Cybersecurity is an issue that affects every internet user, and every business that operates on the web. Despite this, many businesses do little or nothing to protect themselves, or their customers, from cybercriminals, leaving them exposed.
The companies that build our computers, devices, and software do their best to protect us from cyberthreats by pre-installing anti-virus software, and outfitting our operating systems with firewalls. However, they can do little to protect us from the human element in every system: ourselves. A small survey of 1007 Australian workers by the insurance company comparethemarket.com.au suggests that nearly half of employees have put their employer at risk of a cyberattack, with medium and large businesses at greater risk than small businesses.
To protect themselves, businesses need to take proactive steps to identify and manage cyber-risks, particularly those posed by their own employees. That means educating themselves and their workers about cybersecurity, and creating procedures and policies to keep sensitive data protected.
Businesses need to understand cybercrime to take it seriously
The first step to dealing with any problem is to acknowledge its existence. Business leaders often simply ignore cybersecurity as an issue because it doesn’t feel real. In many ways, the intangible nature of the internet prevents people from taking it seriously until after they become victims. Even then, businesses often fail to take appropriate action because they don’t know what to do. Before they can fight back against cybercriminals, businesses need to first understand their motives and methods.
What do cybercriminals steal?
Data breaches aren’t one-size-fits-all. In some cases, a criminal might be looking to steal employee and customer data, such as credit card numbers or contact information. Others will remotely install ransomware on a business’ devices to lock them down, and then demand a ransom to restore access. Lastly, some criminals might be involved in corporate espionage, hoping to steal competitors’ trade secrets.
How do they operate?
Most cybercrime is committed digitally, through the use of Trojans, viruses, and other types of malware. However, it’s a mistake to assume that good digital data protection is enough. In the end, data can only be as safe as the people who access it every day. Cybercriminals can, and frequently do, manipulate employees to gain access to secure systems, for example by impersonating a desperate employee to get login data. Alternatively, they might attempt to hack into the unsecured personal devices of employees to gain access to their email accounts.
Educating employees about data security
Employees commonly engage in a lot of risky behaviours. This is either because they aren’t aware that they’re putting their company’s data at risk, or because they underestimate the odds that they’ll be targeted. Before they can put a stop to these behaviours, businesses need to take the time to teach employees to recognise a security threat when they see one.
The most common risky behaviours include opening email attachments from unknown senders, opening links in emails, downloading apps or unknown software from third parties, and forwarding “viral” emails to friends and coworkers, where the original sender is unknown. Emails, in particular, are a major threat that needs to be taken very seriously. 1 in 728 emails received by Australians is contaminated with malware. That might not sound like much, until you consider that many professionals receive more than that many emails every week. A medium-sized company with 60 employees can easily expect to receive a few malware attachments or links every day.
Introduce procedures to protect sensitive data
While educating employees about data security risks is a helpful step, it’s not enough. Ultimately, employees are individuals whose curiosity will prompt them to sometimes open an attachment, whose empathy will prod them to help a coworker in a pinch, and who might have work-related data on their personal devices. Policies and procedures provide employees with clarity on whether and how to respond to different situations in a way that will minimise data security risks. For example, employees who want to know what’s behind a link in an email can be trained to test the link using a third-party app before actually opening it.
The key to managing data security risks is to understand that employees may have vulnerabilities just as a business’ computer systems might. By taking the time to focus on the human aspects of cybersecurity, businesses can turn their employees into part of their cybersecurity solution, rather than a potential liability. Well-trained employees who follow clear procedures, for example, can be helpful in detecting cyberthreats, allowing businesses to respond quickly, and to take technological measures to head off future threats.