It happened again. Marriott had another data breach in June 2022. While the exposure of a reported 20GB of data isn’t anywhere near the 340 million guest records that were discovered breached in 2018, it’s pretty important to the 300 – 400 people whose information was compromised this time.
How did the hackers get in? They didn’t bust through technical barriers. It was one employee who succumbed to a social engineering ploy that opened the door and let the cyber criminal in. While all the facts of the cyber-attack aren’t known at this time, the incident is a wake-up call for anyone who doesn’t know that human error and lack of knowledge about cyber criminal tactics is the biggest threat to your cyber risk management efforts – and the very life of your business.
Cybercrime continues to be big business and you don’t have to be a global enterprise like Marriott to be a target. Small businesses are often seen as low hanging fruit by attackers who are looking for easy-to-steal confidential information and entry points for access to bigger targets.
What’s more, as they’re scheming how to do their dirty work, cyber attackers would much rather get your employees to open a door through their accounts than to find a way to go through your technical defenses.
How to Counter the Threat to Your Employees
Human behavior is the #1 leading cause of data loss, system failure and virus attacks. In fact, the Global Risks Report published by the World Economic Forum reports that 95% of cybersecurity breaches are caused by human error.
You may be inclined to look at your employees themselves as threats to your security – and insider threats are certainly plausible - but it’s much more helpful to consider the threats that they face every day.
The good news is that there are tactics you can use to prevent or at least reduce human error and poor judgement. Here are the top five:
1. Security Policies
Security policies inform and instruct employees on how to access data and IT systems. You most likely have a lot of these in your employee handbook and if it’s been a few years since they were updated, you no doubt have some changes to make. Not only does your network look different today, with remote workers, cloud services and Internet of Things (IoT) devices, but the threats that you’re facing are different too.
2. Least Privilege Access
Least privilege access goes hand in hand with your security policies and simply means that employees have access to the data and IT systems that they need to do their job and no more. Once you document what every job role needs, it’s important to revisit permissions on a regular basis to make sure that access to data doesn’t creep. For example, when an employee’s job changes, they could have added permissions that the person taking over their role wouldn’t need.
3. Multi-Factor Authentication (MFA)
Multi-factor Authentication might add another step to the procedure that employees use to access their accounts and your network, but the inconvenience is worth it because it puts a much bigger barrier between your network and a potential intruder. MFA doesn’t replace good password management but works in conjunction with it to lock down accounts.
4. Advanced Email Security
Email is a favorite vehicle for social engineering messages directed at your employees and an advanced email filter will help employees recognize fraudulent messages. For example, say there’s an email that looks like it comes from your CEO but it’s flagged as originating externally. That makes it easier to spot. Along with flagging external emails, an advanced filter will catch a lot of phishing emails preventing them from getting through in the first place.
5. Cybersecurity Awareness Training
Every company that wants to give their employees their best shot at becoming a strong defense against cyber intruders needs to provide ongoing cybersecurity awareness training. Modern training platforms use entertainment and gaming to make the training process as pleasant and impactful as possible. Training can be customized for employees that need a little more practice than others.
Equipping Your People to Manage Cyber Threats
You can’t leave cybersecurity to the tech team anymore. Everyone plays a role in keeping your organization safe from the threat of cyber attack. Send your people to the battle equipped with what they need to repel the threats that come at them every day.
Up Your Game with XperCARE plus DEFEND
Here at XPERTECHS, we work with clients to create IT and cybersecurity strategy that’s customized to their business and industry. The result is that executives have confidence that their running their business on a solid IT foundation and effectively managing cyber risks. If that’s not what you’re getting from your managed IT service provider, it’s time to up your game.