As a Security consultant, I marvel at some of the excuses that business owners offer when I suggest they institute a Security Awareness training program for their staff that use computers. I hear some management use the excuse “Oh, my people know better than to fall for that!” Recent studies plus our own professional experience prove that to be false. 95% of all Ransomware events in the U.S. began because an employee opened an infected e-mail or instant message. A Wombat Security Technologies study recently revealed that nearly one third of employees don’t know what phishing is and the concept of Ransomware is an unknown concept to nearly two-thirds of workers.
Other managers offer the excuse “We just don’t have the budget for that!”. I recently sat with the IT Director of a multi-million dollar company that had 40 office employees and he couldn’t find budget room for $2 per month for each employee to be trained regularly on Security Awareness for their organization. That’s about $960 for the entire year to improve their security awareness to protect the company IT systems for his entire office staff! They probably pay more than that just to mow their lawn and trim the bushes outside of the office. A single ransomware event will probably cost that organization more than 50 times that when it happens!
Ransomware and related e-mail borne malware that can take out an entire server in minutes can be a very expensive consequence of an employee falling victim to a socially engineered e-mail who’s tricked into opening an infected email that then takes down the network. While ransomware email exploits have dropped in recent months, the surge in crypto-malware has more than offset that drop. While ransomware has decreased, it hasn’t gone away and the cost of recovering from such a destructive event plus the cost of lost productivity caused by the disruption is no small consequence. When all costs are considered ransomware events can run into the tens of thousands of dollars for even a small organization.
Why do hackers use socially engineered emails and media posts? Simple! It’s cheap, it’s easy and it works! What should they try to hack your network when it’s so much eassier to trick your employees into letting you in?
Industry statistic reveal that the #1 biggest security vulnerability in any organization is their own staff. Over 90% of all hacking and malware events is U.S. businesses can be directly attributable to employee errors or malfeasance. All of the hardware and software investments in security products can’t offset the risk of human error. Spending pennies per day to make your employees more aware of how to better protect your business and themselves seems a pretty easy call but . . .
To wrap up, it’s been proven in numerous studies that the #1 risk for you network is employee error and the most common delivery mechanism of threats to your business are e-mails and social media. Improving employee awareness of the risks they face every day not only with e-mail but weak passwords and general lax security practices should be a critical concern to every business.
Training should also not a “one and done” proposition. Keeping current fighting off those who would exploit your staff to gain access to your network is a constantly evolving proposition. Training must be consistent and constantly updated to stay abreast of the evolving threats you staff faces week after week. Like all processes you also have to constantly test the training to see how well the information is being retained by your employees. It’s critical that your staff be periodically tested with fake exploits to see how they react. If they fall for the fakes, it’s important that they experience follow-up training to improve their retention.
Certainly, you’ve got to keep investing in improved hardware and software threat mitigation processes like firewalls, intrusion detection devices and such but remember, the number #1 most exploited resources in your organization are your employees. Failing to recognize that will lead to eventual catastrophic results. Don’t be penny wise and pound foolish! Train your staff regularly on Security Awareness before it’s too late.
Jeff Hoffman is president of ACT Network Solutions, an IT Security Provider that has been serving the greater Chicago area for over 30 years. If you need help improving the security environment of your business, Jeff can be reached at security@actnetworksolutions.com or by phone at (847) 639-7000.