Cyber month is here, and so are Fall smells and sounds. The goal of cybersecurity month is to raise awareness, and give individuals a greater sense of their own role in protecting people and businesses. This year’s theme is “See Yourself in Cyber,” and is a reminder that despite regulations, anti-virus software, and all the other protections in place, the reality is, cyber is all about people. People are the beginning and end of most cyber issues, for better or worse.
The Spooky Reality:
- Verizon’s 2022 Data Breach Investigations Report (DBIR) revealed that 82% of data breaches occur due to the human element
- According to the FBI’s Internet Crime Report 2021, the federal agency’s Internet Crime Complaint Center (IC3) received 847,376 complaints (up 7%) last year that caused losses of nearly $6.9 billion
- The Internet Crime Report 2021 noted ransomware and business email compromise (BEC) are two of the most commonly reported cyberattacks
What do all of these statements mean? That hackers rely on humans to execute cyber crime. The hard truth is that our best resource, people, can be our biggest liability when it comes to cyber incidents. So what can we take away from these startling statistics and how can we improve our cyber readiness? The simple answer is culture, training, and focusing on people!
Let’s talk about action: things you can implement today to avoid becoming a cyber statistic.
- Get the lay of the land: Do you have cyber policies for company equipment? Do you have training for employees at all levels of the organization? Do you have a detailed list of the hardware and software in your organization? If the answer is yes, you’re off to a great start; these metrics provide an important starting point. If the answer is no, don’t fear, simple steps can get you here! Start with a plan: create a list of hardware and software that is permitted in your organization. Next, create a training plan: what to train, who to train (everyone!!), and how often to deploy initial training and refreshers.
- Focus on the culture: Does the CEO or owner of the company attend training for cybersecurity? Do all managers have to complete cybersecurity training? Do you avoid training workers who “don’t use much technology”? The reality is that far too often cybersecurity is not a top-down initiative. Requiring only middle managers to complete training is a real missed opportunity. Sure, they can relay information up and down the ladder, but the true definition of a solid cybersecurity posture is involving all staff, from the CEO on down to the most junior employees. If the whole organization knows that cybersecurity is a priority, all parties will better understand their role in keeping the organization secure.
- Bring cybersecurity to them: As we discuss and implement cybersecurity measures, it is important to relate that information in a way that is understandable to all employees, not only in the terminology, but also by citing examples of how cybersecurity impacts small businesses. Sure, the Target hack or the Colonial Pipeline hack are big (and important) news stories, but do they hit home for a company of 12 employees? Probably not. But when we use common-sense terminology and relate cybersecurity stories from small and midsize businesses, our employees can see themselves as a part of the problem (and, hopefully, the solution).
- Train, refresh, retrain: It may sound redundant at this point, but I should repeat the statistic I started with: “Verizon’s 2022 Data Breach Investigations Report (DBIR) revealed that 82% of data breaches occur due to the human element”. What does this really mean for your small business? That a company can purchase the right security equipment and software, have good policies in place, and still get hacked. Why? Because the emphasis of most cyber defenses is on machines, software, and third parties, yet the data tells us that more than 8 out of 10 cyber breaches are the result of human error. The training element is vastly underutilized as part of a holistic cybersecurity posture. We are oddly focused on investing in firewalls, anti-virus software, and other costly security measures, while the data tells us that investing in people is the biggest shortcut to cyber safety. Allocate time and resources to the single biggest attack surface of your organization, the amazing people who work with you!
The short story is, cybersecurity is really all about people. It starts with awareness of the threat, policies to manage the threat, and instilling a culture of security, top to bottom. Focus on the people you employ, the threats they face, and the best methods for avoiding cyber attacks.
Not sure where to start? Check out the best free resource designed specifically for small businesses: