businesses can’t afford to require anything less.
This October is an opportunity for businesses of every size in every sector to reevaluate their cyber readiness. Many will not like what they find. However, improving cybersecurity doesn’t have to be an all-encompassing endeavor, and even incremental enhancements can keep data and IT infrastructure safe from bad actors.
The costs and consequences of a data breach have never been more severe. Let’s take advantage of this month’s reminder to put our best cybersecurity foot forward at this critical time.