Employees on the front lines of protecting critical data
Companies spend millions keeping hackers out of their systems, but just one nasty phish can devour that hard-earned money.
Employees who fall for phishing scams can be unwitting aids to cyber criminals who bypass security measures and wreak costly havoc on a company's information systems.
Stamford, Connecticut-based market research firm Gartner Inc. said worldwide spending on information security reached $75.4 billion in 2015, up 4.7% from 2014. Business disruption was the highest external cost of cyber crime, according to a 2015 report by the Traverse City, Michigan-based Ponemon Institute L.L.C., followed by the costs associated with information loss.
Analysts have several recommendations to keep hackers out of the corporate system, such as constant training and education of all employees — including the C-suite.
Matt Chmel, Chicago-based assistant vice president at Aon Risk Solutions' financial services group, said having the proper software and systems in place to block phishing emails is critical to prevent data breaches.
“The less opportunities that employees have to click on those links, the less likely they are to do so, obviously,” Mr. Chmel said.
Mac McMillan, co-founder and CEO of CynergisTek Inc. in Austin, Texas, said cyber threats “are not something you're going to solve with a technical fix or putting a Band-Aid on it.”
“You have to think like a bad guy,” Mr. McMillan said.
Among other recommendations, he said companies should strengthen internal security so hackers who do get into the system can't pass the “front door.” Organizations also can block addresses that are known for cyber threats.
He said organizations that run phishing exercises four to eight times a year see the number of people who click on phishing messages drop, and, more importantly, the number of people who do it twice declines even more.
Steven Schwartz, president and founder of Global Cyber Consultants L.L.C. in New York, said “hacking a human is easier than hacking technology,” and he advises companies to move beyond simple training.
“It all stems from the top,” he said. “It's a combination of awareness and motivation. They need to feel like they're part of something. It doesn't matter if you're an intern or the CEO, if you leave your laptop unlocked at Starbucks when you go to the bathroom, you could have the best technology in the world, but somebody is going to have full access to whatever they want.”
Mr. Schwartz said constant training and persuasive techniques can change employee behavior so it becomes instinctive, “like putting on a seat belt.”
“Employees really present the greatest risk to companies when it comes to their cyber security strategies,” said Adeola Adele, employment practices liability product and cyber thought leader at Willis Towers Watson P.L.C. in New York. “Whether a company pays attention to its workforce culture directly impacts its cyber security. Companies, from our perspective, can conduct these training exercises to weed out things like phishing, but at the end of the day, there needs to be a culture of awareness and incentivizing employees to be cyber-secure.”
“A lot of failures we see in the phishing training are from high-level executives or from tenured employees,” Mr. Chmel said. “A lot of the employees feel like they don't need to participate in the training because they already know about the organization. The executives may think they're immune to it because they're obviously at the executive level.”
Robert Parisi, Marsh L.L.C.'s managing director and national cyber risk practice leader in New York, said some firms conduct their own phishing scams to keep employees aware of the problem.
“When I talk to the information security guys,” he said, “they will tell us almost uniformly that the cheapest and, frankly, most effective information security tool they have is basically training the employees and the users about good digital hygiene. ... You're never going to get zero, but if you get to the point of taking away the obvious (attacks), you really make a client a less risky company from the point of view of information security.”
Mr. Parisi said employees also should be aware of suspicious people around the office. If someone is mopping the same section of the floor for an hour, the person is likely a lookout for someone hacking the system, he said.
Hackers have left thumb drives on keychains in company parking lots in the hope that an employee takes one and inserts the drive into the system to find the owner, only to unknowingly unleash a virus into the system, Mr. Parisi said.
Mr. Chmel said security firms also have used the technique to test employees.
“Send the keys over to lost and found,” Mr. Parisi said. “You don't need to be a detective.”
Mr. McMillan said cyber insurance can be useful for smaller breaches, but serious break-ins can quickly exhaust insurance coverage.
“One of the habits I hate about insurance companies is that they tend to identify companies that organizations can work with,” he said. “They should be focusing on the standards or the principles the organization's security program is built around and the controls that they have.”
Particularly for small and midsize businesses, cyber insurance gives them access to a forensic analysis when there is a loss, which Mr. Parisi said “makes them a better risk for the insurance company.”