CyberWyoming note: In collaboration with the Identity Defined Security Alliance, CyberWyoming is releasing a four-part series of blogs on Identity Management for Identity Management Day on April 11, 2023.
Day 1 – What Is Identity Management and Are Your Employees Taking It Seriously? https://cyberwyoming.org/day-1-what-is-identity-management-and-are-your-employees-taking-it-seriously/
Day 2 – What Is a Culture of Security? An Example https://cyberwyoming.org/day-2-what-is-a-culture-of-security-an-example/
Day 3 – How Small Companies in Wyoming Can Create a Culture of Security https://cyberwyoming.org/day-3-how-small-companies-in-wyoming-can-create-a-culture-of-security/
Don’t Wait Until a Crisis to Meet Your Local Tech Team!
“We’ve been educating people on good cybersecurity practices for decades. Public campaigns and organizations show us the best ways to protect ourselves online and stay safe from cybercriminals. Yet, cybercrime is still a major global challenge.” – Oh, Behave! The Annual Cybersecurity Attitudes and Behaviors Report 2021
The absolute worst time to ask for help from someone you don’t know is when you are in crisis. CyberWyoming received a call from a business about 3 years ago that had a data breach. The company didn’t have any relationships built with their insurance company, local economic development agency, attorney, or technical professionals. While they had insurance, they had never talked to their agent about the possibility of a data breach. The business owner didn’t know who to call or what their roles should be.
Developing those relationships and discussing roles before something happens is important. Even if you feel you don’t really need IT help because your business is too small, it never hurts to ask your local IT rep out for coffee to develop that relationship. Talking to your local insurance agent about cyber attacks and data breaches to see what the process would be if your company fell victim is important. Contacting your attorney to see if they have the expertise to help your company if the worst happens is also key. If your business is hit with something major from the internet, you will be glad you did!
Cybersecurity is really about relationship building and understanding roles. It isn’t any different from any other business networking to solve a problem or provide a solution.
According to CyberNews (https://cybernews.com/security/top-5-industries-that-fall-victim-to-phishing-scams/), 1 in 3 employees are likely to click on a phishing email. This information is based on studies where employees are sent risky emails to see who will fall for them. In fact, when testing a phishing product for a Wyoming Cybersecurity Competition participant, even a CyberWyoming employee clicked when they shouldn’t. “If you get in a hurry and want to be productive, it is easy to click on an unsafe link in email. Productivity is a risk factor for clicking when you shouldn’t,” said Laura Baker, CyberWyoming Executive Director, and manager of Wyoming’s Cybersecurity Competition for Small Business program.
In 2022, Reddit was the victim of a spear phishing attack which targeted employees logging into what they thought was the company network (see https://blog.knowbe4.com/reddit-spear-phishing-attack-data-breach for more information). Very soon after the attack, the employee who fell for the scam alerted their security department, which was able to limit the damage.
It is important while building your culture of security to make sure employees feel safe to report their errors. Security Magazine reports that 1 in 4 people who make a security mistake are fired, and that fear may keep some of your employees from admitting their mistake before it is too late. https://www.securitymagazine.com/articles/97321-1-in-4-employees-who-fell-victim-to-cyberattacks-lost-their-jobs
It is critical to work with employees to help them understand how important their role is in protecting their co-workers, their customers, and themselves. No one needs to live resigned to a world where our data is stolen on a regular basis. Employees can understand they are not sheep, and IT can only do so much to watch out for the bad guys. Instead, each one of us can help to ensure this marvelous, interconnected world that gives us so much good stays safe for everyone.
You don’t have to do this work alone. CyberWyoming can help! Join Wyoming’s Cybersecurity Competition for Small Business to learn how to create a secure company culture. Email firstname.lastname@example.org and see https://cyberwyoming.org/competition/ for more information.
In 2021 and 2022, the National Cybersecurity Alliance published annual reports of studies on the behaviors and attitudes that impact cybersecurity. The studies aim to illuminate one of the most important aspects of cyber risk, the human factor, and were conducted through a survey of two thousand people in the U.S. and U.K.
The 2022 report is available here: https://www.cybsafe.com/whitepapers/cybersecurity-attitudes-and-behaviors-report/.
The studies focus on the following core cybersecurity behaviors: passwords, multi-factor authentication (MFA), installing updates, checking that an email is legitimate, recognizing and reporting phishing, and backing up data.
About Wyoming’s Cybersecurity Competition for Small Business
In its sixth year, Wyoming’s Cybersecurity Competition for Small Business is one-on-one, on-the-job, human-focused security training that starts with the company’s mission statement and ends with security policy writing. Wyoming business leaders meet their security goals and have increased confidence with the subject, better relationships to support their security efforts, and improved products and services as a result of completing the program.
Registration continues through May 1. Winners receive cash prizes and a speaking engagement at the annual cybersecurity conference. Visit https://cyberwyoming.org/competition to register.