Sun Tzu once stated: “The supreme art of war is to subdue the enemy without fighting.” Two and a half thousand years later his rhetoric stands the test of time, as today we are seeing this ancient ideal applied in the most modern of battlegrounds: the fight against cyber-crime.
In recent years, more and more firms are realising the exponential threat of a data breach within their organisation. The average cyber-attack costs a business over $1 million, a figure that has made organisations sit up and take note of the true ramifications of a malicious attack. However, businesses also need to prepare for data breaches that occur as a result of employees. While malicious attacks make up a significant portion of incidents, breaches caused by employees and the extended enterprise make up 65% of all security incidents in the UK.
To tackle both the malicious and the accidental threat, organisations should have preventative technology in place, but the real key to mitigating the damage of cyber-crime is to educate the workforce on the various dangers they pose to their firm, be it accidentally sharing sensitive data or falling victim to ransomware attacks.
‘Know Thy Enemy’
As a starting point, employees should have a good understanding of the data that is stored within the company and where they come into contact with sensitive information in their own role. A well-trained employee should be able to answer the three data-security questions, ‘What’, ‘Where’ and ‘Why’:
- What data is of value to a potential hacker?
- Where is this valuable data stored?
- Why is this data so valuable, and why is it a potential target?
If an employee is capable of answering these three questions, they will be much better equipped to resist any attempts by hackers to extract this information. They will likely question any request for this particular data, be suspicious of anyone attempting to access that part of the data system, and understand the potential value of this data and the need for its protection. Not only is this considered the more effective of the two aspects of cyber-security training, it is also regarded as easier to teach employees what they need to protect than to teach them who they need to protect it from.
‘Once More Unto the Breach, Dear Friends, Once More’
The ways in which a breach may occur, and the consequent warning signs, may vary from industry to industry, but there are a few frequently occurring symptoms. The average worker may not notice a significant rise in outbound traffic, but if trained correctly they may question the resulting slower internet speeds. Furthermore, a trained employee would know to be suspicious if they were suddenly locked out of their user accounts, or sent an email asking for financial details. A trained eye may recognise these warning signs, but an average employee with no training in cyber security may assume this is the result of network maintenance, or of their frustrating colleague Derrick who always moves files around the system. However, recognising the breach is only part of the battle.
The most important part of responding to a breach is establishing a clear line of communication to raise the alarm. It may be that employees are encouraged to report such threats to a supervisor with specialist training in differentiating real breaches from accidents or false alarms. Alternatively, employees may be instructed to simply pass on a warning about any possible breach directly to the IT department. The chain may vary from firm to firm, but what is essential is that a solid protocol is established and employees are educated on what to do in preparation for such a threat.
‘Knowing The Rules of Engagement’
Most data losses are the result of accidental data leaks, but employees can easily be trained to reduce this threat drastically. When an internal breach occurs, employees are reluctant to blow the whistle on themselves, often hiding the issue whilst they attempt to rectify it. In addition, those who unknowingly facilitate an attack (be it through phishing, malware or even social media) are usually reluctant to raise the alarm for fear of punishment.
This is arguably one of the most common, and indeed problematic, issues surrounding data breach mitigation. As any cyber security specialist can testify, the longer it takes to identify a threat, the more damage that threat is capable of doing. Time is of the essence in dealing with breaches, and if an employee is unwilling to come forward until the threat is discovered, significant damage may already have been done.
To combat this, firms must reassure workers that they will not face consequences for reporting accidental data loss and breaches. Firms must hold their workforce to a certain standard of quality, but at the same time they must remember that the highest priority is encouraging employees to come forward, allowing the firm to address the breach itself as quickly as possible.
‘Sometimes, You Have to Fight a Battle More Than Once to Win It’
Bear in mind that whilst training your workforce to a higher standard of cyber security and adopting a supportive breach-reporting environment will undoubtedly have a significant impact on the strength of your cyber security, over time the standard of your workforce’s defence will degrade. This is mainly a result of changes in the operation of the firm, and in part due to human nature. Firms must remember that changes to data storage, or new protocols on data sharing, will require a refresher course on the ‘three questions’, and must be proactive about training staff on newly emerging technology which may present a security risk that the workforce is not yet aware of.
Furthermore, firms must remember that humans are inherently fallible, and that as time goes on without any problems, many workers will lose their caution, a well-documented tendency known as ‘normalcy bias’. In addition to this, canny workers will often find workarounds to their training in the pursuit of speed, ease and efficiency, thereby negating the effectiveness of that layer of security. For all these reasons, it is essential that a firm recognises that cyber security training is a continuous process, with training sessions occurring frequently to make sure that all staff are up to date.
‘Si Vis Pacem, Para Bellum’
Staggeringly, although 70% of medium/large UK firms reported a significant data breach during 2017, less than 50% have trained their workforce in adapting to this new-age threat. Clearly the need for a cyber-threat-educated workforce is greater than ever, although businesses must remember that this is only one facet of a strong cyber defence. A truly strong cyber defence should incorporate tiered security, with multiple layers of defences such as a firewall, multi-factor authentication, an email protection or redaction service, and of course a well-educated workforce. As the ever-prescient Sun Tzu observed, “The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him.”