Solve the top cybersecurity risk by doing this one thing

Do you know what the top cybersecurity risk for many organizations is?

If you said patching, vulnerability management, or email, you’d be wrong.

The top cybersecurity risk for many organizations is the human factor.

Yet, for many organizations, working on the human factor and embedding cybersecurity into your people’s decision-making process is always left for “another day.”


Why should you build a culture of cybersecurity?


In cybersecurity, we’re used to being reactive: cleaning up a malware infection, regaining control of an account whose credentials an employee gave away, and so on.

A culture of cybersecurity is all about being proactive, just as we’re used to being in our safety culture.

What if employees were empowered to think cyber-secure before they act, never compromise cybersecurity for quick results, and apply cyber-secure practices in every task completed?

Would this proactive approach give you better confidence that your business is cyber-secure?

If you’re still on the fence, consider this:

Proofpoint, a cybersecurity and compliance company, found in its 2019 Human Factor report that 99% of the cyberattacks it analyzed required human interaction to execute.

That means that of the attacks they analyzed, only 1% didn’t require someone in the organization to take some action. Imagine if we could stop even some of those actions. Would that reduce our risk?

By encouraging employees to report unsafe cybersecurity practices, we can also reduce the risk of insider threats. The numbers there were climbing in 2018, too: 54% more organizations recorded a growth in insider threats in 2018 (ENISA Threat Landscape Report 2018).


We’re not talking about just writing a policy and having the CEO promote it at the quarterly town hall.


We’re talking about working to ensure everyone includes cybersecurity in every decision they make.

That includes everyone, from the CEO down to the front-line workers.

Encourage the cyber-secure and cyber-safe behaviors you see, and take corrective action on the cyber-unsafe practices you see as well.


Leadership modeling cybersecurity solidifies buy-in.


One common misconception is that cybersecurity is just for the “workers.” In reality, everyone in an organization plays a collective role in the organization’s cybersecurity.

Any effective culture stems from employee buy-in. However, to achieve that buy-in, employees need to feel that the desired outcome is believed and practiced by leaders in the organization.

Leaders are the ones who set the tone in an organization. They model what is acceptable and valued. In other words, you need to practice what you preach: if leaders require employees to practice good cybersecurity behaviors, then leaders should as well.

Understanding this at the executive level removes the barriers to promoting and enforcing the culture change, and demonstrates that doing work in a cyber-secure manner is a priority from the top down.


Why should I start from the top? Why can’t I delegate building a culture of cybersecurity?


Many organizations delegate the task of cybersecurity to a team within IT. That team then implements the “task” of increasing the organization’s awareness of cybersecurity, usually through a single yearly awareness-training exercise.

The issue with this approach is that cybersecurity is turned into a compliance task: quickly complete the yearly training module, and then it’s back to the old habits.

It shouldn’t be a surprise that cybersecurity is a process of continuous improvement, just like other organizational concerns such as safety. Why not continuously monitor and promote good cybersecurity behaviors year-round, and reinforce the ones that are going to protect your employees and your company?

Not only that, but cybersecurity needs to be taken into account in every decision, with coaching coming right from the top down. Having everyone from the executive level to the front-line workers participate ensures there are no gaps leaving you vulnerable.


How can I begin creating a culture of cybersecurity in my business?

Develop a system to encourage positive cybersecurity behaviors and correct negative behaviors

It can be built effectively using the same approach that is used for safety. Encourage the cyber-secure and cyber-safe behaviors you see, and discuss the practices that are not, along with their corrective actions.


Include cybersecurity in performance reviews

Document in performance reviews how actively employees practice good cybersecurity behaviors in their daily work, and include KPIs to measure it.

Unlike the usual generic compliance training, this allows the employee and their leader to identify specific gaps and find training specific to those topics.


Provide mandatory cybersecurity training for new hires

Not everyone who comes into your organization is going to have top-notch cybersecurity skills. Including cybersecurity in new-hire training can help ensure all employees start from a baseline. It is also the first place where you can educate people on how to report suspicious behavior or incidents, and how to get help.


Implement cyber-safety moments

Do you have safety moments at the beginning of your meetings? Encourage the addition of cyber-safety moments.

What’s critical here is to provide a plentiful supply of cyber-safety moments for your employees to use. The more comfortable you make it for people, the higher the probability it will catch on.

Plus, they’ll still be learning even if they didn’t come up with the cyber-safety moment.

What are some cyber-safety moments you could write?

  • Basic hygiene (for example, passwords and email)
  • Examples of publicly-reported breaches or near-misses in your industry, or related industries
  • Success stories in avoiding breaches or cyber incidents due to the action of employees in your business reporting suspicious activities or practicing cyber-safe behaviors

Mentor top-level management and business leaders

As we’ve mentioned above, culture change starts with everyone living and breathing it, from the top down.

Educate management and leaders on good cybersecurity behaviors. Actively mentor them on implementing these behaviors in their daily work and mentoring their direct reports to do the same.


Summing it up


If you’re looking to start combating the top cybersecurity risk of the human factor in your organization, developing a culture of cybersecurity is one way to work towards it.

Have you developed a culture of cybersecurity in your business?



3 Mindset Shifts to Improve Your Cybersecurity

I’m sure it’s not surprising that cybersecurity isn’t a destination, but a process of continuous improvement that’s always evolving.

If cybersecurity is constantly evolving, then how could we possibly learn how to keep ourselves cyber secure?

By using a mindset shift.

That means shifting away from looking at cybersecurity as a task to be completed, or a problem to be solved, and towards a continuous process of analyzing whatever situation we find ourselves in along the way and making the best cybersecurity choices.

Does that seem crazy?

Mindset shifts to improve your cybersecurity? Doesn’t make much sense, right?

Think about your personal safety in the real world. Do you put a lock on your front door and call yourself safe? Or do you analyze whether it’s safe to cross the street, make that left turn in your car, or jump off that cliff into the lake below?

Some of this analyzing might be second nature or subconscious, sure. But you’re still analyzing each situation and making a call based on the safety risks you find.

The goal is to begin doing the same for cybersecurity and shift our mindset to thinking this way.

There are three mind shifts we need to make. What exactly are they? Let’s look at them below:


Mind Shift #1: Stop thinking of cybersecurity as tools and methods

Most traditional cybersecurity advice covers which tools and methods you should be employing right now. Tools such as antivirus or multi-factor authentication, and methods such as how to identify phishing emails, are all important.

While these are good right now, at the end of the day they’re all solutions designed to reduce certain cyber risks. They’ll also change as technology or your situation changes.

How do you know how many tools and methods you need, and which ones are applicable to your situation? How do you know how much security is acceptable?

The first mind shift is to understand that cybersecurity tools and methods are solutions to reduce certain risks, just as flu shots are a solution to reduce your chances of getting the flu, or seat belts are a solution to reduce your chances of being seriously hurt in a car accident.


Mind Shift #2: Start thinking of cybersecurity the same way we think of safety

You wouldn’t leave your home with the front door unlocked, leave your tax returns or personal documents in a public place, or cross the street without looking to ensure it’s safe to do so. So why would you do the equivalent on the Internet?

Just as we evaluate each situation we find ourselves in to ensure we’re safe in the real world, we need to shift our perception of cybersecurity. Instead of “we can’t see the risks, so we don’t need to worry about them,” the mindset should be “even though we can’t see any cyber risks, some are still there, and we need to be able to identify them for ourselves.”


Mind Shift #3: Not everyone has the same risk or cybersecurity needs

While everyone has the potential to be a victim of cybercrime, the more we share, communicate, and integrate our lives and businesses with the Internet, the more we open ourselves up to the risk of being caught up in cybercrime.

While for most of us the risk is manageable, there are many factors that can increase your risk level and make you a more appealing target to cybercriminals. Some of those factors include:

  • Wealth
  • Business status
  • Publicity, fame, or large social media followings
  • Frequent travel
  • Internet-connected technologies or Internet of Things (IoT) devices
  • Business or domestic employees

Traditional cybersecurity advice is intended to cast as wide a net as possible and secure as many people as possible. The goal of the third mind shift is for you to understand what your personal situation is, and what in your life might be exposing you to cybersecurity risk. Then you can employ the tools and methods that reduce the risks most applicable to you.

Of course, the list above isn’t exhaustive. It’s meant to get you thinking and considering all aspects of what could impact your cybersecurity, both online and offline.

So, how can we shift our mindset? Stay tuned for our next post!


Don’t Let Your Connected Devices Ruin Your Holidays

Ah, December.

It’s the time of year when we go out and buy our friends, family and even ourselves (You know you’ve done it!!) brand new computers, phones, and *insert gizmo here*.

Connected devices, wearables, drones, and so many other tech gadgets are all making the holidays much more fun.

However, if not configured or set up correctly, these devices could put your personal security and privacy at risk. They could even expose important personal and financial information.

Default credentials

Many of these devices are shipped with default usernames and passwords. This means that the default username and password combination is well known to the manufacturer and its support staff. It may even be written in documentation posted on the Internet.

Yikes. Because of this, it is important to change the default password and even the username, if you can.

If the device will allow you to use a passphrase, then even better! This will prevent anyone from being able to access your device if someone gets on your home network, or if it accidentally gets connected right to the internet.

If your device also connects to the cloud or has an online component (i.e. you log into the manufacturer’s website to use it), it’s a good idea to change that password as well!

Default configurations

Normally, the default configuration these devices are shipped in is ready for you to use immediately. This means that any barrier to the shortest setup-and-go has been turned off.

Often, security features are turned off or optional. It’s a good idea to acquaint yourself with all the features of your new device, security and otherwise. Doing so will help you understand the implications for your personal security and privacy when each one is turned on or off. Then make the decision on which ones to turn on.

Some devices also include administration portals or advanced network administration tools. If you have no intention of using these, turn them off. That ensures an attacker can’t use them either.

Connected directly to the Internet

Most connected devices out there aren’t meant to be connected directly to the Internet.

It’s easy to assume that when you plug the cable into your Internet router or connect the device to your home WiFi that it is only accessible to your home network.

Have you ever actually checked?

It’s important to understand what the Internet needs of your device are and to make sure that your router and network are configured properly, with any port forwarding or other settings that aren’t required removed.

If your device is accidentally left accessible on the Internet it could be easily accessed or hacked. This could expose important personal and financial information, be used as a gateway to access or hack other devices or computers in your home, or be used as a staging ground to hack others.

Two things are also easy to overlook here. First, ensure you’re using a strong passphrase or password on your wireless network. A weak one will only put your connected devices (and everything else on your network) at risk.

Second, do not put your devices on a guest or public WiFi network. Where devices are concerned, these networks can be just as bad as the internet.
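The checks from the last two sections (admin tools off, no unneeded port forwards, a strong Wi-Fi passphrase) expressed as a small audit, as an added example that is not code from the original post. The configuration layout, the sample values and the `REQUIRED_FORWARDS` allowlist are all constructed for illustration; real routers export their settings in vendor-specific formats, so the loading step is left to the reader.

```python
# Added example (not from the original post): audit a home-router
# configuration against the advice above. The dictionary layout and
# every value in it are constructed for illustration.

ROUTER_CONFIG = {  # constructed sample, not a real device
    "wifi": {"security": "WPA2", "passphrase": "password123"},
    "remote_admin_enabled": True,   # admin portal reachable from the Internet side
    "upnp_enabled": True,           # lets devices open their own port forwards
    "port_forwards": [
        {"name": "camera-web", "external_port": 8080,
         "lan_host": "192.168.1.20", "internal_port": 80},
        {"name": "media-server", "external_port": 32400,
         "lan_host": "192.168.1.30", "internal_port": 32400},
    ],
}

# Services the owner has consciously decided must be reachable from outside.
REQUIRED_FORWARDS = {"media-server"}
MIN_PASSPHRASE_LEN = 16


def audit_router(config, required_forwards=REQUIRED_FORWARDS):
    """Return human-readable findings; an empty list means nothing to fix."""
    findings = []
    wifi = config.get("wifi", {})
    if wifi.get("security") not in ("WPA2", "WPA3"):
        findings.append("wifi: encryption is not WPA2/WPA3")
    if len(wifi.get("passphrase", "")) < MIN_PASSPHRASE_LEN:
        findings.append("wifi: passphrase shorter than %d characters" % MIN_PASSPHRASE_LEN)
    if config.get("remote_admin_enabled"):
        findings.append("admin: remote administration is on; turn it off if unused")
    if config.get("upnp_enabled"):
        findings.append("upnp: devices can open ports by themselves; disable it")
    for rule in config.get("port_forwards", []):
        if rule["name"] not in required_forwards:
            findings.append("forward: %s exposes %s:%d on external port %d but is not required"
                            % (rule["name"], rule["lan_host"],
                               rule["internal_port"], rule["external_port"]))
    return findings


def hardened(config, new_passphrase, required_forwards=REQUIRED_FORWARDS):
    """Return a copy of config with the post's advice applied."""
    fixed = {**config, "remote_admin_enabled": False, "upnp_enabled": False}
    fixed["wifi"] = {**config.get("wifi", {}), "passphrase": new_passphrase}
    fixed["port_forwards"] = [r for r in config.get("port_forwards", [])
                              if r["name"] in required_forwards]
    return fixed


if __name__ == "__main__":
    for line in audit_router(ROUTER_CONFIG):
        print(line)
```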

Cloud connectivity

Devices now often include some type of cloud connectivity. This capability may provide extra features, or at times it is required to use the device at all.

When you have a device that includes cloud connectivity, it’s important to understand what information is being sent to the cloud. This is to ensure you know what it’s being used for and how it’s being protected.

If your device is collecting personal, location or other sensitive information and it isn’t protected well, there is a risk it could be lost in a breach.

Start by reading any manuals that came with the device, along with the manufacturer’s website and its Terms of Service and Privacy Policy documents.

Ensure other computers and phones are secure

Do you connect to your device via an app on your phone, or from your computer?

If an attacker can compromise those other computers or phones, they can use them to then attack your connected devices.

Update your connected devices

Check if the manufacturer of your device releases software or firmware updates. If they do, update the software and firmware as often as possible.

Software and firmware are only as good as the humans who create them, and it’s easy for humans to accidentally introduce errors and security holes while writing software. When manufacturers find these errors, they normally release an update to fix them. Updating allows you to get these fixes and plug any holes that an attacker could use.

It will also ensure you have the latest set of security features, since additional features are sometimes released after you’ve purchased the device.

Wrapping it up

Connected devices are becoming much more popular. Not only are they fun, but they can make life much easier. However, they need to be used smartly: if they collect personal or sensitive information or are left unsecured, they could be putting your online security and privacy at risk.

Photo by Alex Knight on Unsplash
