At Riot we talk to CTOs every day about their cybersecurity needs, and we keep noticing the same trends. Very often the top priority of technical teams is to secure their infrastructure (which is perfectly normal). The good news is that there is a huge amount of tooling and documentation for securing infrastructure these days.
Human vulnerabilities, on the other hand, are underestimated. Today, 90% of cyber attacks start with a phishing email. In reality, the top priority for companies should be to ensure that every employee can handle a classic attack scenario. Training teams is a whole other challenge, because it calls less for technical skills than for communication and education skills.
Cybersecurity issues often land entirely in the hands of technical teams. It is not that simple: in cybersecurity everyone is responsible. The objective is to make sure that everyone has the right security reflexes in the back of their mind and knows how to react to the most common attack situations.
Marketing, sales, finance, accounting and HR teams are often the most at risk because they are the least aware of these issues. Yet these people hold critical access to internal tools that could put your organization at risk:
Sales teams have access to your CRM
Marketing teams have access to tools like Google Adwords and Facebook Ads
HR teams have access to employee listings and payroll services
Finance teams have access to the company's bank accounts
In the wrong hands, any of these accesses could have serious consequences for your company. An often-cited figure attributed to US authorities holds that 60% of small and medium-sized businesses that suffer a cyber attack go bankrupt within 6 months of it. It is therefore worth investing before this happens.
Let's do a quick exercise:
Close your eyes and think about your team...
Think about the person on your team who is the least computer literate.
Now open your eyes and look at this phishing email:
Now imagine that person receiving this email. Would they click on the link? Would they enter their password?
You get the idea.
In cybersecurity it is often said that the overall security level of your organization is that of your weakest point. In this article you will find 5 concrete signs that are often symptoms of a weak and risky cybersecurity culture in an organization.
Computers, the internet and cybersecurity go hand in hand: the members of your team who understand these topics best will naturally be more aware of cybersecurity risks. Knowing what HTTP and HTTPS are, how a web browser works, or simply what an IP address is can be key.
Beware! Being at ease with new technologies does not automatically confer good reflexes. The younger generation of "digital natives" is not necessarily less at risk.
Since we all work on computers nowadays, going back over the basics of how a machine and the Internet work will make it easier for you to raise awareness about cybersecurity.
Your employees are watching Netflix on their professional machines
Before working at Riot I worked in a startup that grew very fast. For confidentiality reasons I will not share the name of the company, but a little OSINT on LinkedIn should be enough for you to find out which one it is.
At up to 60 employees, managing our hardware policy was a nightmare. We all used our personal phones for work and our professional computers quietly at home (understandably: watching Netflix on a MacBook Pro with a Retina display beat my old Toshiba laptop).
In retrospect, this was a clear sign of a lack of organization and of employee awareness in managing their professional equipment. The slightest mistake (such as downloading a fraudulent file) could compromise the employee's work computer and turn it into an entry point for an intrusion.
No, 12345678 is not a good password.
Have you ever seen a post-it note stuck to the screen of a colleague's workstation, like this one:
Or, even better, a text file on a colleague's computer named password.txt?
Worse still, you discover that some of your colleagues are using weak passwords like 12345678 or YourCompanyName1234.
This is a clear sign that your teams are not aware of the best practices for choosing strong passwords. A visitor to your office could walk away with access to critical accounts.
⚠️ Did you know?
How quickly do you think a hacker could crack the following password: 12345678?
Answer: 0.00000111 seconds using password brute-forcing software (source).
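To make the "time to crack" figure concrete, here is an added example (not Riot's code, and not the tool behind the figure above) that estimates how many guesses an attacker needs for a password and how long that takes. It models three cases the way attackers order their work: a hit in a common-password wordlist, a company name with a short suffix (the YourCompanyName1234 pattern, where only the suffix has to be brute-forced), and a genuine brute-force search. The wordlist, the guess rate of 10 billion guesses per second and the sample passwords are assumptions for the example, not measurements.

```python
import string

# Constructed miniature wordlist standing in for the much larger lists attackers
# actually try first. The entries and their order are assumptions for this example.
COMMON_PASSWORDS = ["123456", "12345678", "password", "qwerty", "azerty", "111111"]

# Assumed offline guess rate: 10^10 guesses per second against a fast, unsalted
# hash on GPU hardware. Illustrative assumption, not a measurement.
GUESSES_PER_SECOND = 10_000_000_000


def charset_size(password: str) -> int:
    """Size of the smallest standard character set containing every character used."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 ASCII symbols
    # Anything else (spaces, accented letters, emoji): count each distinct char once.
    known = string.ascii_letters + string.digits + string.punctuation
    size += len({c for c in password if c not in known})
    return size


def assess(password: str, company_name: str = "", rate: int = GUESSES_PER_SECOND) -> dict:
    """Estimate the guesses an attacker needs for `password` and the time at `rate`.

    1. wordlist hit: found after as many guesses as its position in the list;
    2. company name plus suffix: the name is guessed outright, only the suffix
       is searched exhaustively;
    3. anything else: worst-case exhaustive search over the character set.
    """
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        guesses = COMMON_PASSWORDS.index(lowered) + 1
        category = "common password"
    elif company_name and lowered.startswith(company_name.lower()):
        suffix = password[len(company_name):]
        guesses = max(1, charset_size(suffix) ** len(suffix))
        category = "company name plus suffix"
    else:
        guesses = charset_size(password) ** len(password)
        category = "brute force"
    return {"category": category, "guesses": guesses, "seconds": guesses / rate}


def human_duration(seconds: float) -> str:
    """Render a duration in the largest unit that makes sense."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.9f} seconds"


if __name__ == "__main__":
    # Sample passwords constructed for the demonstration; "Acme" is a made-up company name.
    for pw in ["12345678", "Acme1234", "xK9#mQ2vLp7!"]:
        r = assess(pw, company_name="Acme")
        print(f"{pw!r:16} {r['category']:26} {r['guesses']:>25,} guesses  ~{human_duration(r['seconds'])}")
```

The point the numbers make: 12345678 and Acme1234 fall in a handful of guesses or a few thousand, regardless of length, because the attacker never has to brute-force them; only a password with no wordlist or company-name structure forces the exhaustive search, and a 12-character mixed password puts that search at billions of years at the assumed rate. The rate is the knob to watch: a weak hash or a leaked plaintext makes every estimate above irrelevant.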
Oops, I think I did something wrong...
Don't get me wrong: going to consult your IT manager when you have a doubt about the legitimacy of an e-mail, for example, is a very good reflex. The trouble is that employees often consult the IT department when it is already too late...
The most common cases are the following:
Oops, I entered my password on a strange page after receiving a strange e-mail.
Oops, I made a 600€ transfer to a strange provider in Spain
Oops, I downloaded a weird file: trojan.vbs.
Oops, I bought Amazon gift vouchers because my boss asked me to (he got his own first name wrong, which is weird).
And that is not all: those who came to see you are only the tip of the iceberg. How many of your employees have done the same without ever consulting you?
This is a clear indicator of a lack of awareness among your employees. It is important to give them the keys to identify these risks and to teach them how to react to this kind of situation.
Phishing remains the first entry point for cyberattacks: 90% of cyber attacks start with an e-mail. Cybercriminals will always try to trick your least prepared employees into doing something that serves the attacker's interests.
In my old job, when I went to the coffee machine, I would often stop abruptly in front of a person I didn't know, standing in the middle of the office.
"Excuse me, who are you? "
"I'm Mr. What's-his-name, your colleague Mrs. Smith told me to wait for her here. The door was open so I came in."
Do you think that worried me at the time? NOT AT ALL! I simply answered "OK" and went to make my latte with two sugars as usual. Why? Because nobody had trained me to react to this kind of situation.
Then 10 of our MacBook Pros were stolen (I'll let you do the math on the total loss) and the subject finally came up.
By the way, you should have seen the footage from the surveillance cameras: the guy literally did his shopping with incredible serenity.
Cybersecurity is not just about computers. Physically securing access to your offices is an equally important topic. It is essential to train your employees not to let strangers into the office unchallenged.
Do any of these situations sound familiar? Then it is time to put cybersecurity awareness for your employees on the table.
To build an effective cybersecurity culture in your organization, it is important to follow three pillars:
It must be shared among teams
It must be caring
It must be continuous and scalable
But building a shared, caring and continuous cybersecurity culture is no easy task. Investing in the right tools is an option worth considering.
Riot now helps hundreds of companies build a sustainable cybersecurity culture within their organization. We educate thousands of employees every day on how to respond to cyber attacks.
Riot's awareness program lets you launch a comprehensive program covering the majority of basic cybersecurity topics (phishing, passwords, physical security) in just a few clicks.
Within a few months your team will be ready to face the most common cyberattack risks. Thanks to the Albert chatbot, the courses interact directly with your employees, which makes them much more intuitive and enjoyable to follow.