When we talk about cybersecurity, especially as it relates to cyber insurance, we spend a lot of time talking about everything that IT does in the background that protects a company—all the systems, the software, the company policies and procedures.
But we don’t spend enough time talking about the most significant risk (and the most common cause of a breach) … people. And that risk gets bigger the more employees you have.
Believe it or not, when it comes to cybersecurity, computers are the easy part. We can program them to do exactly what we want them to do. People, on the other hand, are an unknown variable.
To protect against your employees unknowingly creating a security breach, they need to understand the real, everyday risks inherent to performing their daily duties and accept their responsibility for keeping company data safe.
A Breach is Just a Click Away
Imagine your busiest time of the year is the fourth quarter. Your employees are not only hustling every day to meet clients’ needs, but also juggling holiday preparations and scheduling meetings around days off. People. Are. Busy.
A tenured employee gets an email from a vendor asking her to confirm information for a new order. The employee quickly glances at the email message and clicks the link that takes her to the vendor’s website where she enters her credentials and … BAM! The vendor never sent an email—it’s a phishing scam and she has fallen for it—and your nightmare has only just begun.
It’s that easy. Just one click. In my career, whenever I have counseled an employee who has fallen victim to phishing, I always hear some version of the same thing, “I feel so stupid. I am just so busy. I was working so fast; I didn’t even take the time to look at it.”
Well, guess what? That’s exactly what cyber criminals are hoping. They want you to be vulnerable, and momentarily foolish, and just open it without even thinking.
Sure, But My Insurance Protects Me, Right?
Today, all businesses need cyber insurance. But you can’t just buy the insurance and then walk away and say, “OK, now we’re good, we don’t have to worry about security.” Just because you have car insurance doesn’t mean you drive like a maniac.
No one wants to go through the aftermath of a security breach. Your insurance will cover many of the losses, but there is still some financial liability, and you can’t insure your reputation.
If a breach is big enough, it doesn’t matter if you have insurance to cover it, you still have a problem if no one trusts you with their personal information. Some businesses are big enough to handle that and get beyond it, but it could put smaller companies out of business.
So, beyond insurance coverage, you need to put practices in place to help manage the risks.
Building a Culture of Security and Accountability
Your lawyer will tell you that the severity of a data breach (and your potential liability) is determined by several factors, including the preventative measures your company takes to reduce risk. This includes not only the technical things IT does in the background, but also the organizational preparation (you know, the people side of things).
And what’s the best way to get people to do what you want them to do? Inspire them to want it, too! Here are some tips to help you build a culture around security at your organization:
Communicate Employee Handbook Policies and Procedures
A company needs cyber policies and procedures written down so employees can be trained and held accountable based on the known rules. The rules should be clearly communicated and repeated frequently and following them should be demonstrated from the top down.
Train, Test, Repeat
Training is an important part of your security communication. Security breaches can happen in a variety of ways from proper storage of client personal information (PI) to sending and receiving email. We all understand the allure of the blue link—it’s like candy—you just want to click and find out what’s hiding there. Employees need to be trained to look for the signs of a scam before they click.
One way IT can test employee knowledge is through social engineering tests provided by third-party security vendors. The idea is that the employee receives a simulated phishing email and needs to decide if it’s legitimate. If the employee recognizes it as fake, he doesn’t click and passes the test. If, on the other hand, the employee misses some key indicators and clicks a link or opens a document, he fails. Employees who fail can go through a coaching session to review key indicators, so they can recognize a scam in the future.
Knowledge is reinforced through repeated training and testing, but you want to keep employees engaged. Many companies keep employees involved by incorporating games and competition into ongoing security initiatives. For example, employees participate in trivia contests or role playing where they pretend to be hackers looking for ways into the system. You might even consider awarding small prizes to the winners.
Consistently Enforce Consequences
No one really likes to talk about discipline, but we all know that rules are useless without consistent enforcement. For example, you can write a policy that says, “Employees will not send clients’ personal information (PI) in emails.” But does your policy prevent anyone from emailing PI? Nope. So, what do you do when a busy, rushed employee forgets and sends PI in an email?
There needs to be a clear, known consequence for a policy infraction and it doesn’t necessarily need to be severe. In fact, most employee relations experts agree that discipline should be progressive and correlate to the infraction (let the punishment fit the crime.) But the message must come from the top down that this is not how we do things—there are real risks involved and we are all responsible for keeping information secure.
Plan How to Handle a Breach and Its Aftermath
The reality is that even in a culture of security, at some point somebody is going to click, and it won’t be a test. What happens next is mission critical to your ability to halt the breach and mitigate the damage.
Employees need to be trained to think of IT as 911 in a breach. Get on the phone and let the right people know as soon as possible. Whether it’s a virus, malware, or you clicked on a link, the threat is now in motion. We will worry about the consequences later.
If you have built a culture where the consequences of mistakes have been reasonable and consistent, you substantially increase the likelihood that employees will self-report an incident immediately. This is especially important because time is of the essence during a breach. The sooner that IT can respond to a known threat, the faster they can shut it down and reduce losses.
Security isn’t just about identifying risk, putting policies in place to reduce risk, and preparing for the worst. It’s how you handle a crisis in the aftermath that’s often met with the most scrutiny. Build a culture that can bounce back from a breach knowing everyone followed the game plan. Yes, there will be losses—that’s what your insurance is for—but if you cut the hackers off at the knees with your fast action, it might still feel like a win.
