By Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager
- According to Trend Micro, 91% of cyberattacks start with a targeted “spear-phishing” email. [1]
- The FBI found that from October 2013 to February 2016, roughly two and a half years, $2.3 billion was stolen from 17,624 corporate victims in business email compromise (BEC) scams, in which a fraudster impersonating an executive or vendor persuades someone with wire transfer authority to send money to an attacker-controlled account. [2]
- According to IBM, security awareness training is the third most effective measure for containing costs should a breach occur. [3]
The end user continues to be an entry point for attackers. Spam filters, firewalls, anti-virus and other technical defenses can and do help, but they are far from perfect: a well-crafted spear-phishing message that uses a legitimate sender domain, a clean link, or no attachment at all gives a filter little to act on. Attackers continually adapt their lures to slip past these controls and reach organizational staff and systems. Every employee should understand the limits of the technology and the potential cost of a security incident to the organization.
Most employees are unaware of these limitations and proceed under the belief that cybersecurity is not their job. By the time an email reaches their inbox, it must be safe, and if it isn't, it's someone else's fault. Likewise, if a website isn't blocked, it must be safe. These are, of course, dangerous assumptions.
A good security awareness training program should have two goals:
- Inform staff of the threats that they are most likely to encounter
- Motivate them to stay vigilant for attacks
One effective way to motivate staff is to personalize the costs of a breach, which may include their own identity theft, lost jobs, and damaged relationships with colleagues and customers. Staff must feel personally invested in the organization's security. Everyone plays a role, and the more staff who consider themselves part of your security apparatus, the less likely you are to suffer a breach.
Actionable Steps
- In policy, require that all new staff obtain a security awareness training.
- Perform security awareness training for all staff periodically.
- Mount simulated email-based attacks against employees to assess their abilities and provide continuous training.
- Periodically email security updates to ensure staff remain aware of the latest threats.
- Reinforce the importance of vigilance at company meetings.
The content in this article covers just one aspect of cybersecurity that small to mid-size businesses need to address.
Interested in learning more about Keiter’s cybersecurity services? Contact us. Our Cybersecurity team can provide you with critical insight into your company’s cybersecurity footprint.
Additional Cybersecurity Resources:
- Cybersecurity: Know Who Has Access to Your Systems and Deactivate Access Timely
- Cybersecurity: The Importance of Securing your Cyber-Doors and Windows
- Good Cybersecurity Starts with Governance
- Cybersecurity: Backup. Backup. Backup.
- Cybersecurity: Cyber Insurance
- Cybersecurity: So You Think You Have a Breach
- Infosecstack: Collection of free cybersecurity resources
- Cybersecurity Desktop Guide
The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.