Managing Cyber Risk: Shore Up Your Weakest Link with Awareness Training!

Cyber risk management is a daunting proposition with many elements. But, as cybersecurity experts from Carnegie Mellon University (CMU) have pointed out, organizational culture tops the list—and ongoing security awareness training is critical to a cyber-aware culture.[1] After all, protection is only as good as your organization’s weakest link, and that means employees: an IBM/Ponemon Institute study found that about 90% of breaches are initiated by human error.[2]

Your cyber risk management policies can have you locking down systems, inspecting data packets and using security controls to identify malware. But if just one employee hands over their credentials or clicks a link that installs spyware, your entire network can be compromised. That’s why enterprise-wide cybersecurity awareness is so crucial. And, because cyber attackers’ techniques hackers are constantly shifting, employee awareness training is a never-ending story. As the CMU post notes, “ongoing training is required to maintain expertise and deal with new risks.”

The following are five primary ways threat actors are attacking your enterprise, probably as you read this, each with suggestions for how your organization can ratchet up its relevant cyber risk management—with emphasis on employee awareness training.

1. Awareness Training is Key to Phishing Defense

Nowhere is the expression “people are the weakest link” more apparent than in phishing attacks. Cyberthieves use deceptive methods to trick workers—including C-level executives—into clicking links that compromise credentials and sensitive data. The most common methods involve “spoofing” e-mails to look authentic, including graphics and text. And once you enter your personally identifiable information (PII) or login credentials at a fake site, the hackers and attackers have access to your device, and perhaps the network. Today, cyber criminals are finding more success than usual by preying on people’s anxiety over the coronavirus pandemic.

Here are some ways to combat phishing attacks, including approaches you should be training employees on:

• Examine text and graphics closely. Look for oddities or errors.
• Hover your mouse over a link to see if it’s authentic and it matches.
• View the return path on e-mails to determine whether it’s a match with the person or company sending the message.
• Use software that blacklists misspelled and fake URLs. For example: com or Minecast.com.
• Customize stationery and use unique identifiers to make spoofing more difficult.
• Use multifactor authentication and require phone approvals for larger transactions and to avoid CEO fraud.
• Focus on employee awareness training, including top executives.

2. Defending Against Malware Attacks

Today’s networks have no real borders, and viruses, trojans and other malicious payloads are more treacherous and spread faster. These include macro viruses, polymorphic viruses, file infectors, trojans, worms, logic bombs, spyware and ransomware. The latter is particularly dangerous because it can encrypt files and shut down your organization’s IT systems for hours or days—or prevent you from accessing business critical files and data, unless you pay a hefty ransom—sometimes into the millions of dollars.

To help combat malware and ransomware:

• Use antivirus and malware detection software on every device.
• Ensure that all endpoints, including IoT devices, are protected.
• Train employees not to open attachments unless absolutely certain of their safe origin.
• Back up all files regularly. The ability to restore systems to a very recent state can render a ransomware attack ineffective.

3. Protecting Mobile Devices

Laptops, smartphones and tablets are all indispensable tools for the enterprise. But they come with risks. Lacking proper controls, employees might download rogue applications that spy and mine data, or they might send critical and sensitive data to outsiders, either intentionally or inadvertently. Effective cyber risk management addresses this issue through a device management framework.

To improve mobile device security:

• Establish clear policies to address the use of devices and the apps employees may use.
• Conduct employee awareness training about safe use, including about public WiFi and about leaving mobile device unattended.
• Use a mobile device management (MDM) solution to provide visibility into users’ devices and let security professionals manage their functions.
• Establish clear rules and controls for application downloads and what data (GPS, voice, image, etc.) can be sent and received.

4. Safeguard Against Application Attacks 

Vulnerabilities often reside within application software, and cyber criminals exploit them. The Open Web Application Security Project (OWASP) keeps a top 10 list of web application security risks, which can give you clear idea of how risky application security is and what problems can occur.

To improve security of home-grown applications:

• Establish realistic organizational goals and a framework that supports sound coding practices.
• Train developers so they can stay informed about vulnerabilities and common coding mistakes.
• Identify and prioritize the riskiest flaws.
• Use passive and dynamic application scanning tools to spot and rectify coding errors.
• Introduce policies and processes that reward good coding practices.
• Pay attention to your organization’s use of open-source code libraries and repositories. These can improve speed, quality and security—but may also introduces new risks.
• Use metrics to measure fix rates.

5. Prevent Eavesdropping 

Hackers and attackers often rely on insecure networks to intercept traffic and worm their way through unprotected devices into your corporate network. An eavesdropper can steal passwords, account information, credit card data and more. Your enterprise network may be vulnerable, but a bigger risk is public Wi-Fi networks, including at coffee shops and hotels.[3] Passive eavesdroppers lurk on unsecured networks and intercept data, while active eavesdroppers disguise themselves as system friendly users through probing and tampering techniques.

To combat eavesdropping:

• Restrict the use of laptops, smartphone and other devices on open Wi-Fi networks.
• Encrypt all sensitive documents and e-mails at rest and in motion.
• Require a virtual private network (VPN) for company business. It establishes a secure connection between two devices.
• Use strong authentication techniques, including multifactor authentication and single sign on (SSO) to reduce the risk of compromised credentials.
• Offer employee awareness training about data security best practices when working in public spaces.

The Bottom Line

Cyber-risks are growing—and cyber risk management is an imperative. All the protections in the world can come crashing down if an employee succumbs to a phishing e-mail or uses an unsecured Wi-Fi network. Cyber resilience hinges on a combination of solutions and processes, with a special emphasis on cyber employee awareness training..

[1] “7 Considerations for Cyber Risk Management,” Carnegie Mellon University

[2] “2017 Cost of Data Breach Study,” Ponemon Institute

[3] “Protecting Against Wi-Fi Eavesdropping,” TechGenix