My staff is going to write a post-breach reaction plan. Is there anything else that I need?
According to the 2022 Data Breach Investigations Report from Verizon, 82 percent of breaches involve a "human element," a category that covers employee error, misuse, and attacks that succeed by fooling a person, such as phishing. https://www.verizon.com/business/resources/reports/dbir/
So, if you cut the human mistakes, you cut your cyber risk dramatically.
Minimizing human negligence requires changing human behavior. In a modern society, changing behavior requires training, and training requires repetition until the brain is conditioned to recognize a threat, such as a phishing email, or to understand that leaving a laptop on the back seat of a car is not safe.
Part of being human is making mistakes so post-breach plans are great…I am all for them. Pre-breach training is even better because your goal is to never have to use that post-breach plan.
Think of cybersecurity the way you would address the risk of fire in your home. Planning an escape route in case of a fire is very good…it can save lives. A smoke alarm is critical so you can be warned of a potential fire. Training your household on what causes fires and how to prevent them lowers the risk that you will ever have to use the escape route or hear that alarm in the middle of the night.
Oddly, organizations are taking a piecemeal approach, and too many are not training their employees on cyber risks, especially small- to medium-sized employers. According to a Canadian survey, only 34 percent of employees of small- to medium-sized businesses report that their employer provided cybersecurity training. https://www.newswire.ca/news-releases/only-34-of-small-and-medium-sized-business-employees-report-receiving-mandatory-cyber-security-awareness-training-876508519.html
The lack of training is troubling because of the extraordinary effort some cybercriminals go to in order to trick unsuspecting employees. Their efforts are masked as normalcy and routine. It reminds me of fixing fences on my family's ranch. You could see the dangers of handling a barbed-wire fence, so you knew what to do, but a live electric fence looks harmless until you touch it.
I am not recommending you shock your careless employees. Instead, train them well enough to understand that a risk exists and to recognize that their adversaries' purpose is deception. So, have that post-breach plan ready, just in case someone makes a mistake. Remember that an "all of the above" approach to cyber risk is always the best approach.
Jack McCalmon, Leslie Zieren, and Emily Brodzinski are attorneys with more than 50 years combined experience assisting employers in lowering their risk, including answering questions, like the one above, through the McCalmon Group's Best Practices Help Line. The Best Practice Help Line is a service of The McCalmon Group, Inc. Your organization may have access to The Best Practice Help Line or a similar service from another provider at no cost to you or at a discount. For questions about The Best Practice Help Line or what similar services are available to you via this Platform, call 888.712.7667.
If you have a question that you would like Jack McCalmon, Leslie Zieren, or Emily Brodzinski to consider for this column, please submit it to firstname.lastname@example.org. Please note that The McCalmon Group cannot guarantee that your question will be answered. Answers are based on generally accepted risk management best practices. They are not, and should not be considered, legal advice. If you need an answer immediately or desire legal advice, please call your local legal counsel.