A state-of-the-art firewall protects your network. Your backup strategy is flawless. Your technical team is on the lookout for the slightest threat. And yet, your company has just been the victim of a cybercrime attack. Why? Probably due to human error. In fact, 90% of cybersecurity breaches are caused by people who are insufficiently aware of the danger.
"Everyone needs to be made aware of cybersecurity issues," says Dominique Derrier, Chief Information Security Officer (CISO) at NOVIPRO.
“In the vast majority of cases, the doorway for hackers is an inadvertent mistake: for example, opening an email and clicking on a link that promises a mega deal, when it should really be immediately obvious that it's a trap.”
Such hasty recklessness is a real blessing to cybercriminals. “Companies invest a lot of money in protecting their information assets,” explains Roger Ouellet, director of security at NOVIPRO. “But the target hackers can always aim for is people. You have to make sure your staff is properly equipped.”
And the problem is not limited to individuals unfamiliar with technology. Errors made during software development or operational accidents can also open the door to attacks that could have been prevented with a minimum of precautions. “In every domain, there is a lack of knowledge that causes problems,” says Dominique Derrier.
A growing plague
The number of attacks perpetrated by hackers is growing year on year. For companies targeted, the financial losses total billions of dollars. "If cybercrime were a country, its GDP would rank it comfortably within the G-20," says Dominique Derrier.
Unfortunately, the trend is unlikely to reverse, as information flow is the basis of today’s economy. In some organizations, new hires get access from day one to 20% of all information held within the company, including confidential information.
The bottom line is that there are plenty of attractive targets for criminals if information is not well protected.
With the pandemic, companies have reviewed their methods of making their operations more secure, but only about 30% of them offered training to their employees and established a work-from-home policy in 2021. This is a proportion similar to that of last year even though the threat continues to grow. (Source: Portrait of IT NOVIPRO/Léger 2022, a survey of 500 decision-makers from Canadian companies about their IT challenges.)
Cybersecurity and continuing education
Insurers have noticed that companies are exposed. “More and more insurers are requiring companies to adopt cybersecurity training and awareness programs,” notes Roger Ouellet. “Those that do not risk seeing their premiums increase rapidly or they may even get refused by the insurer.”
NOVIPRO offers companies programs that combine bespoke training and simulated attacks. For example, phishing emails can be sent to staff in order to test the vigilance of a client’s employees.
“In the field of financial services, for example, people expect to receive emails from banking institutions,” explains Roger Ouellet. “In this example we will send fake bank emails to try and trick the staff.”
The more the simulated attack resembles the routine operations of personnel and directly affects their tasks within the company, the more the targets will tend to let their guard down – and the greater the effect will be when they are told that they have been trapped.
Of course, as is always the case, best practices in terms of continuing education apply to cybersecurity. For example: use positive reinforcement, value success, and follow up regularly without repeating the exact same discourse. Dominique Derrier compares this regular monitoring to a booster vaccine. “Pirating techniques are evolving, so training courses need to reinvent themselves from year to year as well.”
A strategic issue
In December 2021, the Canadian government urged businesses to adopt cybersecurity best practices, including protection against ransomware. This is a good call, according to Dominique Derrier.
“Companies do not always recognize themselves as cyberattack targets. They think it's a problem that only affects the military sector or only exists in spy movies. However, if you possess an asset, then you are a potential victim!”