You might think your run-of-the-mill privacy and cybersecurity training is sufficient. You might think that by “checking the box” on generic training you have fulfilled your duty and obligation to mitigate data privacy and cybersecurity attacks. You might think that general malware protection adequately secures your company’s data and you can move on with your everyday business efforts without concern.
Human error continues to be the number one driver of data breaches. Over 85% of all data breaches are caused by an employee mistake. (Source: Psychology of Human Error by Stanford University Professor Jeff Hancock and Tessian, a cybersecurity firm.)
“Human error” can take many forms, from the use of stolen credentials and misuse of company information to clicking phishing or malware links. Cybercriminals and hackers have developed advanced and creative tactics in their efforts to access and steal confidential information. Malware attacks, for example, are attacks in which hackers attempt to infiltrate networks, individual computers, and mobile devices with malicious software. An unassuming click to open a link or download software is all it takes to enable a malware attack. Social engineering tactics are often used to get employees to send bank account information, usernames and passwords, and other confidential information. Psychological manipulation is the bread and butter of social engineering. Such efforts intentionally target human interactions by tricking persons into thinking they are receiving an email from a trusted source, perhaps a friend or a business partner. Email content may consist of an urgent request, portray legitimate branding to make the email appear trustworthy, request your “verification” of information, or pose as a boss or coworker.
Employees need to be trained and continuously reminded to be mindful when conducting business. Technology can only take us so far in protecting businesses and securing information from cybersecurity attacks, especially with respect to social engineering. In the hustle and bustle of everyday business, it is easy to flit from email to email, shooting off quick responses without even glancing at the subject line, or the name or email address of the sender. Some of the simplest requests from a seemingly innocuous email can lead to the leak of very valuable information. Do you recognize the sender’s email address? Are there spelling mistakes in the content of the email? Is the company or individual name familiar to you?
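The three questions above can also be applied mechanically as a first-pass triage before a message ever reaches an inbox. The following is an added example, not code from the original post: it flags a familiar display name paired with an unfamiliar address, a domain that is one or two characters off a trusted one, and the urgency or “verify your details” language described above. The contact list, domains and sample messages are constructed for illustration.

```python
"""Heuristic triage of an inbound message: is the sender's address one we
know, is a familiar name paired with an unfamiliar address, and does the
text push for urgency or "verification"? Added example; data is constructed."""
from email.utils import parseaddr

# Constructed allowlist: known contacts with the address each normally uses,
# plus the domains the company trusts, and phrases typical of pressure tactics.
KNOWN_CONTACTS = {"jane doe": "jane.doe@example-corp.com"}
TRUSTED_DOMAINS = {"example-corp.com", "acme-example.com"}
PRESSURE = ("urgent", "immediately", "verify your", "wire transfer", "gift card")

def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(from_header, subject, body):
    """Return the list of reasons a message deserves a second look
    (an empty list means none of the heuristics fired)."""
    name, addr = parseaddr(from_header)
    name, addr = name.strip().lower(), addr.strip().lower()
    domain = addr.rsplit("@", 1)[-1]
    reasons = []
    expected = KNOWN_CONTACTS.get(name)
    if expected and addr != expected:          # boss/coworker name, wrong address
        reasons.append(f"display name '{name}' but sent from {addr}")
    if domain not in TRUSTED_DOMAINS:          # one or two characters off a trusted domain
        for good in TRUSTED_DOMAINS:
            if edit_distance(domain, good) <= 2:
                reasons.append(f"look-alike domain {domain} resembles {good}")
    text = f"{subject} {body}".lower()
    hits = [w for w in PRESSURE if w in text]
    if hits:                                   # urgent request / "verify" your details
        reasons.append("pressure language: " + ", ".join(hits))
    return reasons

# Constructed sample messages: one legitimate, one impersonating Jane.
SAMPLES = [
    ("Jane Doe <jane.doe@example-corp.com>", "Q3 numbers", "Draft attached, no rush."),
    ("Jane Doe <jane.doe@example-c0rp.com>", "URGENT", "Wire transfer needed immediately, verify your login."),
]

if __name__ == "__main__":
    for frm, subj, body in SAMPLES:
        print(frm, "->", triage(frm, subj, body) or "no flags")
```

A mail gateway already performs stronger checks (SPF, DKIM, DMARC); this block only shows the same human checklist expressed as code so trainees can see why each question matters.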
Cybersecurity attacks can be incredibly costly, causing financial, mental, and emotional heartache from the click of a button. Aside from financial ramifications, data breaches and cybersecurity attacks may reflect negatively on your business’s reputation, cause you to lose clients or customers, and may even lead to significant litigation proceedings and hefty government fines for regulatory violations.
The best approach in managing privacy and cybersecurity training is a proactive one. A primary goal should be to create a smarter, more attentive security culture within your business.
- Create a culture of awareness and attention to privacy and cybersecurity matters. Establish clear guidelines, expectations, and training for your employees regarding data security and privacy. Keep privacy and cybersecurity risks and related knowledge top of mind by providing bi-monthly or quarterly training or simulated cyberattack campaigns to create a smarter, attentive security culture.
- Train employees to recognize and report (internally) social engineering tactics, phishing emails, and other scams.
- Ensure that employees properly manage passwords.
- Enable multifactor authentication.
- Train employees on the importance of specific categories of data (like Social Security numbers and credit card information).
- Emphasize that cybersecurity is everyone’s responsibility.
Companies must stress the importance of privacy and cybersecurity to every employee in the company. It cannot be the sole responsibility of the IT department to keep company data secure. Even the best IT department practices can be undermined when employees fail to follow best practices regarding data management and cybersecurity risks. Employees must be trained to understand the importance of data management and cybersecurity risks to the company. Disclosing confidential and valuable information could trigger data breach notification procedures under state and federal law and cause severe financial loss and incalculable reputational damage to a company. Every employee needs to regard data management and cybersecurity risks as a priority. And, yes, employees should be held accountable for failures to comply with applicable policies and training.
- Develop an Incident Response Team (IRT). It’s a matter of when, not if.
Be prepared. Develop an IRT if you don’t already have one. In today’s day and age where technology rules, a cyberattack is a matter of when, not if. Cybercriminals are persistent in their efforts: your time may be coming. It is advantageous to run simulations and train employees on how to handle a breach or some other cyberattack when it happens, for example:
- Alert IRT personnel.
- Confirm the breach and determine what information was compromised.
- Ascertain the source of the breach and contain it from further infiltration.
- Assess the severity of the damage.
- Prepare and begin the notification process (to parties affected by the breach), if applicable to the type of data that was compromised.
- Take actions to prevent a recurrence of the same incident by implementing more robust employee training, as well as technological security measures.
The longer it takes to respond to a cyberattack, the more costly it becomes.
Taft’s Privacy and Data Security attorneys can assist in answering any questions or advising on how to manage, train, and mitigate risks associated with privacy, data management, and cybersecurity, as well as what to do after a breach or other cyberattack occurs. Stay tuned to our Taft Privacy and Data Security Insights or download our app for more news and information.