Mark your calendars, unless you are too busy reading about the latest data breaches (Yahoo’s, at least going by the morning news). The Department of Homeland Security reminds us that October is “National Cyber Security Awareness Month.”
As worthy an effort as this is, in light of a slew of recent reports, surveys, and advisories, the whole year should be dedicated to cyber security awareness, 24/7.
Give Homeland Security credit for stating the case:
“We live in a world that is more connected than ever before. The internet touches almost all aspects of everyone’s daily life, whether we realize it or not. National Cyber Security Awareness Month is designed to engage and educate public and private sector partners through events and initiatives to raise awareness about cyber security, provide them with tools and resources needed to stay safe online, and increase the resiliency of the nation in the event of a cyber incident,” it says in announcing the initiative.
And there are valuable tools that come along with this. For example, the Financial Crimes Enforcement Network (FinCEN) issued an advisory (albeit a month early) on how banks can detect and protect against business email compromise (BEC) and email account compromise (EAC) schemes, in which fraudsters use spoofed or hijacked email accounts to trick businesses and individuals into sending payments.
The advisory reports that since 2013 there have been approximately 22,000 reported cases of such email fraud involving $3.1 billion, and that in some cases financial institutions have absorbed the losses by reimbursing customers. Of particular interest is the advisory’s long list of red flags that banks should watch for, along with its list of common fraud scenarios.
All of which underscores the fact that cyber fraud never takes a break—and neither should the accompanying need for cyber security awareness.
Threats morph, but usual suspects remain
Kaspersky Lab reported that in the second quarter of 2016 it blocked more than 1.1 million financial malware attacks on users, a rise of almost 16% compared with the previous quarter. It notes that banking trojans remain the most dangerous of these threats.
“New banking trojans have significantly extended their functionality by adding new modules such as ransomware. If criminals do not succeed in stealing users’ personal data, they will encrypt it and demand a ransom,” says Denis Makrushin, of Kaspersky Lab.
Not just “bad guys,” also “dumb guys”
Risks come not only from the outside in, but from the inside out. A Ponemon study, sponsored by Dtex Systems, finds that insider incidents caused by employee and contractor negligence cost an average of nearly $2.3 million per business.
“Companies perceive insider threat as mostly driven by malicious employees, but the fact is that a significant portion of the risk is due to insider carelessness,” says Christy Wyatt, CEO, Dtex Systems.
Along the same lines, a survey by First Orion finds that 4% of the 1,000 people surveyed gave away credit card information to scam artists, which extrapolates to roughly 15 million Americans. And it is getting worse: only 1% gave up their Social Security numbers in 2015, while 2.4% did so this year.
“Scammers are getting more aggressive and becoming more effective at targeting our mobile phones,” says Jonathan Sasse, CMO of First Orion.
Which leads to something of a paradox when set against yet another survey, this one by Auriemma Consulting Group, which found that 46% of debit cardholders think it likely that they will experience card fraud in the next five years.
What is curious is the response to a subsequent question in the survey, meant to gauge what consumers value more: security or speed. When asked about a hypothetical $100 purchase, 85% agreed that security is more important than speed. For a $5 purchase, however, that dropped to 70%.
“In reality, the amount of the purchase has nothing to do with a fraudster’s ability to steal a consumer’s information, but consumers tend to care more about speed than security for smaller transactions,” says Jaclyn Holmes, senior manager at Auriemma.
At least the threat is being marked
These findings from the various polls and studies do point to the need for general awareness, and October is as good a month as any. Such awareness, however, should extend throughout the year, and should include strategic decisions on budgeting.
Robert Half Technology polled 2,500 chief information officers about how well-equipped they believed they are, compared with other companies, to respond to a security breach.
Fifty percent said about the same, while 37% said they felt more equipped.
However, when asked whether they felt their security budget was sufficient to keep their organization’s data safe, 21% said it was not.
“Having the right systems in place to identify and respond quickly to threats is a key priority for organizations across a variety of industries,” says John Reed, senior executive director for Robert Half Technology.
Which ties into a recent SANS Institute survey that seeks to compare what security practitioners consider valuable in preventing breaches, and what they actually use. Results:
• 85% consider blocking known malware an effective preventive measure, but only 40% have implemented it.
• 63% consider robust testing preventive, but only 39% have implemented robust testing.
• 60% consider metrics-based evaluation and reporting preventive, but only 40% use such evaluation and reporting.
“We must change the way we think about cybersecurity today and address the gap between understanding preventative measures and actually implementing them,” says Rick Howard, chief security officer, Palo Alto Networks, in commenting on the SANS Institute survey.
Part of this means having breach response plans in hand, ready to go. One example of a resource for preparing such a plan was issued recently by Experian.
However, Experian makes a crucial point: “Response plans are not documents that should be created and then forgotten about until they’re actually needed during a breach,” says Michael Bruemmer, vice president at Experian Data Breach Resolution. “A response plan should be a living, breathing document that is practiced and improved upon regularly, not only as the company itself changes but as the business environment and outside threats, such as ransomware, evolve.”
Awareness isn’t nearly enough
So it really does all come down to awareness, and a single month of it is not nearly enough. As well-intentioned as “National Cyber Security Awareness Month” is, organizations need to keep such awareness front of mind the whole year.
To that end, Shred-it offers five strategies to keep cyber security awareness alive in the work place:
• Commit to a culture of security. Consider asking employees to take a pledge to make their workplace a more secure environment, and display that pledge in various locations throughout the office.
• Repetition and frequency are key. Consider a multichannel approach using a mix of in-person and digitally-delivered video training.
• Out of sight, out of mind. Place visual cues throughout the office to remind employees of their responsibilities in protecting confidential information.
• Go where your employees are. Ensure that your training addresses the safe handling and destruction of confidential information for both office and remote workers.
• Embed it. Enforce a clean-desk policy that encourages employees to clear their desks and lock documents in safe places when they leave their workstation at the end of each day.
“With employees returning to work in the fall, business leaders have a prime opportunity to engage their teams and raise awareness of information security risks,” says Andrew Lenardon, global director, Shred-it. “They can consider taking advantage of this time to launch a comprehensive training program that makes information security best practices a part of all employees’ daily routine and responsibilities.”
So, to repeat, October really is as good a time as any to boost cyber security awareness. Maybe, October to October.
Sources used in this article include: