Its subtitle is “Decoding the Minds of Hackers”. The Black Report is an amazingly comprehensive survey of people who are professional cyber break-in artists. Fortunately, most of them are on the right side of the law. They work for companies who offer their hacking skills to test a client’s cyber security.
The report is full of all kinds of interesting nuggets that will scare any company exec. For example, most of the respondents say they can crack through an organization’s online security and access the data in less than 15 hours. Even more frightening is that the average length of time between when the break-in is made and the target discovers the problem is between 200 and 300 days. In other words, once they’re in they have between six and eight months to play around before someone pulls the cyber alarm.
So, what does this have to do with communication?
Nearly half of the hackers who responded say they like to use either social engineering or phishing attacks. In essence, they bypass the complicated firewalls and head straight for the weakest link: employees. They send emails with links that, once clicked, let the hacker into the system. In some cases, they actually resort to using the old-fashioned telephone.
That’s why it’s not a shock that a 2017 survey by the Ponemon Institute found that 92% of malware is delivered by email. A company called AlertLogic did the math and figured out that each user at a small business receives an average of nine malicious emails per month. If you have 10 employees, that means your company is facing 90 emails with malware every month. Those emails work for only one reason: an employee clicks on them.
It’s really no surprise that the human element is so fragile. What is surprising is that so many companies either ignore or simply accept that risk. About one third of those surveyed in the Black Report say that neither technology nor people alone can solve cyber security problems. It needs to be a combination of both.
And those efforts must be communicated.
Staff are always annoyed when some new firewall or security measure is put into place. Suddenly they can’t access the things they could yesterday. It now takes three steps to do what one or two did last week. They view it as an attack on productivity.
Often that’s because the reasons behind the changes aren’t explained. Employees don’t know about the number of times the organization’s firewall was breached. They know nothing about the incident where accounting turned over sensitive information after being spear-phished.
So tell them. Let them know when something went wrong. And if it didn’t happen at your organization, talk about what happened to another company across town. Explain how that company’s email was shut down for an entire day because one person clicked on the wrong link. Or how a ransomware attack was so costly that it cut into company bonuses. You don’t even have to make it up; there are plenty of examples out there. It’s not fearmongering. You’re simply giving your staff information so they understand why security measures were put into place.
And that communication has to go both ways. When an employee spots a malicious email, someone in IT has to thank them. When a staff member reaches out to learn more about how to battle the bad guys, they need to feel that they’re actually getting help.
There will still be plenty of people who ignore the message and click on malicious links. You won’t get them all. But every employee who does listen means one less chance that a cyber crook will infiltrate your data. And the best part? It didn’t cost a thing. Just a little time spent communicating.
That doesn’t mean the Black Report won’t still scare the daylights out of you. But at least you know you’ve taken the first steps towards some restful sleep.