“Ultimately, the security chain is as strong as its weakest link and once a cybercriminal has compromised one account – even a junior employee – they can then leverage that account and move upwards through the organization, eventually getting to the final target like the CEO or CFO,” Mark O’Hare explains.
That’s why everyone, from the executive suite to the front desk and back office, needs to be involved in promoting and protecting cybersecurity.
Here are five steps to get started:
1. Identify a project champion and leadership team.
“Cybersecurity should not be an afterthought; it needs constant focus and attention to be effective,” O’Hare says. “Without a high-level champion there is no backing of the security program and it will lose its effectiveness.” The champion should have the trust and the ear of the executive team and be able to secure the necessary financial and human resources. He or she must have a personal stake in the project’s outcome, such as being held accountable for its performance and results. A project leader or manager handles the strategic and tactical work of a team charged with developing and executing cybersecurity communications and training. Build out the team with employees from different departments and at different organizational levels to ensure a diversity of insights during the planning process. This also shows employees that this is truly an all-organization endeavor. It’s especially important to have someone from training and learning/human resources and from public relations on the team, since they are your internal experts on teaching and communicating.
2. Perform a threat assessment and internal audit.
This is the best way to understand the kinds of threats aimed at your organization, and gives you a clear sense of vulnerability to them. Your IT team may be able to perform these tasks, but the American Institute of Certified Public Accountants (AICPA) encourages organizations to work with an outside vendor specializing in cybercrime. The review should include encryption and archiving requirements, data residency, and the technology and processes related to privileged credentials, email wire transfer requests and the sharing of personally identifiable information via email.
At the very least, launch an email threat assessment audit of your existing email security system to understand how many suspect emails – garden-variety spam or bona fide attacks – are getting through. Recent email security data from Mimecast shows that 24% of “OK’d” emails are actually suspect, and many of those carry malware or impersonation attacks.
3. Review general risks.
Make sure your staff is familiar with the most prevalent forms of email-based cybercrime, such as:
- Ransomware. This malicious software takes control of your computers or their data when a user clicks a malicious link, downloads a file or opens an attachment, so that the cybercriminals can demand ransom money in exchange for restoring access. Ransomware attacks like WannaCry and Petya showed us that organizations of every size are at risk. “People who say, ‘I’m not doing anything interesting, I don’t have anything that hackers would want.’ – it may not matter,” notes Jamie Winterton, director of strategy at the Global Security Initiative at Arizona State University. “Your system has the right kind of profile, and could be locked up whether you’re an individual or a small business or a huge company.”
- Email Impersonation Fraud (Whaling). Savvy scammers can easily impersonate a CEO or senior member of your organization by scanning social media accounts, websites and search results to create authentic-looking and authentic-sounding emails requesting everything from wire transfers to highly valuable information like W-2 forms and other confidential data. While any top-level executive is at risk of being impersonated, the CEO, CFO, and chief legal counsel are the most frequently spoofed in a whaling attack. And not just at large organizations: even small companies and nonprofits should be on the lookout for this kind of fraud. “You should not feel immune because you are the most vulnerable and the least knowledgeable about it,” says Jessica Robinson, CEO of New York-area security firm PurePoint International.
- Email Wire Transfer Fraud. The data shows that a lot of well-meaning employees are falling for this kind of scam, in which an email from an official-looking source, such as a long-time external contractor or an internal colleague, requests a wire payment. Sometimes, scammers say they’ve switched banks and offer new routing information for their own bank (not your vendor’s). Frequently, fraudulent internal requests are time-boxed so the recipient feels a lot of pressure to comply, often skipping important verification steps. Implement a strict policy on how, when, and whether wire transfers can be done. “Do not rely solely on the email, do not rely solely on a phone call – also known as vhishing, for Voice Phishing or VoIP Phishing,” says Mimecast’s Product Marketing Manager, Security, Bob Adams. “There needs to be a protocol in place to allow, authorize, and process a wire transfer within the business.”
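The whaling and wire-transfer patterns described in the list above (an executive's display name on an outside address, a lookalike sender domain, a Reply-To that points somewhere else, and an urgent payment request) can be turned into a simple mailbox-side triage check that routes suspect messages to the out-of-band verification step the policy calls for. The following Python script is an added example written for this article; it is not code from the article's author or from Mimecast. The domain `example.com`, the executive names in `EXECUTIVES`, the keyword lists and the two sample messages are all constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed configuration (assumption): the organization's own mail domain and
# the executives most likely to be impersonated, keyed by the display name
# a colleague would expect to see in the From header.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {
    "Jane Doe": "jane.doe@example.com",   # constructed CEO identity
    "John Roe": "john.roe@example.com",   # constructed CFO identity
}
PAYMENT_WORDS = re.compile(r"\b(wire|transfer|routing|bank|invoice|W-?2)\b", re.I)
URGENCY_WORDS = re.compile(r"\b(urgent|immediately|today|asap|right away)\b", re.I)


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str, trusted: str = INTERNAL_DOMAIN) -> bool:
    """True when domain is not the trusted one but within two edits of it."""
    domain, trusted = domain.lower(), trusted.lower()
    return domain != trusted and _edit_distance(domain, trusted) <= 2


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_message(raw: str) -> list:
    """Return a list of findings for one RFC 5322 message; empty means nothing suspicious."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(addr)
    findings = []

    # 1. Display name matches a known executive but the address is not theirs.
    expected = EXECUTIVES.get(name.strip())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' used with unexpected address {addr}")

    # 2. Sender domain is a near-miss of the organization's own domain.
    if lookalike_domain(from_domain):
        findings.append(f"lookalike sender domain {from_domain}")

    # 3. Reply-To steers replies away from the sending domain.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain")

    # 4. Payment request combined with time pressure: hold for out-of-band verification.
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    if PAYMENT_WORDS.search(text) and URGENCY_WORDS.search(text):
        findings.append("urgent payment request: verify through an independent channel before acting")
    return findings


# Constructed sample messages (not real traffic).
SPOOFED = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@webmail.test
To: accounts@example.com
Subject: Urgent wire transfer

Please wire the payment today; I am in a meeting, new routing details attached.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 planning

See you at the offsite.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legitimate", LEGIT)):
        print(label, "->", analyze_message(sample) or "no findings")
```

Each finding on its own is only a signal: executives do mail from personal addresses, and partners' domains can legitimately resemble yours. The value is in combining them with the policy the article describes, so that any message carrying these markers triggers a phone call or in-person confirmation rather than a payment.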
4. Include personal risks. Get more buy-in from staff by including tactics that threaten their personal accounts, such as how to protect your Gmail and Facebook accounts, per O’Hare.
5. Focus your efforts. Develop awareness and training programs that address your known and anticipated vulnerabilities and threats. Your goal is to give people enough information to be vigilant about cybercrime without feeling like it’s too big a problem to address, or that they’re going to make a giant mistake every time they open an email. “We’ve instilled a lot of cyber-fear in people, and it’s actually working against them,” Winterton notes. “We’ve scared people out of best practices, and I think that’s something that we as technologists need to be aware of.”