As more and more global commerce and data management takes place online, the likelihood and potential impacts of cyberattacks are sure to increase. In an article for Harvard Business Review, Alex Blau cites some prominent and recent examples of the potential impacts of cyberattacks on even the largest and most sophisticated businesses:
“The average annualized cost of cybercrime for global companies has increased nearly 62% since 2013, from $7.2 million to $11.7 million,” Blau writes, noting that these are just average direct costs. “Target, which experienced a massive data breach in 2013, reported that the total cost of the breach exceeded $200 million. Verizon, which recently purchased Yahoo, may have snagged a $350 million discount because of three large-scale Yahoo data breaches that occurred in recent years,” he reports.
But Blau’s article also notes that while we typically think of cyberattacks and cyber vulnerabilities as highly technical issues, many of the biggest and most exploitable risks are actually caused by basic human behavior: procrastination when updating security patches, failure to follow policies on opening attachments, giving out secure information via e-mail or over the phone, etc.
Blau’s article goes on to describe several psychological insights into lapses in cybersecurity, as well as the practical implications of being able to identify those lapses. For example, Blau notes that “[o]ne of the most influential insights from the behavioral sciences is that whatever is in the ‘default’ position generally sticks.” So, for example, if employees have the ability to opt in to certain security best practices, as opposed to having to opt out of those practices (i.e., they are the default), they are more likely to overlook them.
Don’t let the term “cyberattack” fool you. Many of these attacks start out relatively low tech and focus on human vulnerabilities. While it can be daunting to think of the human risk that is ever-present in implementing a successful cybersecurity policy, that risk can also be viewed as an opportunity to make significant gains in cybersecurity, relatively inexpensively, by simply training employees on the potential risks and how to avoid them, as well as employing more rigorous requirements for their compliance.
Finally, don’t take a “one and done” approach to this important training and education. Frequent reminders and updates can help to ensure that cybersecurity is top of mind for your employees to help minimize risk to your organization and your customers or clients.