Computers, devices and the internet are woven into the fabric of our daily lives, making it easy for us to forget that online interactions and email messages aren’t always benign.
The unfortunate results of a barrage of cyberattacks in the past year alone have clearly demonstrated that cybercriminals are putting in work to expand their operations. In fact, recent cyberattacks have illustrated just how many aspects of our daily lives are impacted by cybersecurity, from shopping to seeing the doctor.
Protecting your business from cyberattacks may seem like a daunting prospect – in an IBM blog post, 25% of SME business owners said that they didn’t even know where to start with cybersecurity. However, no one has extra budget these days – a third of those SME IT decision-makers pointed to a lack of budget or resources as their biggest blocker to cybersecurity success. But businesses don’t have to blow their budgets to make security improvements.
These three tips can help every business be Cybersmart and stand tall in the face of surging cybercrime for less.
The first action that businesses can take doesn’t cost a penny: improve password security.
Cybercriminals know that the easiest, fastest way for them to gain entry to your systems and data is with a legitimate password and they’re doing everything possible to snag one – the more privileged that password is, the better. That’s why it’s paramount that you establish and enforce strict rules about generating passwords in your business. The Verizon/Ponemon Institute Data Breach Investigations Report 2021 revealed that bad, cracked, stolen and recycled passwords were the biggest data breach menace that businesses of every size face. More than 60% of the businesses that they analysed had suffered a cyberattack that began with a compromised credential and ended in a data breach.
Credentials were the top type of information stolen in data breaches worldwide in 2020.
About 60% of passwords that appeared in more than one breach in 2020 were recycled or reused.
An estimated 65% of employees use the same password across multiple work and home applications.
It’s not hard for cybercriminals to find a company’s legitimate passwords through password cracking software or even just outright guessing. How does that work? People love to talk about themselves and their interests online. Does your LinkedIn profile talk about how devoted you are to your favourite football team? Is your Facebook full of Baby Yoda memes? Do you share makeup tips from Instagram influencers every day? All of these things give cybercriminals clues that help them figure out your password.
Simple, common, recycled passwords make a cybercriminal’s job easy if they’re using password cracking or credential stuffing too. Why? Based on an analysis of the data that was collected in 2020, an overwhelming majority of passwords fit into one of 20 common categories. That fact allows cybercriminals to use huge lists of passwords stolen in earlier breaches to conduct future cybercrime operations.
Almost 60% of employees use a person’s name or family birthday in their passwords, 33% include a pet’s name and 22% use their own name. On top of that, 49% of users will only change one letter or digit in one of their preferred passwords when required to make a new password. Don’t make it that easy for the bad guys.
Don’t reuse or recycle a password anywhere for any reason.
Do build strong unique passwords for every online account
Don’t make passwords that fall into a common category
Do make sure your password isn’t easy to guess
Do consider using a password manager to maintain your list of unique passwords
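The password rules above can be turned into a check that runs when an employee sets a new password. The following is an added example, not code from the original post or from MSnet; the leaked-password set, the personal details and the minimum length are constructed assumptions. It rejects a candidate that appears in a breach list (the credential-stuffing risk), that differs from the current password by only one character (the "change one letter or digit" habit) or that contains a personal detail such as a name, pet or birth year.

```python
"""Password-change policy check (added example; not the post's own code)."""

# Constructed sample of passwords seen in earlier breaches. In a real deployment this
# would be a breach corpus or a range lookup against a breach service, not a literal set.
LEAKED_PASSWORDS = {"Password123", "Liverpool1", "Summer2020!", "BabyYoda1"}


def within_one_edit(a: str, b: str) -> bool:
    """True if b is a itself or reachable from a by changing, inserting or deleting one character."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        # Same length: a single substitution means exactly one differing position.
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long = (a, b) if len(a) < len(b) else (b, a)
    i = j = 0
    skipped = False
    while i < len(short) and j < len(long):
        if short[i] == long[j]:
            i += 1
            j += 1
        elif skipped:
            return False  # a second insertion would be needed
        else:
            skipped = True
            j += 1  # skip the one extra character in the longer string
    return True


def check_password(candidate, current_password=None, personal_tokens=(),
                   leaked=LEAKED_PASSWORDS, min_length=12):
    """Return the list of policy violations for a candidate password (empty means accepted)."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if candidate in leaked:
        reasons.append("appears in a known breach list")
    if current_password and within_one_edit(current_password, candidate):
        reasons.append("only one character different from the current password")
    lowered = candidate.lower()
    for token in personal_tokens:
        # Short tokens (e.g. two-letter initials) would match almost anything, so skip them.
        if len(token) >= 3 and token.lower() in lowered:
            reasons.append(f"contains personal detail '{token}'")
    return reasons


if __name__ == "__main__":
    # Constructed sample: an employee called Alex with a dog named Rex, born in 1987.
    details = ["Alex", "Rex", "1987"]
    for new in ["Summer2021!", "Liverpool1Rex!", "correct-horse-battery-staple"]:
        print(new, "->", check_password(new, current_password="Summer2020!",
                                        personal_tokens=details) or "accepted")
```

The near-duplicate check only works because the user supplies their current password in plaintext at change time; it cannot be run against a stored password history, which should only ever hold hashes. The personal details would come from the HR record or user profile, the same place an attacker mines for guesses.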
Cybersecurity isn’t just a job for the IT department, but that can be hard for employees to recognise, especially if they don’t consider themselves “tech people”. Unfortunately, that perception often leads to employees not engaging with security awareness training and not carrying the good cybersecurity practices that they learn over into their everyday actions. The same expectation may be at work on the executive end of the equation too. By not running regular training sessions, or by only training a few employees against certain threats, companies fail to utilise all of their human resources to keep an eye out for trouble. Internal blockers can also discourage employees from taking an interest in cybersecurity, a tragedy in a time when businesses need all the help that they can get. Eliminating those blockers will create a stronger security culture, making your business more cyber resilient.
Just under 30% of employees fail to report cybersecurity mistakes out of fear.
A full 50% of employees don’t report clicking on a phishing email to avoid disciplinary action.
An estimated 60% of employees open suspicious emails for fear of misidentifying a message.
No employee should be afraid to ask for help around security issues. When employees fear losing their jobs because of a security mishap, small problems don’t get reported, giving them time to grow into giant disasters. Improved security awareness can also quickly reduce a company’s risk of malicious insider incidents. In a business with a healthy cybersecurity culture, employees feel confident that they can ask for help freely, whether they just have a question, have made a mistake, are unsure about something or think that they have spotted a phishing attempt, and that brings benefits that can’t be measured.
Don’t threaten employees with termination if they make a security mistake
Do make it easy for employees to ask questions or get help around security
Don’t just make cybersecurity the IT department’s job
Do make every employee feel that they are invested in company security
Don’t fail to set policies that encourage smart security behaviour
Don’t have one set of policies for employees and another for executives
If you want your employees to protect your business from cyberattacks, they’re going to need a quality toolkit and the training to notice potential trouble spots. The power of security awareness training is immense, and it starts right away.
In a UK study on the effectiveness of phishing simulations, researchers discovered that 40–60% of the surveyed employees were likely to open a phishing message at the beginning of the study. However, after about 6 months of training, the percentage of employees who took the bait dropped to 20% to 25%. Even better, after 3 to 6 months more training, only 10% to 18% were likely to open a phishing message, a steep decline.
Regular security awareness training clearly works. Having the right tools available is also essential. If you’re relying on old, clunky, hard-to-use tools for your day-to-day operations, you’re not only opening your business up to security risks from potential cyberattacks, you’re also making it hard for your employees to follow safe behaviours or take security seriously – and that can mean the difference between a crisis averted and a disaster landing on your doorstep.
One tool, multifactor authentication, stops 99% of password-based cybercrime
Automated email security catches 40% more phishing messages than conventional security or a secure email gateway (SEG)
Security awareness training reduces the chance of a damaging security incident by up to 70%
It’s not necessary for businesses to splash out cash on dozens of fancy security tools. Having too many security tools is just as bad as having too few. But it is essential that you provide the right tools and training to build a foundation for cybersecurity success. However, a stunning one in three small businesses with 50 or fewer employees relies solely on free or consumer-grade cybersecurity tools for protection. Even worse, an astonishing 60% of business leaders revealed that their companies didn’t have a cyberattack prevention plan in place at all and had no foundation for incident response. Give your employees the tools, training and support that they need to succeed and they will help keep your business safe in a stormy cybersecurity landscape.
Don’t use security awareness training as a punishment
Do run security awareness training at least 11 times per year
Don’t make employees afraid to lose their jobs if they report issues
Do make sure that everyone from the Directors to the apprentices receives regular training
Don’t rely on a patchwork of old tools that make maintaining security more challenging
Do make it easy for employees to get help when they have a security issue
MSnet was founded with a passion to protect businesses from the threat of cybercrime.
Our mission is to empower businesses with the knowledge, training and services required to safeguard them from cybercriminal activity.
If you would like more information, please reach out to our team on 01489 539700 or use the Contact Us button below.