Interviews | February 22, 2022
Helping Employees Keep a Pulse on Cybersecurity
By Irene Yeh, Brand Chain Staff
As technology advances, businesses can expand their reach to customers and organize and store information more conveniently. The pandemic has pushed companies, more than ever, to move their services and information online, and that shift appears to be permanent.
With this change, however, many companies also face new problems. Attackers are continuously developing new techniques to bypass firewalls and breach databases in order to steal information from businesses. Confronting these cyber criminals can be intimidating, but it is not impossible.
We spoke with Nathan Mousselli, managing director of FTI Consulting, and asked him for advice on how to protect information databases and prevent external threats from stealing data.
Even if an organization has implemented cybersecurity training, some employees still fall for phishing scams, fraudulent emails and more. How can you ensure that your employees consistently know what to look out for? How do you combat human complacency?
Cybersecurity is constantly evolving as a threat. Threat actors adapt their techniques to take advantage of new vulnerabilities, organizational change and situational uncertainty. We saw this at the start of the COVID-19 pandemic. New phishing scams emerged that lured individuals to click on links or download attachments that appeared to provide new COVID-19 guidance. In times of uncertainty, it’s easy to set best practice aside.
To improve employee awareness and mitigate cyber risk, it’s important to educate employees on the latest cyber threats and indicators of fraudulent emails. Consider communicating cybersecurity trends, updates or incidents to your employees through a regular newsletter and sharing examples of phishing or social engineering techniques.
An organization should also implement regular cybersecurity awareness training. There are many virtual education programs that can help teach and test them on the latest trends and what to look out for. If possible, randomly test your employees with unexpected phishing simulations to exercise their ability to spot fraudulent emails and respond appropriately.
Complacency can be overcome by switching the mindset around cybersecurity from one of a workplace hindrance to that of a value add. Stress its importance to the viability of the organization, and in turn, the employee’s job.
Some employees may find certain digital or tech-based lingo difficult to follow. How would you suggest making training easier for employees to understand?
An effective cybersecurity employee training program should use examples, real world or hypothetical, analogies or comparisons, and simple language to educate individuals about important technical concepts and how they relate to the individual’s role in the organization. The program should not be overly technical and should emphasize that employees often serve as the first line of defense.
It’s critical for employees to understand how to prevent an incident from occurring and how to recognize when systems may be at risk of an attack. I’ve found that telling true stories and conducting demos or simulations are extremely helpful in illustrating how cyberattacks unfold and what the appropriate response should be.
Who is more likely to be hacked? Smaller or bigger firms?
Every organization is at risk of a cyberattack — no matter how large or small. We often hear in the news about large organizations experiencing massive data breaches or ransomware attacks, but small and medium-sized enterprises are also targets. They may have less mature cybersecurity programs and are therefore easier to breach, or they could serve as an entry point into a larger organization.
In FTI Consulting’s latest Resilience Barometer survey, we found a negligible difference in the percentage of organizations that had not been negatively impacted by a cyberattack in the last 12 months, when comparing organizations with less than 1,000 employees (22%) to those with more than 1,000 employees (21%). At FTI, some of the most sensitive data breaches we have worked on have been the result of a smaller organization being compromised.
If your organization suffers from a data breach, what are the consequences and liabilities? How do you gain back public trust?
Data breaches can result in financial loss, reputational damage and sometimes even litigation. IBM Security publishes an annual report, “Cost of a Data Breach,” where they categorize financial losses from a data breach into four categories: detection and escalation, lost business, notification and post-breach response.
Lost business cost is usually the bulk of the financial loss, and it includes “activities that attempt to minimize the loss of customers, business disruption and revenue losses.” Because of this, it is vital to be proactive in your cybersecurity approach.
Organizations often feel they are secure since they have not suffered a breach, and thus do not want to invest additional funds where there may not be an immediate tangible return on the investment. Having a robust cybersecurity program and conducting training, vulnerability assessments and penetration tests, as well as planning for such incidents via an incident response plan, tabletop exercises, etc., can reduce your risk of being the victim of a cyberattack. That in and of itself is the return on the investment.
In the event of a cyberattack, it’s important to remember that how organizations communicate internally and externally about the potential breach can greatly influence public trust. At FTI Consulting, we have a crisis communications team dedicated to cybersecurity and data privacy incidents because of the impact of these breaches on reputation, and therefore the bottom line. To gain back public trust, it’s important to invest in your cybersecurity program and improve defenses to protect critical assets and sensitive information. Changes to improve cybersecurity maturity across the organization demonstrate a commitment to securing what matters most to your stakeholders.
When consulting with third-party experts, how can you determine that you can trust their knowledge and legitimacy?
Like with any third-party vendor, it’s important to conduct due diligence. I would look into the background and experience of the experts, ask for references and examples of their work, and leverage your internal teams to conduct interviews to vet the experts’ approach and methodology.
Looking for more info on how to keep your business up to date on the latest in cybersecurity? Visit the Brand Chain webinar archives (brandchaincommunity.org/ArchivedWebinars) and tune into Nathan Mousselli’s presentation, “Regulatory Compliance: What, When, Where, and Why.”