Strengthen the Weak Links in Your Cybersecurity Plan
July 16, 2016
Emily Bradford, CPA, CFE
Cybercriminals never seem to give up, and for good reason: Their chances of success make it worthwhile. A recent poll entitled “IT Threats and Data Breaches” found that 94% of companies reported experiencing some form of “external threat.”
After spam, the most commonly reported cyberthreats were viruses, worms, spyware, phishing attacks and network intrusion. Although less common, corporate espionage was also reported by nearly one-fifth of survey respondents.
As a result, a new industry — employee cybersecurity training — has sprouted up. While it’s true that there will always be employees who will click on anything, it’s still critical for employers to try to educate them. Here’s a rundown of how to proceed.
Employee Cybersecurity Checklist
It’s important to test your staff regarding their knowledge of cybercrime, the possibility of breaches, and the role employees play in keeping the company and themselves safe. Your employees need to know that:
- They should never run or install software on a work computer because a website they are visiting invites them to do so.
- Malicious emails may appear to come from a coworker or supervisor, urging or instructing them to take an action that is actually dangerous.
- It's not okay to use the same password on multiple websites.
- Malware can be delivered through legitimate websites they regularly visit, for example when a site is compromised or serves malicious advertisements.
Cybersecurity experts maintain that educating staff members about online security procedures isn't a "one and done" matter. Employees may be vigilant and avoid the trap in a "spear phishing" (that is, highly customized to the target) attack for a while after being warned, but eventually they let down their guard. Some cybersecurity training services can regularly send your employees simulated phishing attacks to test their resistance, enabling you to give remedial instruction to employees who fall for them.
The underlying strategy used by many cybercriminals is “social engineering.” In this case, that’s defined as the art of manipulating employees so they give up confidential information. Its effectiveness rests on the fact that it’s easier to find people who are too trusting than it is to hack into a system by purely technical means.
Frequently used social engineering tactics include:
- Impersonating a friend, coworker or supervisor
- Asking for help
- Informing you there’s a problem with your account that requires verification of personal information, and
- Telling you that you’ve won something, but to receive the prize you must provide your bank information.
While some of these tactics might be transparent to you, it isn't safe to assume that they will be that clear to all of your employees, including senior managers. In fact, higher-level employees may be targeted more often because it's assumed they have greater access to the information attackers are seeking.
Training employees in cybersecurity involves more than just feeding them defensive tactics; it also requires getting them to understand why it all matters. They need to know what is at stake and how a serious cyberattack could affect not only the organization, but also each individual employee. After all, the personal information of everyone on your payroll is in your database, including their Social Security numbers, birthdates, addresses and more.
Detecting a Breach
It's not always obvious to employees when they have enabled a cyberattack, so they need to be trained to recognize the signs of a breach if one occurs: unexpected password-reset notices, logins from unfamiliar locations, a computer that suddenly slows down or shows unfamiliar prompts, or colleagues receiving messages they never sent.
It's also advisable to tell staff members exactly what to do if they suspect there's been a breach. For example, you might instruct them to disconnect the computer from the network immediately (but not to power it off, since shutting down can destroy evidence investigators need) and then contact the IT department. Even if the breach turns out to be a false alarm, commend the employee for acting quickly to address a perceived problem.
A Real Attack
Policies and procedures for dealing with a true cyberattack need to be laid out in advance. That should include a documented remediation plan that is regularly reviewed and updated.
It’s also a good idea to have procedures in place for informing employees when a breach has occurred, on a need-to-know basis. The same holds true for informing customers, if the breach could compromise the security of their data.
Keep in mind that it may be necessary to make a public announcement concerning the breach, whether because data breach notification laws require it or simply as a way to control the story rather than have it leak out and be perceived as a scandal. A public relations professional can provide insight on the best ways to handle a breach.
Finally, look to employees not just as people to be trained, but also as a possible source of insights on how you can work together to implement the strongest defense possible. Make it a dialogue, not simply a series of lectures.