The current approach to cybersecurity is reactive. Many organizations naïvely believe they aren’t targets and that investing in cybersecurity is futile. With cyber attacks becoming more prominent, organizations need to take a proactive approach to cybersecurity, beginning with top-down awareness and followed by securing the organization’s biggest vulnerability—company email.
Creating a Cybersecurity Culture

Employees and members of the organization are the first line of defense against cyber attacks. How they conduct themselves online while at work, and the overall cyber hygiene they practice, determines how vulnerable the organization is. All it takes is one weak password, one connection to a public network, or one click on an unverified link to endanger an organization and make it susceptible to a cyber attack. Criminals go after the targets that are easiest and most profitable to exploit. An organizational culture that does not emphasize cybersecurity gives a criminal more opportunities to find an opening, because many employees lack the awareness and education needed to provide that first layer of protection.
In order to create a strong cybersecurity culture, there must be buy-in from all stakeholders, from the top-level executives to the summer intern. Below are suggestions on how to create a strong cybersecurity culture and increase organizational cyber hygiene:
- Implement continuous cybersecurity training for all employees
- Keep cybersecurity top of mind by discussing cyber attacks and breaches in the news
- Enforce the use of strong, unique passwords and update them at least every 30 days
- Have employees report any suspicious emails immediately
Securing Email

Email is the focus of two main tactics that cyber criminals use: account hacking and phishing. Securing email goes beyond having a strong password. If the cyber criminal gains access, the information inside must also be protected.
When an email account is hacked, the cyber criminal has found a way into a user’s account, most often through a weak password. If the user kept a clean email account and never sent personal or proprietary information, a hack would do minimal damage. However, most people fail to consider the consequences of emailing sensitive information in the event their account is compromised. Work and personal email accounts are often full of financial, health, and employment information, and this information is extremely valuable to cyber criminals.
Phishing has grown to be an extremely prevalent cyber attack, due to the profitability of ransomware. An estimated $209 million was paid in ransoms during the first quarter of 2016, according to a report by Sonicwall. The most common form of phishing is an email from a seemingly legitimate contact that carries a malicious file or link; once the attachment is downloaded or the link is clicked, malware, often ransomware, begins installing on the computer. Another form, spear phishing, can be extremely detrimental to an organization. In spear phishing, the email may be spoofed to appear to come from someone within the organization, and it will often request a wire transfer or information. A recent Clutch article cited a spear phishing case in which the cyber criminal successfully posed as an executive and requested payroll information from human resources (HR); the tax information of over 900 employees was compromised.
Every employee with a company email account is a point of entry for a cyber criminal. Initial precautions include a strong cybersecurity culture and good cyber hygiene, as discussed earlier in this article. However, further precautions are imperative. Precautions that can be taken include:
- Ensure that emails are being scanned for viruses, but don’t rely solely on this.
- Use two-factor authentication to verify email logins. This extra step impedes cyber criminals, and they may decide to move on to an easier target.
- Consider using an email encryption service that utilizes two-factor authentication and end-to-end email encryption to ensure emails are protected and exchanged between trusted parties.