What comes to mind when you hear the term “cyber security breach”?
Chances are your mental picture looks something like this: A hooded figure sits hunched over a computer terminal, feverishly typing long strings of code. Numbers, maps, and fingerprints float around on a giant screen. Then, alarms start blaring; a blue, locked padlock icon turns into a red, unlocked padlock icon; and the words “ACCESS GRANTED” appear in big, flashing letters. The hacker presses a button on her earpiece.
“I’m in,” she says.
This scene has played out pretty much the exact same way in hundreds of movies and television shows, and the stock photos that accompany news stories about cyber attacks would have you believe it’s the way hackers operate in real life, too. But this particular Hollywood trope is both overdone and dangerously inaccurate. Nine times out of 10, hackers succeed through human laziness, ignorance, or gullibility.
In a recent article for Harvard Business Review, Maarten Van Horenbeeck—a security manager who’s worked for Amazon, Microsoft, and Google—writes:
Cyber attackers don’t need to have advanced hacking skills to break into corporate networks; they just need to know how to trick people into opening attachments and clicking on links. Phishing attacks are the cause of 90% of all data breaches and security incidents, according to the latest Verizon Data Breach Investigations Report. Clearly, employees are the main gateway into the organization for attackers. As a result, they are also the first line of defense. The Verizon report found that employee notifications are the most common way organizations discover cyberattacks. So arming these “sentry” employees with information they need to identify attacks is a critical part of a company’s overall security program—and yet most companies fail at this.
Let’s return to that hacking scene. In real life, it would go like this: Ed in accounting gets an email from “Amazom.com” telling him he’s won a free gift card. He clicks on the link in the email, which sends him to a bogus Amazon login page. He enters his account name and password. Two weeks later, his computer freezes and a pop-up takes over his screen. The message in the pop-up informs him he has 72 hours to pay a $5,000 fine or his files will be lost forever.
Ironically, clichéd notions about hacking have made us more prone to getting hacked. Van Horenbeeck argues that employees like Ed fall for obvious phishing attacks because we’ve all been trained to think of cyber security as something far more complex and arcane than it really is. That includes the people who develop IT policies:
One of the big reasons security rules often don’t work is because they are so complex they drive people to take shortcuts that defeat their purpose. For example, password policies are so complicated and inconvenient that most employees just ignore them. Employees are told to change passwords frequently, but researchers have found that when people are required to come up with new passwords every three months they tend to do things like merely capitalizing the first letter or adding a number on the end to save time. This makes passwords increasingly easier to crack. Being creative gets exhausting when you have to do it repeatedly, yet most companies force this on employees for the sake of security.
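The predictable tweaks the excerpt describes (capitalizing a letter, bumping a trailing number) can be caught at password-change time. The following is an added example, not code from the article or from Van Horenbeeck; the substitution table and the set of edge characters it strips are my own assumptions.

```python
import re

# Added example: a server-side check that flags a proposed new password when it
# is just the previous one with a case change, a leading/trailing number or
# symbol run, or common letter-for-symbol swaps. LEET and EDGE_RUN are assumed
# conventions, not a standard.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})
EDGE_RUN = re.compile(r"^[0-9!@#$%^&*._-]+|[0-9!@#$%^&*._-]+$")


def canonical(pw: str) -> str:
    """Collapse the variations the excerpt describes so that 'Winter2024'
    and 'winter2023' map to the same core string."""
    core = EDGE_RUN.sub("", pw)          # drop leading/trailing digit or symbol runs
    return core.lower().translate(LEET)  # fold case and leet-style substitutions


def is_trivial_rotation(old: str, new: str) -> bool:
    """True when `new` is a predictable tweak of `old` rather than a fresh secret."""
    if old == new:
        return True
    c_old, c_new = canonical(old), canonical(new)
    if c_old and c_new:
        return c_old == c_new
    # Passwords made only of digits/symbols collapse to an empty core; treat a
    # change of just the last character as trivial in that case.
    return len(old) == len(new) and old[:-1] == new[:-1]


def check_rotation(old: str, new: str) -> str:
    """Message a password-change endpoint could return to the user."""
    if is_trivial_rotation(old, new):
        return "rejected: new password is a minor variation of the old one"
    return "accepted"


if __name__ == "__main__":
    # Constructed sample pairs, not real credentials
    for old, new in [("winter2023", "Winter2024"),
                     ("P@ssw0rd", "Password1"),
                     ("winter2023", "blue-kettle-94")]:
        print(f"{old!r} -> {new!r}: {check_rotation(old, new)}")
```

The check compares only the old and new secrets at change time and stores nothing extra; pair it with a longer rotation interval, as the excerpt implies, rather than adding more complexity rules.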
The best defense against the constantly evolving threat of cyber criminals is a cyber security initiative built into your workforce compliance program. Your employees are either the strongest protection or the greatest vulnerability for the private data you are responsible for safeguarding. Every member of your workforce needs to be aligned with the goal of maintaining the privacy standards and protocols that protect private information.
Looking for guidance on improving your organization’s cyber security program? We recently covered the topic in depth in our 12/12 webinar, How to be Cyber Secure. If you missed the webinar or would like to review what our panelists discussed, you can watch the presentation any time, on demand, right here.