Three Effective Cybersecurity Rules To Live By
By Zack Schuler
Think about all the ways you keep yourself safe every day: locking the door when you leave your home, locking your car in a busy parking lot, staying away from dangerous parts of town. When you actually take a moment to reflect on all these behaviors, it’s clear that you spend a whole lot of your time trying to avoid and mitigate the huge array of threats out there.
Now think about everything you do to address cyberthreats – does the list suddenly shrink? At a time when our lives are becoming more digitized and connected all the time, it’s dangerous to treat cybersecurity as an afterthought. This is particularly true for companies, which are constantly targeted by cybercriminals because they often possess huge amounts of sensitive consumer information, as well as other valuable resources that can be stolen or held hostage. Companies are vulnerable to many different types of digital infiltration.
These are all reasons to treat cybersecurity with the same level of focus and seriousness as all other types of security. With that in mind, let’s take a look at some of the daily rules that cybersecurity professionals live by and consider how they can be applied to your company.
1. Know Who You’re Communicating With
In 2018, business email compromise (BEC) accounted for just under $1.3 billion in reported losses, an amount that surged to almost $1.8 billion in 2019 and continues to increase in 2020. Attackers carry out BEC schemes by posing as an executive, a vendor or another trusted party and tricking employees into granting access to secure systems, disclosing sensitive information or transferring money.
Email is particularly tricky because the underlying protocol does not authenticate the sender: the From address can be set to anything the attacker likes unless the receiving domain checks SPF, DKIM and DMARC, and even then a lookalike domain the attacker registered themselves will pass those checks. This is why you have to be vigilant for signs that a message is fraudulent, such as a display name that doesn't match the actual address behind it, a Reply-To or Return-Path that points to a different domain than the From address, or a domain that is one character off from the legitimate company's. Other threats that rely on fake communications are becoming more sophisticated all the time. This is why companies need to revamp their policies when it comes to decisions about transferring sensitive information or money, from confirming in person or by calling back a number already on file (never one supplied in the suspicious message) to requiring a second approver and multifactor authentication for any change to payment details. One simple rule to live by: Always know who's on the other end of that email or phone call before you disclose or send anything of value.
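The header tells described above can be checked mechanically. The following Python script is an added example, not code from the article or its author: it parses a raw message with the standard library's email parser and flags a Reply-To or Return-Path domain that differs from the From domain, a From domain within two edits of a trusted domain, an executive's display name on an address outside the company, and an Authentication-Results header reporting a failed SPF, DKIM or DMARC check. The trusted domains, executive names and both sample messages are constructed assumptions.

```python
"""Flag common business email compromise (BEC) tells in raw message headers.

Added example for illustration; the domain list, executive names and the two
sample messages below are assumptions, not real data.
"""
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from typing import List, Optional

TRUSTED_DOMAINS = {"example.com"}   # assumption: the company's real mail domains
EXECUTIVE_NAMES = {"jane doe"}      # assumption: names an attacker would impersonate


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typosquatted lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if it is not close."""
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def bec_findings(raw_message: str) -> List[str]:
    """Return a list of human-readable warnings; an empty list means no tells."""
    msg = message_from_string(raw_message, policy=default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    _, return_addr = parseaddr(str(msg.get("Return-Path", "")))
    from_dom = _domain(from_addr)
    findings = []

    # Replies or bounces routed to a different domain than the visible sender.
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {from_dom}")
    if return_addr and _domain(return_addr) != from_dom:
        findings.append(f"Return-Path domain {_domain(return_addr)} differs from From domain {from_dom}")
    # A registered lookalike passes SPF/DKIM/DMARC for itself, so check spelling too.
    imitated = lookalike_of(from_dom)
    if imitated:
        findings.append(f"From domain {from_dom} looks like {imitated}")
    # Executive's name on an address the company does not control.
    if from_name.lower() in EXECUTIVE_NAMES and from_dom not in TRUSTED_DOMAINS:
        findings.append(f"Display name '{from_name}' is an executive but address is {from_addr}")
    # Trust the receiving server's own verdict when it records a failure.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if any(tag in auth for tag in ("spf=fail", "dkim=fail", "dmarc=fail")):
        findings.append("Authentication-Results reports a failed SPF/DKIM/DMARC check")
    return findings


# Constructed sample: a lookalike domain, off-domain Reply-To and a failed DMARC check.
SUSPICIOUS = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@gmail.com
Return-Path: <bounce@mailer-xyz.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer-xyz.net; dmarc=fail
To: cfo@example.com
Subject: Urgent wire transfer

Please wire the attached invoice today and confirm by email only.
"""

# Constructed sample: consistent headers from the real domain.
LEGIT = """\
From: Jane Doe <jane.doe@example.com>
Return-Path: <jane.doe@example.com>
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
To: cfo@example.com
Subject: Board notes

Notes attached.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legit", LEGIT)):
        print(label, bec_findings(raw) or ["no findings"])
```

The checks are deliberately simple and produce warnings for a human to act on, not an automatic block: a Reply-To on another domain is common in legitimate mail from ticketing systems, and a lookalike within two edits will occasionally match an unrelated real domain. The point is that none of them need more than the raw headers, which any mail client can show.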
2. Focus On Behavioral Change
The scourge of any cybersecurity awareness program is what I call check-the-box training exercises. The vast majority of training programs, from HR to cybersecurity, don't even attempt to capture employees' attention and secure long-term behavioral change. This is because companies often implement training schemes to give employees and outsiders the impression that they're addressing some serious problem (sexual harassment or discrimination, for example), but they aren't actually focused on effectiveness. When it comes to cybersecurity awareness, there are many strategies companies can deploy to facilitate long-term behavioral change, such as engaging, narrative-driven cybersecurity content (as opposed to dry and tedious information dumps). There's substantial evidence that narratives are powerful learning tools, and companies can make them even more relevant by discussing the implications of real-life cyberattacks.
The key to effective cybersecurity training is getting buy-in at every level of your company. For example, our company offers all employees friends-and-family use rights. By providing training that an employee can also use to protect their family, you protect your business, because good security habits are now in the employee's own interest.
3. Craft The Right Message
What most people think they know about cybersecurity comes from popular culture and a long list of stubborn cybersecurity myths. For example, we often think of hackers as black-clad renegades hiding away in some shady den that looks like Neo’s apartment in The Matrix and breaking into secure systems from thousands of miles away. But this caricature completely ignores the prevalence of social engineering — the most common form of cyberattack, which requires hackers to deceive and manipulate human beings (BEC is a type of social engineering).
If employees think cybersecurity is just a never-ending battle between IT professionals and hackers that takes place on digital battlefields that they’ll never understand, they won’t know that they’re capable of stopping cyberattacks themselves. You don’t have to be a tech expert to learn how to view suspicious email headers, use a VPN whenever you’re on public Wi-Fi, keep your apps and operating systems updated, and so on.
Security professionals need to educate users to be more critical of the information they share and receive than ever before. This is what cybersecurity training is all about: empowering employees to become cybersecurity defenders themselves instead of relying on someone else to do the job. The best-kept secret in the cybersecurity world is the fact that anyone is capable of spotting and preventing cyberattacks — all it takes is the right training.
And once employees have learned how to protect themselves, their families and their companies, cybersecurity will eventually become second nature — just like locking the door when you leave your home.