Source: NC DOJ 2022 Breach Report
Presented by Brian Vigna, Instructional Designer, NC State University Industry Expansion Solutions (IES)
This webinar is for small business owners and managers as well as employees involved in security planning.
Welcome to Cyber Security Awareness Month! October is the 20th anniversary of Cyber Security Awareness Month, and a perfect time to think about cyber security at your business. Cyber security is often inaccurately thought of as nothing more than a set of hardware and software applications like firewalls, technical controls like minimum password length, and regulations requiring audits. While those items are a key part of a cyber security strategy, they miss one of the most important pieces of the puzzle.
In North Carolina, 1,900 breaches were reported by businesses and agencies in 2022, with more than 90% caused by hacking and phishing. The reported breaches impacted “general business” more than 50% of the time, outpacing education, healthcare, financial services, and government combined! (See the full NC DOJ Data Breach Report for details.) If the message still is not clear: small to midsize businesses are the top target, and the most common attack relies on humans falling for scams.
Building a cyber culture is about much more than locks on doors and advanced encryption. In fact, it can be argued that the people who work at your company are the best defense against hacking and fraud. So, what can you do to build a strong cyber culture? Let us cover some of the best methods to move from passive to active in your approach to cyber security.
- Share the Load – Remember that breaches don’t typically happen to the IT team; they can happen to the accounting team, the shift supervisor, or anyone else. Excluding folks from the cyber conversation is a mistake and antiquated thinking. Include everyone in training, awareness efforts, and ongoing conversations about cyber security. Hackers are attacking small to midsize businesses because they have smaller IT staff and fewer technical controls. In addition, these hackers target regular employees rather than trained IT staff. Keeping everyone in the cyber conversation is a great way to operate as a secure organization.
- Keep the Conversation Going – Cyber security training once a year is a start, but certainly not the best way to ensure all employees are ready to identify and respond to breaches. Try adding a cyber minute or tech talk to weekly or monthly meetings, print out tip sheets or visual reminders of phishing and post them in common areas, use real-world examples of breaches and phishing to get conversations started, and remind employees to “say something if you see something”.
- Require Training for All Employees – Training is non-negotiable! That means all new hires, regardless of role or previous experience. Training should cover phishing, phone scams, and email scams, and include examples of phishing emails and scams. Employees should be retrained annually, and occasionally be exposed to scenario-based training like a mock phishing simulation. Reward positive behavior, maybe some doughnuts!! Never punish employees for mistakes in this training environment. Consider providing small prizes to those who perform well and are engaged in activities. Watching a 15-minute cyber security video is a great start, but the more we let employees actually experience what a breach might look like, the better the chance they respond properly when the real thing happens.
- Create Clear Personal vs Professional Use Policies – Email breaches accounted for 29% of all reported breaches in NC in 2022. The NC DOJ recommends limiting or eliminating the exchange of personal information available through email, minimizing the risk of a breach. This also means using unique passwords and account names on business accounts. Keep company data on company devices and keep personal data and activity on personal devices!
- Avoid Shame and Blame – In cyber security the old saying is, “it’s not if data will be hacked, it’s when”. Simply put, breaches are likely to happen on a long enough timeline. When breaches occur, it’s important to have a plan in place, a reporting structure, and practice reacting to these situations. Another important message is to remove blame in these unfortunate situations. Remind employees that reporting a suspected breach will be met with understanding and not punishment or embarrassment. If your staff is afraid of being fired or reprimanded, they are significantly less likely to report potential breaches. We need all hands on deck for cyber, and nobody should be fearful of retaliation or disparagement.
Cyber Security can quickly become a part of the culture of any organization, no matter how big or small. The key is to get everyone involved, talk about the issue, create resources to help employees identify and respond to potential breaches, and give everyone a chance to experience these attacks and practice skills to avoid them. If we work together, all North Carolinians can be more cyber secure!
Don’t forget to attend our upcoming webinar, “Practical Steps Towards Cyber Security” if you want to learn more about the technical controls and planning that can make your organization more secure.
Brian Vigna is an Instructional Designer and Security Awareness Training Specialist in the professional learning and instructional design unit for NC State Industry Expansion Solutions (IES). Brian has worked as an adult educator, trainer and instructional designer for more than a decade. Brian has taught a variety of information technology certification and professional development courses at the collegiate level, with small businesses, as well as in collaboration with the United States government. Brian is currently certified in CMMC (Registered Practitioner), CISSP, CompTIA Security+, CompTIA A+, CompTIA Network+, CompTIA Cloud Essentials. He is a Microsoft Certified Professional, AWS Solutions Architect and an AWS Cloud Practitioner. Brian is also currently pursuing a M.S. in education from NC State University.