What is the best way to handle accidentally letting someone into your organization? Tell someone – and quick.
October is cyber-awareness month, forcing us to remind ourselves that the risk of phishing and cyberattacks against businesses continues to grow apace. And it’s a real fear for organizations that an errant employee clicking on an unknown link can quite easily give away the keys to the kingdom for the entire business. Research by Cisco found that at least one person in 86% of organizations last year clicked a phishing link.
Clicking on those links can spell doom for any business that employee works for: around nine in 10 data breaches can trace their roots back to a phishing attack, according to the same Cisco research.
But the simple fact of the matter is it happens. Any business that employs human beings will find that humans inevitably make mistakes. It is, after all, what makes us human. The real challenge is what happens when your employee clicks that link and how they then act.
Fess up as soon as possible
No one likes to admit that they’ve made a mistake in their workplace. Apart from the human embarrassment that results from knowing you’ve messed up, there’s a more fundamental worry that the challenging economic climate has caused. Saying that you’ve made a mistake – particularly when it can potentially allow hackers to get access to all your company’s servers – is a big step to make and could risk you losing your job.
At a time when competition for jobs is higher than ever, and many countries are teetering on the edge of recession and facing a cost-of-living crisis, admitting such a costly mistake could end in unemployment. For that reason, some employees may be reluctant to step forward and admit that they’ve clicked on a dangerous link.
For businesses, the short-term benefit of firing that employee, or putting their job at risk, is nothing compared to the long-term pain that can result from a cyberattack. For that reason, it’s vital that organizations ensure they have an open, welcoming response to anyone admitting to clicking on a phishing link. There should be a zero-blame, zero-repercussion approach to these things in order to encourage people to admit their mistakes.
Why speed is of the essence
The reason that you need to encourage people to come forward to admit potential mistakes is that every second counts when you’re trying to head off a cyber incursion. A study by Michel Cukier, Clark School assistant professor of mechanical engineering and affiliate of the Clark School's Center for Risk and Reliability and Institute for Systems Research, found that hackers are trying to launch attacks against would-be victims every 39 seconds.
The trade in breached servers and stolen credentials is so speedy that someone could break into your company’s system in the morning and have sold access to it through a dark web or hacking forum by lunchtime. Cybercriminals usually take just 9.5 hours to gain access to a target’s network, while companies often take days, weeks, or even months to identify where they’ve been breached and to plug the gap.
"There’s no such thing as a riskless internet, data breaches happen. However, having a cleaner digital footprint is not just about potential data breaches and keeping your data safe from the hands of hackers, but also it’s about the representation of yourself online," Gal Ringel, the CEO and Co-Founder at Mine, told Cybernews.
It’s important to impress on employees the sheer disparity between the speed at which hackers can attack and the speed at which businesses scan their systems for signs of incursion. Even a business that monitors its servers nightly would probably find out too late that something had gone wrong if it wasn’t proactively reported. Sooner or later, it all comes to light, so it’s better to report it early.
Turning the act of reporting a mistake from a point of shame into a point of pride is vital. So is explaining why speed is of the essence and that people often make mistakes when it comes to phishing.
Flipping the idea of responsibility on its head means pointing out that employees who fall victim to phishing attacks aren’t irresponsible – they’re just human. However, those who report being tricked are responsible. These are all methods of ensuring people fess up when things go wrong. And ultimately, that can keep your business safe.