If you operate a business that uses a computer, you need a cybersecurity awareness program. That is the single most valuable piece of cybersecurity advice I have to offer. As a matter of fact, in all my nearly 20 years working as a cybersecurity professional, I’ve not seen a single business or industry impermeable to cyberattacks. Not one. According to Gartner, 89% of all businesses, large or small, will experience a cyberattack this year. And 91% of all cyberattacks today target humans. Creating a cybersecurity awareness program for your business is not an option.
A Case Study – Sony Hack
Let’s support that statement with a case study – one of my favorites. On November 24, 2014, Sony was big-time hacked by a cyber group called “Guardians of Peace.” In fact, Sony had been compromised long before that date – important to note if you are trying to prevent attacks. Sony is a textbook case study because of the many areas of business impacted – areas that can affect your business as well. Let’s examine a few incident highlights:
• Hackers stole 100 terabytes of data. (Think: all the data stored in the Library of Congress times 10.)
• Confidential emails and human resource data were leaked to the public. Do you remember all the embarrassingly horrifying things you have said in an email you intended to be private? Did you think what you said was in the past? Do you even want to remember? What would happen if your employees suddenly knew each other’s (and your) salaries?
• Their data and systems were placed on lockdown for days. Partly because of the attackers and partly because the company was trying to protect the business from further harm, the computers, networks, and phone systems were inaccessible for weeks. Employees were sent home. How long can your business survive without its systems and data? Without its staff? Do you have customer information stored outside of your company?
• They were sued by their employees for breach of privacy. Twice. Legal ramifications of cyber breaches are far-reaching and still being explored. Many center around negligence on the part of the business.
• They lost intellectual property. They lost the core of their business – their product. Movies were leaked before their planned release, reducing Sony’s profits and ability to recover production costs. Most companies have some form of IP, and for many, losing it would mean shutting their doors.
• The breach cost Sony hundreds of millions of dollars. Incident clean-up is extremely expensive. It requires expertise that not even Sony had on hand. What’s more, they suffered the cost of intangibles, like loss of productivity, business and reputation.
Sony’s breach reveals both the far-reaching effects of a cyberattack and why you need an awareness program, for two key strategic reasons:
1. To teach your employees cybersecurity best practices. In this case, password safety. Sony’s management team routinely maintained lists of usernames and passwords in a spreadsheet labeled ‘Passwords.’ (Insert eye-roll emoji here.) They regularly sent and stored passwords in unencrypted emails.
2. To train your executives on the dangers of neglecting cybersecurity. Start with them. Teach them in terms of risk (include reputational risk) and cost – a language they understand. Use case study incidents, like the one conveniently bulleted in the previous section, to demonstrate risk. We wrote the previous section so you can literally use it. Keep saying the word “risk” until they start to use it to describe security exposure. Don’t share a single incident without using that word! Trust me, I’ve been doing this for a very long time.
A Note About Compliance
By now you will have noticed that I’ve not even mentioned compliance. Compliance is the single most often cited reason why small and medium-sized businesses implement an awareness program. Compliance is probably why you are bothering to read this far. It used to be the main reason large corporations with sufficient funding implemented it, but not these days. Compliance is critical, especially if you are in a heavily regulated industry like healthcare, finance, or the public sector. (Not one of these? Do you accept credit cards? There are regulations that affect your business, and they include security awareness for your staff.)
So, why not mention it first? For one simple reason: Non-compliance costs less to remedy than experiencing a cybersecurity attack. It makes little strategic sense to implement security awareness that only works for compliance, when for the same cost and level of effort, you can reduce the risk of a cyber breach that can destroy both your profits and your business.
Compliance is necessary and is a goal of implementing security awareness, but it should not and need not be the focus. In a future blog, we will provide in-depth information on meeting the awareness portion of compliance for your business. For now, keep focus on the first step to implementing an awareness program that reduces risk to your business – Getting Started. Don’t worry, we will help you make sure it meets compliance checkboxes. Who are we? We are a security awareness consulting business passionately devoted to addressing the ever-growing, human-risk side of cybersecurity. More about us here.
Start small and start with the executives, leadership team, and founders. We’ve created a tool to guide you – a list of talking points that can be used to brief them on the need for an awareness program. Don’t make it a separate meeting. Keep it light: add it to the regularly-scheduled agenda and consistently devote 5-10 minutes to cybersecurity events and potential areas of risk to your business. Encourage them to agree to a simple email or newsletter piece focused on teaching staff one simple cyber best practice, for example, that passwords should not be stored in a way that is easy for someone to access, and refer staff to the related company policy. We will supply you with a steady stream of cybersecurity awareness-related news incidents and articles – the hackers are busy keeping us busy. Sign up for our monthly newsletter and best of luck. If you’d like a consult, we are here to help.