Recent hacks at Uber and Rockstar games have many companies on edge, wondering about their own security. For many, the hacks have highlighted a huge vulnerability that every company has, regardless of size and industry. Human error. The number one vulnerability for any company is their employees. Let’s be clear, we’re not saying your employees are out to intentionally sabotage your company. That might actually be easier to spot and stop. Rather, we’re saying that the unintentionally bad call is easy to make. This is why ongoing cybersecurity training for your business is vital. Mark Jordan, Director of Cybersecurity at Hill Country Tech Guys echoed the need for ongoing conversations around the hack. “Time and time again, massive breaches like this one are the result not of highly sophisticated intrusion methods, but rather tricking an unsuspecting employee into simply opening the door for them.”
How Was Uber Compromised
Most companies have 2 factor authentication or multi-factor authentication set up for access by employees to their tools. These systems create checkpoints to ensure that the person(s) attempting to gain access do in fact have permission to do so. In Uber’s case a push notification was spammed to employees repeatedly until someone finally accepted the request, granting access to the threat actor. The consequences are dire.
The solution isn’t as clear as the threat, and that’s a big problem for most companies. There’s no one thing you can do to stop threats from coming. The numbers paint a frightening picture of the current landscape of data sabotage in 2022.
According to The State of SMB Cybersecurity in 2022 from ConnectWise, “76% of SMBs in the 2022 study have been impacted by at least one cybersecurity attack, a considerable increase compared to 55% that said this in 2020.”
What Basic Steps Can You Take to Help Protect Your Company from Threats?
Cybersecurity Training for Employees
When most organizations think of cybersecurity training, they likely envision a one-time training on how to securely operate. This simply isn’t enough. According to the same report, 67% of companies don’t feel they have the in-house skills to adequately handle security issues. If a company the size of Uber, with the IT and security budget to match was so easily taken down its not far-fetched to assume it would likely be just as easy, if not far easier to compromise most small and medium businesses.
2-Factor and Multi-factor Authentication
Yes, the hacker was able to socially engineer their way through these systems but that doesn’t mean they shouldn’t be a component of your company’s security. These systems are built to be a sort of armor for passwords. Passwords are (generally) created by the user, making them easy to figure out because people often use information they can easily recall like names, birthdates, pets, etc. Additionally, there are programs that can be run to try infinite combinations until they crack the “code.” Further authentication is just a double check. It’s like your computer, phone, or account saying “hey, just want to be sure this is really you?”
Robust Passwords That are Frequently Updated
This seems like a no-brainer but as we stated earlier, people like to create passwords that are easy to remember, often using the same password across multiple devices and accounts. Ensuring a minimum number and the use of special characters will significantly increase the security of every password in the organization. Requiring employees to update these passwords frequently will help keep your defenses tight.
Communication is Key
If your employees don’t know what the vision is, how can they help your organization achieve it? Including your workforce in conversations around the goals and roadmaps to meeting those goals is vital to the creation of an effective security protocol. When the policy changes (and it should change and grow with your organization), employees need to be updated. Often these updates are cascaded by email but there are more effective ways to have these vital conversations. Utilize staff/ departmental meetings. Have leaders create videos explaining the updates and their significance. Invite employees to ask questions.
Ongoing Cybersecurity Training Makes a Difference
People tend of think of “hacking” as this complex system. Often, access is gained because the users are lazy. They may not even realize they’re being lazy; they’re just trying to be efficient. So are threat actors. They’re looking for the easiest in. Make your company a harder target to hit. Educate your workforce on the threats and the simple steps they can take, or in Uber’s case not take, to help keep things secure.
Make security an ongoing conversation. It shouldn’t be a one-way communication. Cybersecurity training shouldn’t be one-way communication. Make it an ongoing conversation with your workforce. Engaging your employees on any topic will lend itself to more buy-in. Security is no different.