As the end of the year approaches, we celebrate all of the accomplishments of 2019 in our rearview and look forward to 2020 with great hope and expectation. At the same time, we enter the holiday season where we spend time with friends and family, go shopping, and celebrate the things that make us thankful. Though many people go on vacation, cybercriminals sadly do not. In fact, the opposite is true.
During the 2017 holiday season, between Black Friday and New Year’s Day, cyber-attacks increased by 60% according to research by Carbon Black. According to Check Point, the use of retail phishing URLs during Black Friday of 2019 increased by 275%! Attackers’ growing ability to mirror the look and feel of legitimate brands, paired with offers that are too good to be true, is a powerful cocktail that persuades many to visit compromised sites, hand over their credit card data, or launch malware that can cripple your network and damage your reputation. During this holiday season, I wanted to provide some guiding principles to ensure that the celebration of the holidays stays with the legitimate businesses and the cybercriminals get nothing but coal in their stockings.
An Ounce of Prevention
Research by Cofense estimates that the average cost of a phishing attack on a medium-sized company is around 1.6 million dollars. Based on a study by Proofpoint, 99% of attacks focused on the human factor. This means that cybercriminals are creating ever more sophisticated email and social engineering schemes to convince your users to click, download, or enter their credentials – and the results are expensive. Whether the message appears to come from Microsoft, Amazon or the CEO, the attacker’s ability to copy the messaging, optics, and voice of the brand has improved to a level that makes it difficult for even savvy users to spot the differences. Due to this rising threat, every organization must take proactive steps to ensure that its employees are prepared to deal with it. By taking these attacks seriously and focusing on training users, we can prevent the costly impact of a breach and data loss. In order to get ahead of the threat, we must adopt a paradigm and cultural shift that focuses on the ways criminals attack us.
Marketing for Security
Cybercriminals use fraudulent marketing literature and fake deals to entice employees and customers to take actions that are not in their best interest. Marketing is powerful, and in the same way that it works to attract customers to our business, it can be leveraged to promote key security principles that help prevent and defeat cyber-attacks.
During the holiday season, employees are focused on finishing up year-end initiatives, preparing for vacations, shopping and other activities that naturally distract them from the vigilance they would normally exercise during other times of the year. With this in mind, it is essential to plan and execute an internal marketing strategy that puts cybersecurity at the forefront of our employees’ minds. Putting together newsletters, posters, email campaigns, social media posts and other forms of media could be the key to preventing an extraordinarily expensive mistake by an employee. Since 99% of email attacks require action by the employee for the attack to work, alerting our staff to the danger is a sure-fire way to reduce successful attacks. Since October is National Cyber Security Month, it would be a good idea to plan to keep your campaign running from October until the New Year.
Practice Makes Perfect
Another method of bolstering our defenses is running simulated phishing attacks. My team is constantly looking to catch me in the act of sending a simulated phishing email, and for good reason, since I want them to be critical of the emails they receive. By sending them simulated phishing emails, they get practice in identifying and defeating sophisticated phishing emails. Based on a Ponemon study, phishing simulations double employee awareness retention rates and yield a 40% ROI. When you consider that 95% of attacks on enterprise environments begin with a phishing attack, any edge we can get will help us avoid the dangers of a successful cyberattack.
In addition to marketing and testing, it is essential that you surround your organization with vendors and partners that share your diligence in addressing cyber risk. The integrated ecosystems we all operate in make third-party risk a necessary focus. Any vendor that has access to your sensitive data is a potential point of weakness if its environment is compromised. When drafting contracts for business partnerships, take the time to require that your partners attest to taking cybersecurity risks seriously. Then take the additional step of verifying that what they say they do, they actually do. This effort, especially during the holidays, could have a profound impact on protecting your data and keeping your business from suffering a costly data breach.
Together We Can
As we continue towards and through this holiday season, remember that cybercrime can be stopped and prevented in most cases. Cyber risk is no longer an IT problem; it is a business problem. The good news is that there are many solutions out there that address the technical challenges. But our greatest challenge, and our greatest strength, is the capability of our people. When properly trained, our teams can be empowered to usher in a secure holiday season and a prosperous New Year!