Institutionalizing Awareness to Stop Cyberattacks

By Aimei Wei, Founder and CTO, Stellar Cyber

Large and mid-sized organizations are always hoping for a ‘silver bullet’ technology or tool that will stop cyberattacks, but after years in the cybersecurity industry, I’ve got bad news: there isn’t one. The sad fact is that employee behavior is usually responsible. Numerous studies have shown that 60-80% of hacks start with user errors, so companies have to take action to change that behavior. It’s about processes, not technology.

The most promising way for hackers to penetrate a network is phishing – they disguise their bogus emails or texts as warnings or pleas from legitimate financial institutions, social media platforms, or e-tailers. These messages usually ask the recipient to click a link to reset a password or enter a security code to cash in on an amazing offer, and when the link is clicked, the hacker gets carte blanche to invade the user’s system. From there, the hacker travels over the company network to the real target – the company’s financial data, intellectual property, or customer account information, or control over the company network.

Phishing attacks have become increasingly sophisticated — making them more dangerous — and they’re also becoming much more common. Security tools provider SlashNext issues an annual State of Phishing report. At the end of 2021, the company detected 50,000 malicious URLs daily, a 68% increase from the start of the year. Less than 12 months later, the company detected 80,000 malicious URLs daily, or 255 million attacks – a 61% increase.

These attacks are more than just nuisances; they impact corporate value. In 2021, Continental Pipeline paid a $5 million ransom to hackers who had locked up its network, and other significant breaches have cost tens of millions in ransom payments. Moreover, this past July, the Securities and Exchange Commission adopted a final rule requiring public companies to disclose significant breaches within four days of their discovery, so successful attacks can definitely impact corporate reputations. In many cases, public disclosures of breaches have caused significant drops in corporate share prices – look at MGM Resorts’ stock price since an attack shut down casino operations in early September of this year.

Lamebrained password techniques are also a problem. Despite numerous articles urging users to create complex passwords that they don’t reuse from one account to the next, rely on the random password generators offered on most account creation screens, or use password manager applications, many users regularly violate common sense by using passwords that are easy to guess, storing written passwords in plain sight, or otherwise making life easy for hackers.

Let’s face it: hackers are going to hack, and they’re becoming more numerous and sophisticated all the time. What’s a company to do? Educate, educate, educate!

By the way, there’s nothing new about this advice. The industry has been singing this song for many years, but corporations are clearly not taking it seriously enough. So, in the spirit of public service, I reiterate: train employees to recognize phishing attacks and use strong password etiquette, and hold monthly meetings to refresh their memories. Here’s a quick primer.

Basic Education

At a minimum, users should:

• Be careful when they open emails or click on links from people they don’t know or don’t trust
• Not give away private information in emails
• Think about what they share on social media and change their settings so only certain people can see their information
• Keep copies of important information in a safe place in case their computer or device is damaged
• Not use public Wi-Fi for things like online banking, and use a special tool called a VPN to keep internet activity private
• Use strong and passwords that are different for each account.
• Keep your computer programs and apps up to date, so they have the latest protection against hackers.
• Learn techniques that hackers use to trick people into giving them information, and be suspicious of things that seem strange or unexpected.
• Use two ways to sign into their accounts (multifactor identification) for extra security.

Keep the Threat Green

Don’t think that cybersecurity education for users is a one-and-done exercise: continually reinforce the above techniques with short monthly meetings. To make the meetings more interesting for employees, encourage them to show examples of the latest bogus emails or texts they have received. Maybe even offer a monthly prize for the sneakiest example of phishing.

So, yes, companies can and do spend millions on the latest cybersecurity tools, but the hacks just keep coming. By becoming more proactive in educating users about their role in preventing cyberattacks, organizations can cut their exposure in half. And remember, you’re not just protecting the network – you’re protecting the company’s valuation and bottom line.

About the Author

Aimei Wei has over 20+ years of experience building successful products and leading teams in data networking and telecommunications. She has extensive working experience for both early-stage startups including Nuera, SS8 Networks and Kineto Wireless as well as well-established companies like Nortel, Ciena and Cisco. Prior to founding Stellar Cyber, she was actively developing Software Defined Networks solutions at Cisco. Aimei enjoys building a product from its initial design to its final launch. Aimei has an M.S. in Computer Science from the Queen’s University in Kingston, Canada and an Undergraduate degree in Computer Science from the Tsinghua University of China. Aimei can be reached online at [email protected] or at our company website https://stellarcyber.ai.