Cybersecurity culture

Security software and internal controls are vital when promoting a cybersecurity culture. But training is also of paramount importance, so your people recognize cyber risk and act accordingly.

BPM Partner Fred Rica addresses the importance of promoting awareness about current cyber risks and emerging trends, to foster a cybersecurity culture that protects organizations against risk.

With the technologies available to monitor and mitigate all varieties of risk, today’s CIOs, CTOs and CROs can be forgiven for trusting that aggressively combating cyber risk ensures a safe operating environment.

But ensure is the wrong word. No organization is impregnable. Phishing. Spoofing. Identity and data theft. Ransomware. All sorts of targeted penetrations continue to plague even organizations with robust controls. And, according to Firewall Times, fully 98% of security breaches rely on some form of social engineering to succeed.

Promote a risk-averse cybersecurity culture through cyber awareness

Companies cannot rely on technology alone to prevent data loss, identity theft, intrusions and ransomware. They must foster a cybersecurity culture of continual awareness, educating executives, staff, contractors and vendors about emerging risks and how to respond to different scenarios.

Social engineering attacks are becoming more sophisticated and more prevalent as more powerful artificial intelligence becomes available. Attackers use AI to aggregate information from across the Web, including social media platforms, and to turn it into tailored, convincing lures at speed.

Anyone with access to an organization’s privileged information can be a target. Individuals with social media profiles that include professional affiliations, work and travel schedules, personal and family information, and more need to recognize that all such information is often unsecured, searchable using “bots” and liable to be used in a social engineering attack.

It is not hard to imagine the nefarious uses that information garnered from innocuous postings on social media sites could be put to by bad actors aided by AI. AI-driven voice imitation software now allows fraudsters to impersonate colleagues, friends and even family members.

Ensure employees recognize top cyber threats

Despite advances in software to address cyber risks, the most urgent security exposure at most organizations continues to be the person fooled by an artfully crafted, apparently legitimate request for information: an unsuspecting individual who clicks a hyperlink in an email, or an inattentive employee lured into entering data on a fraudulent website.

Attackers can send countless thousands of spoofing emails or phishing attempts. They need only one or two to succeed. An accounting clerk could be swayed by an email written the way their boss writes — that “boss” claiming to be traveling and needing to confirm a bank account number before effecting a wire transfer. One unthinking click-or-send yields vital financial or personal information. And don’t forget the tired road warrior who logs in to public Wi-Fi, and then starts downloading and sending proprietary information over an unencrypted connection.

Organizations also should not overlook controls such as multi-factor authentication, which can limit what a successful social engineering attack yields. One caveat: one-time codes delivered by SMS or an authenticator app can themselves be relayed by a phishing site in real time, so phishing-resistant methods such as hardware security keys are the stronger choice where they can be deployed. One successful lure can mean an attacker infiltrates core financial systems and/or customer data files, stealing data and locking systems down. Then an organization learns the hard way that it has become the victim of an AI-engineered spoofing effort or ransomware attack.

At best, their bank account may be down $5,000 — or $50,000. At worst, the millions in ransom paid, lost data and halted operations cost companies much more.

Six practices for building a cybersecurity culture

The cyber battle is never won. Every organization is a target, and small and mid-sized companies without large cybersecurity budgets or resources are at disproportionately higher risk. It’s vital to build a cybersecurity culture that embraces robust cyber-awareness training and education programs. Defenses must be constantly evaluated. Are you doing all you can to combat cyber risk? Rules of thumb include:

  1. Go slow – Employees should never act immediately on an unexpected request. Train them to pause long enough to consider the possibility that it may be fraudulent.
  2. Be skeptical – It’s human nature to want to help, and bad actors exploit that emotion. Teach employees to apply a healthy dose of skepticism about requests that seem out of the ordinary.
  3. Ask permission, not forgiveness – Teach employees to fight the urge to act alone and execute. Employees should solicit advice and a second opinion about anything problematic.
  4. Ask, learn and empower – Learn from what employees say they see in their inboxes. Coach them on varieties of deep-fake exploits. Ensure they know cybersecurity is worth the time they take to counter it.
  5. Follow procedures – Develop processes and controls to define “normal” and address risks, identifying those most critical; examples include double-checking approvals on any fund transfer, prohibiting same-day wires and ensuring data exchanges are secure. Well-documented and distributed procedures relieve employees of the burden of making potentially critical security decisions by prescribing responses to common social engineering situations.
  6. Plan your response – No one can eliminate all cyber risks, but having a cyber-incident playbook for business continuity and responding to a data breach or ransomware attack is vital. Doing so limits damage, simplifies decision-making and lessens costs.

If you’ve been hacked, you know what the risks are. If you haven’t, assume you will be. Today’s organized cyber criminals and state-sponsored hacking “mills” have only become more dangerous since the U.S. Department of Homeland Security began promoting October as National Cybersecurity Awareness Month 20 years ago. In the last decade, the effect of AI on attackers’ social engineering reconnaissance, including exploits such as so-called deepfakes, has only become more profound.

Savvy people make the organization resilient. Leaders must set the tone for a risk-aware cybersecurity culture, in how they message about cybersecurity and in how they “walk the talk.” Employees attuned to risk, who know their responsibilities and who exercise good judgment markedly reduce an organization’s attack surface. To achieve such awareness across the business, ongoing education is key.

For more information on cyber-risk mitigation strategies, contact us.


Fred Rica

