“It is imperative to educate and raise awareness among the collaborators of an organization through a Cybersecurity Awareness Plan, in order to raise the preventive standard against cyberattacks.”
According to US data from Norton, 75% of all cyberattacks start with the sending of an email. Fortinet, for its part, reports that 50% of all security incidents occur due to employee negligence. But what do these figures tell us?
We can develop a robust master security plan that addresses the different technical levels, implementing controls and technologies in the cloud, on the network, at the perimeter, on the internet, at the end user, and so on; however, we cannot ignore the weakest link, and perhaps the most important element, in any comprehensive cybersecurity strategy: the human factor.
A cybercriminal understands perfectly well that one of the most effective ways to perpetrate a cyberattack is to take advantage of the vulnerabilities presented by an employee who has no training and no knowledge of the risks, threats and best practices in cybersecurity. A weak password like 123456 is a clear example of why human behavior is the weakest factor in implementing a cybersecurity strategy. And, although it sounds very obvious, such passwords are very common in organizations, regardless of their size, industry or organizational culture.
This phenomenon occurs due to the lack of a Cybersecurity Awareness Strategy, Plan or Program, defined according to the type of company and its size. This type of initiative seeks to increase the “know-how” of a collaborator, so that they are able to identify basic risk factors and prevent a cyberattack.
Not having an Awareness Program increases the chances of suffering a cyberattack. According to the Ponemon Institute, in 2015 an attack derived from phishing (email scam) cost approximately USD 3.5 MM; by 2021 that cost had reached USD 7.5 MM. These attacks mainly occur because an employee clicked on a link or downloaded a malicious file from an email.
In addition to the obvious economic damage, a cyberattack generates two further consequences that can be fatal. One of them is the reputational damage to the brand that results from a cyberattack. In many cases where serious security incidents occur, companies end up spending millions to repair the image of a vulnerable or insecure company in the eyes of their consumers. An example of this is what happened in 2018 with Facebook and the security breach involving Cambridge Analytica, in which the latter used data from 80 million Facebook users to target political campaigns.
There is also significant operational damage from security incidents, such as what happened with Colonial Pipeline in 2021, where, as a result of ransomware (an attack in which data is held hostage and payment is demanded for its release), 45% of fuel distribution in the eastern United States was paralyzed, driving up prices for several weeks.
It is for all these reasons that it is imperative to educate and raise awareness among the collaborators of an organization through a Cybersecurity Awareness Plan, in order to raise the preventive (and not only reactive) standard against cyberattacks, reducing the risk in the human factor and thus complementing the controls and technical measures addressed in a Master Plan.