Gartner helps businesses better educate their employees about improving behaviours to keep scammers out of business networks and operations. Their research sheds light on the true cost of scams to business and end customers (with the subsequent increase in prices for goods, services and premiums):
- 10% of recent data breaches involved ransomware and the average payment, to get their data back, made by companies in January – March 2021 was £160,000.
- The average cost of a data breach to companies in the US rose to $8.64 million in 2020.
During the pandemic there has been a rise in remote working, a break with the traditional use of office networks and company PCs and a rise in the ‘keyboard warriors’ working on their home laptop in the local Starbucks or even from a beach bar in Costa Rica. This loosening of corporate control has led to an inevitable rise in the number of risks faced by businesses; risks that their own unique data can be compromised, stolen, shared or used against them in a ransomware attack. The risks start with basic hygiene, like how secure the Wi-Fi network in that Costa Rican bar is, but risks are growing in all directions as highly sophisticated scammers design new and ingenious methods for getting behind company defences. However, even as the tech wizardry of the scammers is on the rise, it remains stubbornly true that breaches caused by employees clicking a fake email or unwittingly revealing useful information on a call are still the most common and the easiest win for the criminal.
Gartner recommends three key principles that companies can follow to turn the risk around and transform employees into advocates for anti-scamming behaviours that protect the companies, their customers and their financial security. As with consumers at home, employees need access to knowledge and education to ‘do the right thing’, so it is up to companies to:
1 – Set the Vision: Publish a list of signature behaviours
Get a cross-functional team together to agree on some achievable behaviours that everyone can recognise and adopt. Underneath a vision like ‘We are a security-conscious workforce’ can sit easy-to-understand behaviours like:
- We use three-word passphrases to construct passwords
- We always forward suspicious emails to internal security
- We always use the approved file transfer solution
2 – Define measurable behaviours and outcomes (to track progress beyond tick boxes)
Companies need to conduct regular internal spot checks on employees’ security behaviour. These insights reveal where to focus energies on prevention before the more costly need for ‘finding a cure’. In a world where we know there is a surge in scamming attempts, security leaders need to measure, report and share internal trends in:
- Month on month reports of phishing attempts forwarded to security team
- Results of “mystery shopper” phishing simulations. How many employees still click on risky links?
- Time spent reading security newsletters (and consideration for aligning training and certification to performance reviews and remuneration)
3 – Connect awareness and behaviours to measurable business value
If you measure the results of steps 1 and 2 you can link the changes in behaviour to what business leaders really care about: brand reputation, improvements in risk management metrics, fewer losses and less downtime, and reduced customer churn resulting from data losses and negative publicity. Put simply, businesses need their training and knowledge-sharing efforts to deliver improved decision making by employees that results in fewer cybersecurity incidents.
You can read more about Gartner’s report here: