Ten minutes, one hour, four hours, click. Postpone that annoying Windows update.
Avoiding that dreaded dialogue box that pops up on the screen twice a day is a no-brainer for many American employees who don’t want to restart their computers and install a software patch.
But in terms of cybersecurity, what seems like an immaterial decision can quickly become a pipeline for hackers and a major expense for companies.
As cybercriminals move faster and companies take longer to discover security breaches, employee training becomes ever-more crucial, said Amy Baker, vice president of marketing for Strip District-based Wombat Security Technologies.
“Simulated phishing and training is so important to help users protect against phishing and ransomware attacks,” she wrote in an email.
The WannaCry ransomware attack earlier this month — which affected more than 200,000 computers in 150 countries — proved that opting out of a software update may not only expose just a single computer to a cybersecurity breach, but it could spread to the rest of the local network like wildfire.
“If you have a version of Windows or Mac OS X that has a vulnerability, before the vendor patches it someone can write a worm to exploit that,” said Shaun Murphy, a former government consultant on cybersecurity and CEO of sndr.com, a communications and content sharing platform.
Employees don’t intentionally put their companies at risk for these types of attacks. There’s merely a disconnect between cybersecurity prevention tactics and the typical end user’s knowledge of online safety.
A March study by Pew Research Center indicated 75 percent of the 1,055 adults who took part in a cybersecurity knowledge quiz only answered two of 13 questions correctly. One percent of the test group answered all 13 questions perfectly.
The study suggests Americans are quite good at detecting secure passwords, but just over half of the test group could identify a phishing scam. Only 33 percent knew that “https://” in a URL meant information entered into the site is encrypted, as compared to “http://,” which is deceptively similar. And 48 percent were able to identify ransomware.
Ransomware — a form of malicious software, or malware — blocks access to a device or data until a ransom is paid. While just about 2 percent of victims actually pay the ransom, according to a 2017 State of the Phish™ report from Wombat, there are further burdensome costs to employers.
From a financial perspective, the average annual cost to contain a malicious software infection is $1.9 million for a 10,000-employee business, according to the annual “Cost of Data Breach Study” from IBM and Ponemon Institute.
Retail chain Target knows the costs of malware all too well. In a November 2013 cyber attack, criminals exploited weaknesses in the discount retailer’s system, allowing a breach of the company’s customer service database. Over 100 million pieces of credit card or personal information were stolen, including customers’ full names, telephone numbers, email and mailing addresses, payment card information and even encrypted debit card PIN numbers.
In Pennsylvania, 1.6 million consumer transactions were affected. Earlier this week, the state announced it would join 46 others in an $18.5 million settlement with Target.
Phishing scams, by comparison, accrue an average annual cost of $3.8 million in a 10,000-employee business, according to IBM and the Ponemon Institute.
Earlier this month, a Google Docs phishing scam compromised over one million Gmail users who clicked a false link. That move not only forfeited their login information and personal documents, but allowed the virus to send cascading emails to others under the alias of the original Gmail user.
Ms. Baker noted that the Anti-Phishing Working Group — a coalition focused on global response to cyber crime — found that after a 65 percent spike in phishing emails in 2015, the volume has decreased significantly.
“However, at the same time, ransomware attacks are on the rise,” Ms. Baker said. “Cybercriminals are definitely becoming more sophisticated — they’re diversifying their tactics now that end users are becoming more savvy.”
Training once per year does not suffice.
“Firms should apply a cyclical approach that both informs users about best practices and teaches users how to employ these practices when they face security threats,” she said. “We’ve also found that simulated training is working well among end users especially in identifying targeted attacks.”
Successful cybersecurity education must be continual and engaging, Ms. Baker said. “Hands down.”