Doing Your Civic Cyber Duty

By ISBuzz Team
Writer, Information Security Buzz | Jan 11, 2016 07:00 pm PST

How often do you think about your own cybersecurity? Unless you work in the IT department of a major enterprise or government agency, there’s a good chance you’re not thinking about it as often as you should be. Maybe you’re careful about what you share on social media, or have rewritten your passwords to use more complex character strings. But, do you use two-factor authentication, or password managers, or sandboxing services to scan inbound emails?

Maybe you think you don’t necessarily need to go this extra mile, and that these precautions are only optional. But, that would be a serious mistake. If you think about it, your identity itself is one big IP: your email, passwords, bank account and credit card information, Social Security numbers and so on. And, lacking more sophisticated threat protection for these pieces of personal information opens you up to a wide array of fraud and cybercrime risks.

Those concerns are further compounded at work, where your personal lack of email security could raise the risk profile for everyone you do business with, both co-workers and clients alike. It’s imperative, therefore, that individuals stop looking at cybersecurity as an optional luxury and start looking at it as their mandatory civic duty.

Imagine, in the future, having a potential business partnership fall through because your company has a track record of data breaches caused by poor employee security or email protection. Or, being fired because you password-protected your work email with something like “12345” that ended up resulting in your entire system being compromised. A change in attitude toward personal cybersecurity can make all the difference in building stronger walls around sensitive data – and failing to do so can lead to more widespread data breaches and business instability.

Spear-Phishing and Social Engineering

When you consider how common targeted email attacks have become, the prospect of individual employees not doing all they can to safeguard their email from cyber threats sounds downright irresponsible.

Phishing and spear-phishing emails that contain malicious links or attachments account for a whopping 91 percent of all data breaches – and their impact can be seen all across the board: Anthem, Home Depot, the Pentagon and JPMorgan, just to name a few.

These incidents are just the tip of the iceberg, and represent a growing trend wherein entire enterprises suffered massive data breaches that resulted in the personal information of millions of people – including employees, clients and business partners – being compromised, all because a select few employees somewhere along the way fell victim to spear-phishing emails.

The Impact on Businesses

In the immediate aftermath of a data breach, a business may experience a drop in customer traffic and sales, particularly if payment information was compromised. Naturally, if customers can’t entrust their credit card information to retailers, like Target, they would be hesitant (to say the least) to return to the store anytime soon.

How long this decline in consumer confidence lasts depends entirely on how well the affected company handles the fallout, but the aftereffects can be especially damaging for retailers. A Retail Perceptions survey found that 12 percent of customers would stop shopping with a retailer after it was attacked in a data breach, 36 percent said they would continue shopping but spend less and 79 percent said they would refrain from using credit or debit cards at those stores.

The consequences of a data breach stretch even further, though. In the long run, a data breach can ruin a company’s reputation, making it difficult, if not impossible, to shake off their association with the incident. Look at Target: their breach occurred from an email phishing attack more than two years ago, yet everyone’s still talking about it today as the quintessential, go-to example. When you consider that 85 percent of those polled by Retail Perceptions said that if their payment information were compromised, they would share that experience with others, it’s easy to see how one hack could lead to years of damaging ripple effects.

Thanks to the FTC, there are now potential legal ramifications on the table for companies that fall victim to targeted email attacks like spear-phishing or fail to implement proper cybersecurity protection. The global hotel chain Wyndham Hotels & Resorts, which had been hacked three consecutive times within just over a year, was sued by the FTC for failing to implement reasonable cybersecurity protocols that would protect their customers’ information. When the FTC’s lawsuit was upheld by the U.S. Court of Appeals, the agency set a precedent where companies could be held legally liable if they don’t take reasonable care to put cybersecurity controls in place.

Lacking personal email security could also raise risks for an employee’s job security. If an employee is hit by a spear-phishing attack that goes on to negatively affect the entire company, could they be reprimanded for that? Or even fired? It may not have been a malicious act on the employee’s part, but even as a mistake, that kind of negligence is resulting in greater and greater repercussions for businesses and may very well have to become a punishable offense in the near future. Terminating an employee over poor cybersecurity may also be just the kind of wake-up call needed to get more people to recognize the importance of adopting the proper email safeguards for themselves and those around them.

Changing the Social Outlook on Cybersecurity

As news stories of data breaches become more prevalent, the stigma around poor or absent cybersecurity will keep growing as well, in turn affecting a company’s ability to attract new customers or business partners.

Changing the public’s attitude on cybersecurity requires greater education about what spear-phishing looks like, and following best practices (like secure email gateways or firewalls) to better vet inbound emails.

It’s also important to impress upon employees their own personal responsibility in maintaining email security at work. The expectation can’t just be that it’s an IT responsibility or a C-suite responsibility that’s out of your hands anymore. It now falls on everyone to take reasonable care in protecting themselves.

This level of awareness needs to go both ways, though. It’s not just the rank-and-file employees who need to protect themselves and their email inboxes; their supervisors and managers need to take those same precautions, too. No one can think they’re “above” the need for email security.

Look no further than John Brennan, director of the CIA, for an example. Here’s a man whose career is all about managing spies and running one of the most prominent intelligence agencies in the world… yet, he fell victim to simple social engineering tactics that breached his personal AOL email account.

According to the initial investigations of that breach, the hackers were able to get their hands on dozens of emails from Brennan’s personal account, including emails he had forwarded to that address from his government account. These messages allegedly included a range of valuable sensitive data, from Social Security and passport numbers belonging to his family to a spreadsheet containing the names and Social Security numbers of some U.S. intelligence officials. And while the documents obtained may have predated Brennan’s appointment as CIA director, the incident nonetheless represents a case where a serious breach could have been avoided had Brennan adopted some simple email security measures to protect himself.

Cybersecurity in Your Hands

Just like voting or jury duty, cybersecurity is an issue that affects everyone and, therefore, should be taken up by everyone. All votes carry equal weight in an election, all jurors carry equal weight in a court case and all email inboxes carry equal weight in how secure your business is (or not) from an external cyberattack.

About Orlando Scott-Cowley

Orlando, a cyber-security specialist, joined Mimecast in 2006 in the company’s infancy and has been a key part of the company’s growth into the UK and USA markets. A technologies graduate, CISSP and CCSK, he has a solid IT Security background and 17 years of high level Technical Consultancy experience, ranging from security & risk consultancy, to penetration testing and more technical specialisms.

Orlando writes and speaks for influential publications and events in the UK and US on a variety of topics from security, risk, compliance and in particular the emergence of cloud and SaaS technologies.