Practice Security Like Your Job Depends on It (Because It Does)

Posted by Tony Bradley

For those who work in information security, it is hard to imagine not viewing the world through that lens. The fact of the matter, though, is that the vast majority of users don't give security a second thought. Unfortunately, that cavalier attitude can hurt the company and may even cost those people their jobs.

Many workers are just there to do their jobs. They assume that IT and information security issues will be handled by someone else and are outside their scope of responsibility. Many also assume that their role is too menial to be a worthwhile target for attackers, so they need not be concerned. Both assumptions are false.

Users need to be made aware of the trickle-down effect a cyber attack has on the company as a whole. The harsh reality is that an attack ripples through the entire organization. An incident that is somebody else's fault and occurs in an entirely separate part of the company can still result in cutbacks or layoffs that reach everyone.

Falling Like Dominoes
Most attacks are attacks of convenience. The attackers neither know nor care what your individual role in the company is. Attacks are often automated to find gullible users or seek out vulnerable machines, and any successful compromise is enough to get the attacker through the proverbial "front door" and into the network.

Once an attacker has a foothold in the network, it is much easier to perform reconnaissance and move laterally to seek out and compromise other vulnerable systems. A successful phishing attack against an intern working in the mailroom can eventually lead to a massive breach of employee and customer data or the loss of significant intellectual property.

No matter where it starts, a successful attack has a domino effect that spreads throughout the company. First there is the direct impact of any money or data lost. Next is the cost of remediation: the company has to dedicate resources, and possibly hire outside expertise, to investigate the attack, determine the scope of the damage, and carry out incident response to clean up the mess and restore the security of the network and endpoints. Finally, there is the tarnished reputation when shareholders or customers learn about the attack, resulting in lost sales and a declining stock price.

Not only does that affect the company itself, but many employees hold stock options or retirement investments that are directly affected when the value of the company declines. That can be a double blow for a user whose investments plummet at the same time they lose their job as the company tries to recover from the attack.

Make it Personal
As long as users think security issues only happen to others, or that dealing with security is somebody else's job, they will continue to violate established security policies and ignore the red flags that signal a potential cyber attack. To get users invested in the overall security posture of the company, they need to understand what it means to them personally.

Share examples of companies that have been hacked or compromised. How did it affect the stock price? What was the impact on sales and revenue? Were salaries, bonuses, or benefits slashed? Were employees laid off as a result of the financial impact? Did the company go out of business?

If individual users understand the broader implications of an attack and how it could directly affect their income, they are much more likely to take security seriously and help identify and block potential threats.


Business Perspectives

security awareness security operations

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
