As businesses are spending millions of dollars on technology and software to protect themselves from cybercrimes, they may be missing a leading cause of cybercrime by not investing their money in training their own employees.
Human error is the leading cause of cybercrimes, according to BakerHostetler’s 2016 Data Security Incident Response Report. Some of the most prominent companies learned that all too well in the last calendar year, as costly mistakes by their employees left their business vulnerable to hacks.
In the spring of 2016, Snapchat was the victim of a phishing scam, where hackers posing as the CEO convinced an employee to email them the personal information — IRS Form W-2 data — of about 700 current and former employees of the organization. This included employee names, Social Security numbers, wages, stock-option gains and benefits. Shortly after the information was released, the employee realized that the original request was not legitimate. Everyone affected by the scam was quickly notified and offered free credit monitoring and identity theft insurance.
A human mistake was also the leading cause of a recent breach of Premier Healthcare, a multispecialty healthcare provider. After the billing department failed to secure its computers, a laptop computer was stolen from its headquarters. The electronic protected health information (ePHI) that could have been accessed from the single laptop could affect roughly 200,000 patients. The laptop was password-protected but not encrypted.
Employees reported the stolen laptop as soon as they realized it was missing, and the company took a number of steps to locate the laptop and identify the thief, including notifying patients and filing a police report. Fortunately, the laptop was returned and a comprehensive forensic analysis revealed the laptop had not been powered on since it went missing.
This year, Snapchat, Premier Healthcare and every other business big, medium or small, must invest in cybersecurity protection. They have to prepare their employees for the worst.
Here are three cybersecurity resolutions that offices need to make going forward:
(Photo: Shutterstock)
1. Train employees with gamification.
In addition to sending around a list of dos and don’ts on how to prevent cyberattacks to employees, companies could get more creative when it comes to training their staff. Businesses should consider using gamification for training exercises to present real-life scenarios to employees.
One way to do this is by having “pretend” hackers try to obtain proprietary information from employees. If an office doesn’t properly react, it could provide as a great lesson for everyone. If they react correctly they could win a prize. Every employee poses a risk, so training each individual is a critical element of cybersecurity.
(Photo: Shutterstock)
2. Testing your response time.
Hackers are always going to be one step ahead due to the ever-changing cybersecurity landscape. In preparation, companies must have a cyber response plan in place and need to be ready to respond to multiple scenarios.
Employees need to understand how to identify risks and the appropriate individuals or departments where they should report findings. In addition, every employee should be taught best practices, like how to create stronger passwords or how to spot suspicious emails, so that they can use good judgement when online. If you suspect something, report it.
(Photo: Shutterstock)
3. Protect your crown jewels.
The most important thing that business can do is identify their “crown jewels,” which are their data assets that are most critical to their organization and customers. Once the crown jewels have been identified, a company’s security team can establish targeted cybersecurity controls to insure this data is secure and recoverable.
While doing this, companies should make sure to conduct a penetration test to find out if their most important assets are vulnerable to hackers. This approach will save time and money. It’s not practical or cost effective to put the same level of protection on all data, so target the data that’s most important to the business.
Christopher Roach is the National IT practice leader and a managing director in the Risk & Advisory Services practice for Cleveland, Ohio-based CBIZ, Inc. Roach can be reached at croach@cbiz.com.
Originally published on PropertyCasualty360. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
