Learning & Development

Cybersecurity Training: ‘Hacking’ Your Own Employees

Cybersecurity threats aren’t just concerns for national governments. They can and do impact companies of all sizes. Whether they are intended to steal sensitive corporate secrets, steal payment information, or disrupt service and take down websites, cyber-risks can pose significant financial, regulatory, and logistical challenges for businesses of all sizes.


Costs of Cyberthreats

When considered holistically, the cyberattacks themselves are only a portion of the costs. We can think of three separate buckets of cybersecurity costs: money spent on preventing attacks, the costs of the attacks themselves, and recovery from attacks.

“Ransom payments and data theft aren’t the only issue companies face after a cyberattack,” according to cybersecurity firm OBT. “The aftereffects are often far worse—often draining months of time and millions more dollars than the cost of the initial attack.”

The company goes on to note that an attack itself “often amounts to just 23% of overall costs. The majority of financial losses are due to system downtime, lost productivity, damaged reputation, lawsuits, regulatory actions and damage to infrastructures.”

Costs of Prevention

In terms of prevention, we’re looking at global numbers in excess of 13 figures. Gartner puts the annual worldwide spend for information security at close to $100 billion. “Gartner’s forecast concentrates on corporate IT and includes categories such as IT security outsourcing, managed security services, consulting and implementation, infrastructure protection, application security testing, data loss prevention (DLP), endpoint protection, security information and event management (SIEM), secure email and web gateways, identity governance and administration, web access management, and other IAM,” the company says.

And even with all those components, information security is itself just one subset of the broader cybersecurity market, which is expected to exceed $1 trillion in cumulative global spending from 2017 to 2021.

Needless to say, cybersecurity is expensive, but not all of the industry best practices for keeping companies and their data safe from cyberthreats involve expensive software and IT infrastructure. In fact, the United Kingdom’s Information Commissioner’s Office reports that four out of the top five causes of data breaches are human or process error.

The Weakest Link

It’s commonly known that humans are the weakest link when it comes to cybersecurity, and indeed, as noted above, four out of the top five causes of data breaches are human or process error. While this is a scary statistic, it’s also cause for hope because it represents relatively low-hanging (and possibly inexpensive) fruit for beefing up cyberdefenses.

Additionally, it’s simply not realistic to hope that nonhuman security tools will defend against all cyberthreats. There are simply too many that change too rapidly.

For example, News & Observer reports that North Carolina’s UNC Health Care in Chapel Hill, which employs 30,000 people across the state, sees over 90 million suspicious e-mails each quarter, although its internal security system manages to block around 90% of them. That means, though, that millions are still getting through to employee inboxes.

Hacking Employees

Recognizing this significant threat, many companies are turning to the strategy of “hacking” their own employees. This involves sending simulated spam and phishing e-mails to employees to see if any take the bait.

In an interview for NPR, Lisa Kaplan, digital director for Maine Senator Angus King, explained how King’s reelection campaign team used this strategy with campaign staff. “We would try to get them to do things like change their password for their email or change their password for the database we were using,” Kaplan said.

When employees fall for these fake e-mail tricks, the next step is for their organizations to follow up with them with additional training and a reinforcement of company policies and best practices.

Targeting internal staff with fake cyberattacks might sound a bit over the top at first, but it makes good sense. The idea isn’t to shame or punish staff but rather to identify vulnerabilities and correct them. After all, it’s better that staff fall for a fake cyberthreat and learn from their mistake than to fall for the real thing.
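The follow-up step described above only works if the campaign results are actually measured and turned into a training list. The script below is an added illustration, not code from the article or from any of the organizations it mentions: it parses a constructed event log from a simulated phishing campaign (the log format, campaign id, and usernames are all assumptions), records the most serious action each recipient took, and produces campaign metrics plus a follow-up training queue. It also tracks who reported the message, since a rising report rate is the behaviour the training is meant to build.

```python
"""Phishing-simulation outcome tracker.

Added example, not from the article. Assumes a simple event log in which
each line is "<timestamp> <campaign_id> <user> <event>" and event is one of
sent, opened, clicked, submitted, reported. All values below are constructed.
"""
from dataclasses import dataclass

# How far a recipient went along the simulated attack path (higher is worse).
SEVERITY = {"sent": 0, "opened": 1, "clicked": 2, "submitted": 3}

# Constructed sample log for one simulated campaign; usernames are placeholders.
SAMPLE_LOG = """\
2019-03-04T09:00:01 camp-01 alice sent
2019-03-04T09:00:01 camp-01 bob sent
2019-03-04T09:00:01 camp-01 carol sent
2019-03-04T09:00:01 camp-01 dave sent
2019-03-04T09:12:45 camp-01 alice opened
2019-03-04T09:13:10 camp-01 alice clicked
2019-03-04T09:13:40 camp-01 alice submitted
2019-03-04T09:20:05 camp-01 bob opened
2019-03-04T09:20:30 camp-01 bob reported
2019-03-04T10:01:00 camp-01 carol opened
2019-03-04T10:01:20 camp-01 carol clicked
2019-03-04T10:05:00 camp-01 carol reported
"""


@dataclass
class UserOutcome:
    worst: str = "sent"     # most serious action taken on the simulated lure
    reported: bool = False  # True if the user reported the message to security


def parse_events(text):
    """Parse log lines into (timestamp, campaign, user, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"malformed line: {line!r}")
        ts, campaign, user, event = parts
        if event != "reported" and event not in SEVERITY:
            raise ValueError(f"unknown event {event!r} in line {line!r}")
        events.append((ts, campaign, user, event))
    return events


def summarize(events, campaign_id):
    """Reduce the events of one campaign to a per-user outcome."""
    outcomes = {}
    for _ts, campaign, user, event in events:
        if campaign != campaign_id:
            continue
        outcome = outcomes.setdefault(user, UserOutcome())
        if event == "reported":
            outcome.reported = True
        elif SEVERITY[event] > SEVERITY[outcome.worst]:
            outcome.worst = event
    return outcomes


def campaign_metrics(outcomes):
    """Click, credential-submission and report rates across all recipients."""
    total = len(outcomes)
    if total == 0:
        return {"targets": 0, "click_rate": 0.0, "submit_rate": 0.0, "report_rate": 0.0}
    clicked = sum(1 for o in outcomes.values() if SEVERITY[o.worst] >= SEVERITY["clicked"])
    submitted = sum(1 for o in outcomes.values() if o.worst == "submitted")
    reported = sum(1 for o in outcomes.values() if o.reported)
    return {
        "targets": total,
        "click_rate": clicked / total,
        "submit_rate": submitted / total,
        "report_rate": reported / total,
    }


def training_queue(outcomes):
    """Users who clicked or submitted, most serious first, as (user, worst, reported).

    Someone who clicked but then reported still gets follow-up training; the
    reported flag is kept so the conversation can start with what they did right.
    """
    needs_training = [
        (user, o.worst, o.reported)
        for user, o in outcomes.items()
        if SEVERITY[o.worst] >= SEVERITY["clicked"]
    ]
    return sorted(needs_training, key=lambda item: (-SEVERITY[item[1]], item[0]))


if __name__ == "__main__":
    outcomes = summarize(parse_events(SAMPLE_LOG), "camp-01")
    print(campaign_metrics(outcomes))
    for user, worst, reported in training_queue(outcomes):
        print(f"follow up with {user}: {worst}" + (" (reported it afterwards)" if reported else ""))
```

In the constructed log, half the recipients clicked, one of the four submitted credentials, and half reported the message; the training queue lists alice (submitted) ahead of carol (clicked, then reported), while bob and dave need no follow-up. The same summary run across successive campaigns is what lets a company show that its follow-up training is actually moving the click and report rates.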