Based on the US Federal Bureau of Investigation’s 2021 Internet Crime Report, there were 847,376 cybersecurity complaints last year, representing almost $7 billion in business losses. That number is an increase from 301,580 complaints representing $1.4 billion in losses in 2017. All this even though businesses and governments spend billions of dollars to fight these attacks. Microsoft alone spends about $2 billion annually to address cybersecurity. Why then, despite the big brains and big budgets of the most stalwart organizations, do businesses continue to fall prey to these breaches? Unfortunately, there are several reasons.
Cybersecurity may still not be a C-suite or board-level concern. So the questions are posed: Is cybersecurity a standing agenda item in your board meetings? Do board members fully understand your organization’s cybersecurity risks and the steps you are taking to minimize those risks? Are board members themselves aware of how their own actions, or inactions, could be putting data and systems at risk? In 2022, sadly, the answers to these questions at many organizations are still “no,” “no,” and “no.”
More organizations today, though, are recognizing the impact of data breaches; the potential damage to customer trust and the heavy financial losses are forcing boards to take notice. Some have ramped up reporting requirements and created new job roles, such as the DPO (Data Protection Officer), reporting directly to the CEO or even the board.
Many companies still leave security awareness and training to the IT department. Most security awareness leaders are IT pros that thoroughly understand the systems they are responsible for and the risks those systems face. What they don’t so readily understand, though, is how to convey their messages in a way that will resonate with non-security people. Security experts of any kind are stymied by the fact that they cannot unknow what they know. Consequently, they cannot fully understand what others do not know, or how to best convey information in a way that is understandable, meaningful, and impactful. Effective communication requires techniques that those in marketing and communication roles may be better positioned to deliver, yet they are not often called upon as collaborators in this strategy. Security awareness needs to be a company-wide endeavor, not just the sole responsibility of the IT department.
The cyber criminals keep getting better and more sophisticated. As technology becomes more complex and companies invest in the latest controls to protect systems and data, cybercriminals continue to devise new ways of subverting those defenses. But criminals and state-sponsored hackers are not just focused on technology. In fact, they are far more focused on people. Why? Because as security technologies make it harder and harder to hack into systems, cybercriminals increasingly look for another way in. And that other way usually involves tricking someone into letting them in.
“Social engineering” is a term for the techniques cybercriminals use to manipulate people into providing confidential information or performing harmful actions, such as clicking on bogus links in a text or email. That is phishing, pure and simple. Cybercriminals know that people represent the greatest vulnerability within organizations precisely because they are susceptible to deception, influence, and disinformation.
Companies often let their guard down. As companies invest heavily in technology, communication, and training to reduce cybersecurity risk and as they begin seeing the positive impact of those efforts, they may let their guard down—not paying as much attention to the risks, not communicating as often, or failing to ensure that new employees (or employees in new positions) are receiving the information and training they need.
A few years ago, I heard a cyber security expert proclaim at a symposium, “if we can only eliminate the people, everything would be perfect.” Well, unfortunately cyber was and continues to be developed for the convenience of people, yet they currently pose a real threat and vulnerability. Cyber-crooks only need to be successful once to achieve their goals, but companies need to be successful 100% of the time to avoid being compromised. Consider this: security is subject to the same natural laws that govern the rest of the universe. Entropy is real, as we move from order to chaos. And that means your organization is always either building security strength or allowing atrophy. Training is a pain to many, but it is very necessary.
There is still a lack of a strong security culture in many companies and businesses. Security culture is the set of ideas, customs and social behaviors that shape an organization’s security. A strong security culture is a must-have to combat the continuous threats that all companies face. Employees’ security awareness and behaviors, and the organization’s culture, must be assessed regularly. Policies and training programs should be consistently updated to address the changing threat landscape. Failure to do so puts companies at risk of data theft, business interruption, or falling victim to ransomware.
The sad but brutal truth is that data breaches are not going to stop. And because they are not going to cease, companies have to build and sustain a strong security culture to remain continuously attuned to a constantly changing threat landscape and to minimize risk.
Honestly, there will always be risk, and no organization will ever be entirely free from security threats. But that does not mean they should scale back their efforts to improve and evaluate processes, communicate with and train everyone in the organization, and remain vigilant. This is a process, not an event.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
- REDSHORTS: Weekly Cyber Intelligence Briefings
Note: Entropy is a lack of order or predictability; a gradual decline into disorder.