After you are done reading this article, do not waste time. Do not pass go, do not collect $200. Immediately forward this article to the head of your legal department, or the person in your organization who is responsible for compliance.
Recently, the Department of Health and Human Services in the U.S. reported that bad or no security awareness training is a main cause for compliance failures. This is true for not only health care, but all kinds of organizations in industries like banking, finance, insurance, manufacturing, and surprisingly, high-tech. It does not stop with mere compliance failures causing regulatory fines. Trend Micro reported that 91% of successful data breaches started with a spear-phishing attack.
The problem is that to be “letter of the law” compliant, you only need to herd your users once a year into the break room, feed them coffee and donuts, and give them a PowerPoint Security Awareness Update presentation that, let’s be honest here, most of them will either sleep or play ‘Candy Crush’ through. Even so, you’ve done your job, right? The courts may not see it that way, and ineffective security awareness training could turn out to be a serious legal liability.
Why? Cybercriminals go after the low-hanging fruit: your users. Why spend time exploiting complicated software vulnerabilities when you can easily social engineer an end-user to click on a link?
So your user goes through the coffee & donuts PowerPoint security awareness update presentation, which was inadequate even if they did pay attention. Now they go back to their workstation and fall for the hacker trick. Their workstation is now infected with a keylogger, and the hacker now knows their login and password. With this in hand, the hacker penetrates your network. Simply put: if it’s the Eastern European cyber mafia, their focus is to transfer out money from your operating account over a weekend while nobody’s in the office (see the Patco story below). If it’s the Chinese, they will steal your intellectual property. If it’s independent hackers, your customer database and credit card transactions are exfiltrated and sold on dark web criminal sites.
In all three cases you run the risk of a lawsuit:
1. You might sue the bank for negligence, and they might sue you back. Massive legal fees are inevitable. If it is found out the attackers came in by social engineering a user, your case is significantly weakened. Go to Brian Krebs’ site and search for “Patco Construction”, a nightmare scenario. Here it is: www.krebsonsecurity.com.
2. If the Chinese steal your intellectual property and you are exposed to a shareholder lawsuit, there will be a lengthy and costly discovery period. If it is found out the attackers came in by social engineering a user, your case is significantly weakened.
3. If hackers get into your network, and an investigative journalist like Brian Krebs discovers a website that has all your customer records and credit card transactions, you can expect a class action lawsuit soon. (This is the legal profession’s biggest growth industry). If it is found out the hackers came in by social engineering a user, your case is significantly weakened.
See the trend? Not training your staff to a level that effectively mitigates the risk you are exposed to is a severe legal liability.
Michael R. Overly has written a whitepaper called “Legal Compliance Through Security Awareness Training”. In this paper, Michael describes the concepts of acting “Reasonably” or taking “Appropriate” or “Necessary” measures. Reading this whitepaper may help you to prevent violating compliance laws or regulations.
Do These Two Things:
ONE: Did you know that you are supposed to “scale security measures to reflect the threat”? In the whitepaper are some examples of the Massachusetts Data Security Law and HIPAA to explain what is required. I strongly recommend you download this whitepaper and get up-to-date about the legal repercussions of not providing effective security awareness training: http://info.knowbe4.com/whitepaper-overly-kb4-13-10-28.
TWO: Have you ever wondered how effective your current Security Awareness Training program really is, and if you are at risk in case of legal action? KnowBe4 offers a FREE test that gives you a real quantifiable number as to the percentage of your users that would click through, and fail, a simple Phishing email. Do their FREE Phishing Security Test. You can do the test right away, and it only takes about 5 minutes: http://www.knowbe4.com/phishing-security-test.
If you are concerned about the security of your network, or think your network has been compromised, call Technology by Design at 204-800-3166.