Cybersecurity Awareness: It’s Everyone’s Business

Remote working, e-commerce, online forms, video appointments, …: All those new ways of using the computer and the increasing use of IT in general make us all more exposed to cyber-threats than before. This is the case both at home and at work, and increases at top speed. We estimate the number of ransomware multiplied by four over the past two years… Should we panic? Should we panic? Not necessarily, as more and more of us go look for information by ourselves…as we don’t get it from our employer, managers, or colleagues. This shows how important raising awareness on those matters is.

1. Cybersecurity: What Is It?

Hacking, phishing, ransomware, Trojan horse, …: We all heard those terms one day or another, during a chat with colleagues or in a family reunion. Some are even part of our day-to-day. However, how many of us would be able to give a definition of those? And who can say what the term cybersecurity covers? Also called computer security or information technology security, cybersecurity regards the protection of data and IT resources from hackers. To get some cybersecurity, people and enterprises equip themselves with firewalls, DNS filters (domain name system) and/or anti-malware solutions.

The definition to remember: Cybersecurity regards the protection of data and IT resources of people, organisations, and states from any cyberattack.

To reach their goal, hackers have many targets:

• Personal and professional computers
• Servers, wether they are isolated or interconnected, on- or offline
• Peripheral devices like printers, for example
• Communication devices like smartphones and tablets

More generally, cybercrime regards every illicit action harming a website’s integrity, or every illicit action with the use of IT. Either IT is used as a tool for a conventional infraction or crime (threat, fraud, …), or the computer is the target of the criminal (theft, data destruction, …). To diminish risks, entreprises and people are now used to install an antivirus software or to secure their emails. Although considered as must-haves, those are not enough against our carelessness or our tendency to get around security rules… Indeed, according to the Data Breach Investigations Report 2022 from American telecommunication entreprise Verizon, 82% of incidents involve a human factor. Surprising? Well, not really.

Think about how much we interact with devices targeted by hackers:

• By scrolling the internet or social networks;
• By clicking on a link inside a dubious email;
• By typing personal data on a website;
• By downloading a file or an application;
• By accepting cookies or a data privacy contract without reading those;
• Or by using our professional computer for personal uses.

“82 % of breaches involved the Human Factor.”

2. Where Do Attacks Come From?

When we notice how varied and extremely ‘’common’’ back doors are, we quickly understand why 90% of compromised equipment was a camera, a connected object, or a network device. The stakes? Get to be aware of consequences from our daily carelessness. Enterprises understood it well. In 2020, 95% of those had set up an awareness campaign within their organisation, according to the State of the Phish report, but only 30% of them were doing so on a regular basis and towards their entire population. Nevertheless, it’s only by raising awareness of cybercriminals’ modus operandi that collaborators will become more vigilant, and therefore less subject to fall into a trap. We say forewarned is forearmed, don’t we?

The main types of cyberattacks organisations must face include:

• The ‘’Man in the Middle’’ attack, consisting in the interception of exchanges between two persons through the installation of a malware on an IT system, in order to read, listen to, steal, or even forge communications;
• The denial of service attack, targeting a server overload to make an organisation’s network out of order;
• Phishing, a method through which the hacker tries stealing personal or confidential data like bank data or access codes by looking like a legit authentification system;
• Social engineering, which counts on human weaknesses to encourage workers to get around cybersecurity processes;
• The ransomware, which prevents the user to access their data until a ransom is paid;
• And – a classic – the password theft thanks to the use of softwares which try a maximum of combinations to find the right one, also called a Bruteforce attack.

In 2021, requests for help from private individuals on French platform cybermalveillance.gouv.fr were mostly related to phishing (31%), account hacking (19%) and fake technical support (13%). As for professionals, they were mainly preoccupied by ransomwares, whose 54% of attacks came from spam/phishing, according to Statista in 2020. Those numbers bring some concern as they are the same for large companies, collectivities, and administrations, but don’t spare small- and middle-sized enterprises either. In 2020, 28% of data leaks involved a small entreprise (Verizon)…

3. Minimise Human Risks

Those numbers should however not scare nor paralyse us. Quite the contrary, they should encourage us to act. How? First by assuming a good IT hygiene at work and at home. This includes basic tricks that everyone knows, but which is necessary to recall: Using robust passwords, keep them confidential and update them on a regular basis, not sharing personal information on social networks, be careful while opening emails, …Chasing bad habits of yours and those around you is already part of the solution.

First field of action? Taking care of your IT hygiene

Good habits not only protect us from cyber-threats, they’re also a huge part of collective security of entreprises and organisations. This is a further reason for them to add trainings and awareness campaigns to the existing technical and technological cyber-defense solutions. Those new actions shouldn’t limit themselves to irregular communication campaigns or boring powerpoint presentations. The goal is to bring knowledge and necessary skills to the teams, for them to be able to identify cyberattacks and protect themselves against those. Why shouldn’t we simply expose the teams to techniques used by hackers? For it to be efficient, the right educational methods should be used: Couple every action of a collaborator with answers hackers could use. Only when such system is put in place can organisations schedule phishing tests or any practical exercise to stimulate and evaluate knowledge assimilation on a regular basis. Those tests in real conditions must be spaced out for them to be efficient… and to maintain the entreprise’s performance.

The Top 5 reasons to raise awareness of your teams on cybercrime:

1.  Grow a culture of information security
2.  Turn your collaborators into actors of the solution
3. Strengthen trust from your clients and partners
4. Improve the entreprise’s image
5. Be different from competitors

Indeed, cybercrime may threaten the survival of organisations, but growing a culture of information security may turn into a true opportunity. Raising awareness on cybercrime will be a formidable lever of empowerment. Giving to collaborators the means and tools to protect themselves from cyber-threats will make them aware of their responsibilities and put them at the heart of the organisation’s defense. They’ll become actors of the solution and will no longer be the source of problems on a regular basis. Another asset of such a digital maturity? Strengthen trust from your clients and partners, while getting to be different from your competitors. Do you still need another proof that raising awareness on cybercrime mustn’t be considered as an obligation, but everyone’s business?

In summary: