Cyber security isn’t getting any easier.
According to PurpleSec, cyber-incidents rose 600% during the pandemic and presented new issues. With the variety and frequency of cyber threats continuing to rise, staying ahead of attackers is a constant battle. But cyber security expert Paul Tracey is making the world a safer place by building an army of “cyber security champions.”
The founder and CEO of Innovative Technologies, Paul Tracey has been on a mission for over a decade to educate small and medium-sized business owners whose livelihoods are at risk because of what they don’t know about IT and cyber security threats. The Amazon best-selling author of Delete The Hackers Playbook and co-author of the Amazon best-selling Cyber Storm, Tracey says cyber-attacks have become such a huge problem that they are no longer something you can just hand off to your IT team to fix.
“There’s ransomware every 40 seconds in the United States,” Tracey says. “And it’s not just hackers anymore. Anybody can go on the dark web and, for 200 bucks, they can buy ransomware and just start sending it out through e-mail. To fight this, we must all be in it together. We all depend on each other to keep the economy going at a small-business level. We cannot afford for our partners and our teammates to be down or put out of business from ransomware or some other cyber-incident.”
While everyone is worried about cybercriminals getting in and attacking their organization, Tracey cautions that organizations are missing a big component.
He regularly sees his clients’ vendors or customers unknowingly causing security problems. “We need to change the way people think about this,” he says. “You don’t want to be the one who’s responsible for an attack because you didn’t have a cyber security culture and policies in place.” Tracey sees his role as fighting for the security of the organization. He developed a cyber security program that guides companies in building a cyber security culture with a trickle-down effect that spawns cyber security champions inside the organization. Once developed, these internal champions take the knowledge they’ve received and spread it to their communities.
“We’ve found that once someone in the C-suite executive level gets their organization under control and creates a cyber security culture, they start looking out for their vendors,” Tracey says. “Vendors that send an e-mail they shouldn’t have sent with sensitive data that wasn’t encrypted get a reaction. Our security stops these. Early on, the initial response is ‘I need my e-mail. Why are you stopping it?’ But once our clients make that culture change, their response is ‘You’ve got to be kidding me. Why are we dealing with this vendor if they can’t follow a cyber security policy on e-mail?’ It’s a complete mindset change.”
Employees are championing the cyber security culture outside of business too. “Once you get cyber security training, employees know what a phishing e-mail looks like and find them in their spam folder at home,” Tracey says. “They notice if their antivirus on their home computer is up-to-date because now they understand what’s really going on.”
Culture Must Start From The Top
To successfully create a cyber security culture, there must be buy-in at the upper level.
“The C-suite executive must be that cyber security champion first,” Tracey says. “From there, we build the other cyber security champions inside the organization to help them strengthen their security. We cannot change your culture for you. We’ll give you the tools. We can even help guide you with the procedures and strategies to do that. But you need champions inside your organization. Your ‘A’ players will adopt this culture right away, so you’ll have help. But if your goal isn’t to turn the staff into champions, the cyber security culture will never take hold.”
Education At The Core
Every cyber security program Tracey offers includes training and education, beginning with the dangers that lurk in e-mails and on social media sites. At a minimum, clients receive annual training and weekly updates. All metrics are tracked to help identify issues. “All staff members receive a weekly cyber security training that’s about four minutes,” Tracey explains. “It’s quick and easy to digest. We track who watches them and for how long. C-suite executives are given this data so they can see who is engaged and who isn’t and needs a little push in that direction.”
Tracey’s firm also does fake phishing tests on employees, monitoring who opens them, clicks on the links, and gives up information. If employees fall for a phishing test, they are immediately prompted to do training.
“We help them understand the information they’re putting online that people can get and use against you,” Tracey explains. “Then we extend out looking at their processes. This creates major awareness, allowing you to advocate for a change in policy that, in turn, increases your security.”
Policies And Tracking Are Critical
Tracking and policies help managers properly address problems and promote honesty. Tracey provides upper management with data to show their greatest threats. “We show them risky behaviors and identify high-risk employees,” Tracey says. “That motivates them to have discussions with their management teams to distribute those messages further out.”
While management wants to trust employees, Tracey has found that employees tend to be less than forthcoming when there are cyber-incidents.
“Just this morning, we got a ticket that said, ‘I received a suspicious e-mail from Walmart. I didn’t open it and I deleted it,’” Tracey says. “This was our phishing test. When we looked at the record, the employee had opened the e-mail six times. This isn’t an isolated incident. This happens all the time. Opening the e-mail when it was a phishing test isn’t a big deal. But if it was real phishing and you gave up your login information, that honesty is important. Having the correct information about that incident instead of your IT department having to track down information and figure whether they did open it is critical because when you have an incident, time is of the essence.”
To promote honesty, Tracey works with clients on creating an acceptable use policy. “Usually, it’s an honest mistake. But if it’s a dangerous one, you don’t necessarily want to admit to that, especially if you think there will be repercussions,” Tracey says. “Putting out clear policies and making sure your staff understands them encourages employees to be honest if a mistake happens. Without policies, employees tend to feel attacked and go on the defensive. If they go on the defensive, you’re not going to get valuable information from them.”
Reward Desired Behavior
Rewards, including verbal recognition and fishbowl drawings for top participation, help build the cyber security culture by inspiring people to engage with the process. “When there is only punishment for doing the wrong thing, there is no motivation,” Tracey says. “With encouragement, most of the staff gets on board and realizes it’s what is best for the organization. Then employees start taking it to vendors outside of the organization too.”
Tracey’s approach, where everyone is part of the solution, is building a stronger defense against cybercrime. Clients who develop a cyber security culture manned by cyber security champions are not just sending non-compliant employees packing; they are warning vendors that they must develop a cyber security culture to continue doing business with them.
“We’re all in a community, regardless of your business size, type, or location,” Tracey says. “This isn’t just inside your house…you have vendors, customers, and client relationships. Everyone in that circle needs to be a champion for their own organization, and for the other businesses they use and support. Because if one of those gets hit, there’s an effect on everyone. It benefits you to not only create a cyber security culture but to share knowledge, policies, and procedures and have discussions with vendors and clients. The important thing is to just start. Set a goal and take realistic steps to create that cyber security culture now.”
For more information on Innovative Technologies, visit www.upstatetechsupport.com