Five ways to stay cyber resilient as phishing scams rise

December 4, 2020
The Twitter breach was one of this year’s high-profile phishing attacks, but the social media company was not alone. Today’s columnist, Tyler Moffitt of Webroot, offers five ways companies can stay resilient in the wake of ever-rising phishing attacks. (Credit: CC BY-SA 2.0)
  • Ensure workers have clear distinctions between work and personal devices. The report found that one in three Americans use their personal devices for work, much higher than any other country surveyed. An additional 8 percent use their work devices for personal matters, while a whopping 43 percent do both. With so many employees working outside of traditional office settings, it’s difficult to enforce good boundaries. However, by ensuring workers have clear distinctions between work and personal time, devices, and obligations, businesses can reduce the amount of uncertainty that can lead to phishing-related breaches.
  • Invest in regular training. Despite many Americans claiming they know how to spot a phishing scam, 59 percent said they regularly click on emails from unknown senders. To help employees develop better cybersecurity habits as well as a healthy dose of skepticism, companies must invest significantly in regular training and education, including phishing simulations. In fact, 35 percent of employees said knowing what to do if they fall victim to an attack would help prepare them to handle cyberattacks, and another 30 percent said understanding the most common types of attacks would help prepare them to handle cyberattacks. As psychologist Dr. Prashanth Rajivan, assistant professor at the University of Washington, said: “I am a strong believer in reinforcement learning. Human behavior is shaped by past experiences, consequences and reinforcement. To see a real change in human behavior related to phishing and online risk-taking habits in general, people need frequent and varied experiences, plus appropriate feedback that incentivizes good behavior and disincentivizes poor behavior.”
  • Create a cyber resilient culture. Only 19 percent of American workers said they think all employees should play a role in their company’s cyber resilience. However, a culture of cyber resilience recognizes that everyone – not just IT – has role in cybersecurity. When businesses internalize this culture, they are better prepared, better able to respond and better positioned to experience growth. In addition to regular employee training, businesses can reinforce a cyber resilient culture by publishing regular communications on security topics in the form of emails, internal social media, posters and videos. Businesses should highlight real-world threats employees need to watch out for in their work and personal lives, and industry news about other businesses that were adversely affected by attacks.
  • Update software and systems regularly. Hackers often exploit security holes in older software versions and operating systems. Regularly updating software and systems closes those holes. Fortunately, the report found that about one in four people update their computer operating systems and software more often than they did when they did prior to COVID-19. Remind employees not to put off updates and to regularly update their passwords. 
  • Back up data and make sure employees can access and retrieve data from anywhere. Although the pandemic has brought a new reliance on cloud and collaboration services such as Microsoft 365, only 65 percent of American respondents said they or their company backup their Microsoft 365 files, leaving a huge gap in data recovery plans. Yet 58 percent have needed to recover lost files since the pandemic began. While Microsoft 365 ensures the availability of a company’s infrastructure, it’s important to remember that every employee must protect their own data. Microsoft recommends a third-party backup provider for the types of everyday data loss scenarios that businesses can face. Employees are dealing with a lot of stress today, and we don't have to add security to the list. By simply minimizing false confidence and empowering the workforce with tools and training, security teams can better equip employees to confidently -- and correctly -- make strong, secure decisions about what to click and what not to click.
prestitial ad