Data breaches have got themselves a bit of an image problem in recent years. That may seem like a daft thing to say, so let me explain. When we think of the data breaches we have seen from organisations such as Ticketmaster, British Airways, Sky and TalkTalk, to name but a few, we think of malicious intent and how the data was sought by outside hackers. Often these are the stories that make the headlines; we like the idea of a cloaked assailant, sat in their hoody, hunched over a laptop surrounded by pizza boxes and empty energy drink cans! In more recent years we’ve even started to accept that these ‘individuals’ are now much more organised, professional if you will, working as groups on new malicious code, and perhaps even state-sponsored.
The business leaders of large corporations are widely criticised and held accountable for failing to protect their consumers’ data, especially in the light of the vast IT and training budgets that are at their disposal. But the reality of the source of most data breaches puts a different perspective on the situation.
Everything I have said above is true, and does exist in the world of data breaches, but the undeniable truth is that over 90% of data breaches are caused by human error. To put that in perspective, new research commissioned by insurance company Gallagher found that 1.4 million businesses were hit by major attacks last year, costing £8.8bn. The average cost of attacks to the affected business was around £6400, but the impact of an attack could be far more serious than being forced to pay a few thousand pounds in related cost.
Companies invest many tens of thousands in the technology designed to keep their infrastructure from harm, protecting both customers and the business. But all of this can be undone by human error on several levels.
- Administrator errors – Cloud-based systems such as Office365 left without multi-factor authentication enabled, or web-based systems that are not patched, result in vulnerabilities that can be exploited. Also, hardware such as firewalls can be configured incorrectly, and poor security settings on individual devices can leave loopholes that can be exploited.
- Developer mistakes – Developing software and building websites is a complex business. Poor code, or even worse poor testing, can make it easy to leak data, causing accidental data breaches or making it easy for hackers to exploit weaknesses.
- Accidental data breaches – Losing data, whether unencrypted on a storage device such as a USB key or on a mislaid/stolen laptop, is still a data breach. Equally so is accidentally sending data to the wrong person, attached to an email or in a format that would contravene regulations such as the General Data Protection Regulation. Such breaches can still cause huge reputational damage and lead to fines of €20m or 4% of a company’s annual turnover.
Ultimately, organisations can have the best security tools in place, but the human element is the last mile and it’s the one that can make or break an organisation’s defences. Whilst companies and cyber criminals often think staff are the weakest link, they are in fact the greatest security asset, if given the right help through effective security awareness.
Business leaders need to acknowledge that cyber security is not an IT issue – it is a serious business risk. One approach to mitigate against this is to make the employees the first line of defence – the human firewall. Organisations that have successfully defended against cyber attacks have seen that building a strong cyber security awareness culture is key.
This is where education becomes most important and needs to happen at every level of a business: Employees are one of the biggest cyber security vulnerabilities and considered a “soft target” by criminals, due to their lack of understanding of the risks faced. Instead of using highly technical and time-consuming hacking methods to breach a company’s systems, cyber criminals often prefer to target the employees themselves in order to get access to information and systems.
To combat this, cyber security awareness training is a cost-effective and proven way of reinforcing a company’s resilience to cyber attacks. There are many types of training available, but the ideal is to combine engaging and interactive cyber security awareness training content with a software solution that works hand in hand with a company’s IT infrastructure. In essence, a solution that analyses alarm messages from security systems and adapts training simulations based on those alarms – keeping cyber security training in line with the attacks the company actually experiences. An example would be running simulated phishing attacks and training employees based on how they respond to the simulation.
All organisations need to elevate the importance of cyber security awareness amongst their employees and arm employees at every level with the knowledge, tools and support that help them become the best line of defence for the business. All the cyber security technology in the world cannot get you around that reality.
Stephen Burke – CEO and Co-Founder Cyber Risk Aware
Stephen founded Cyber Risk Aware in 2016 in Ireland, with support from Enterprise Ireland, as it was viewed as a high-potential start-up. After a career spanning over 20 years in technology and security, specialising as a CISO, he found that most if not all security incidents are caused by human error at all levels in an organisation, no matter how good the technical defences were. Therefore, Stephen founded Cyber Risk Aware with the mission of making a genuine difference and helping companies and home users avoid becoming victims of cybercrime.
Specialities: Security Education and Awareness Programs, Cyber Insurance, Network Security, Data Governance and Security, Malware Investigation and Incident Response, Risk Management, Security Behaviour Analytics, Security Architecture, Heuristic Security, Security Audit, Digital Forensics, Penetration Testing, Encryption, Wireless Security, Security Management, Database as a Service, Internal Cloud Design, SAN Design, RDBMS Virtualisation and Consolidation, Disaster Recovery
About Cyber Risk Aware
Operating out of London, Dublin, Manchester and Donegal, Cyber Risk Aware is the only company in the world to offer real-time cyber security awareness training. Its platform leads the industry in helping companies worldwide assess the level of human cyber risk in their business, by running simulated phishing attacks and cyber knowledge assessments to see where the risks lie (by user, department, office or country).
Cyber Risk Aware also provides highly engaging and interactive cyber security awareness training content, together with enterprise risk and compliance reporting, so companies can demonstrate and meet their legal and regulatory compliance requirements in protecting proprietary and personal data, systems and finances. Cyber Risk Aware is the first company in the world to achieve GCHQ-accredited security awareness training through the Chartered Institute of Information Security.
Thousands of companies use Cyber Risk Aware to provide a front line of defence against cyber criminals, significantly reducing the material risk of employee error via phishing, ransomware, CEO Fraud and Malware attacks.