Combatting cybercrime is not a technology game; it’s a social, emotional and human game. That is what John Sileo of the Sileo Group told a group at a recent meeting I attended. On two separate occasions, Sileo was the victim of cybercrime.
He encouraged audience members to expand their vision of cybersecurity. Sileo says that as human beings we use stories to organize and prioritize what is important to us. A typical story involves a hero who has something at stake but is in a risky place where an adversary can attack and defeat him until a wise guide comes along with an action plan that leads to the hero to ultimately being victorious.
Typically, once a company is attacked, it hands over the solution to the IT department that thinks of an IT solution. “That is both myopic and dangerous,” Sileo said. “We need to change the attack response loop and look at what we need to do to protect our business from the inside. We need to determine what is most at stake and where the risks are.”
He suggests that businesses think about what are the worst possible things that could happen to the company and then bring together a team that guides the company through a process to build a strategic action plan. “You need to do this for each risk, one at a time,” he said.
You also need to empower your employees to become the first line of cyber defense because the number one way for someone to get into your system is by hacking an individual within the company. One way to protect your employees and your company is to teach them what Sileo calls “reflect and response.” Teach employees not to give out any information until they verify who they are speaking with. “Get them to build a pause into their response and to be skeptical of all calls,” he said. When you “build a momentum of skepticism, it makes fraud plummet.”
Sileo suggests practicing various scenarios with your employees so they understand and can implement the reflect and response model. For example, if an employee gets an email that says click on this link to see the company policy on working remotely, the employee should be skeptical and call HR to verify. Hackers are notorious for using current events in their hacking attempts. Also, if an employee is unsure about a link, tell them to hover over the link and the URL will be revealed. “Seeing is no longer believing,” he says. You now need to verify with a trusted source.
A few things you can do to protect yourself and your business is to ensure strong passwords. Four- and six-digit codes are hackable, Sileo said. He suggests using a custom alphanumeric code for passwords. You also should use aggressive spam filters, disable Office macros and compartmentalize date and segment users.
Old computers and outdated software make it easier for hackers to access your data so keep your systems updated. Sileo also suggests you use a 1, 2, 3 approach to backing up data. That is have three backups on two media types with on back up off-site.
“Anticipate your highest stakes first and create multi-function teams to develop action plans for the threats you face,” he said. “Then train your heroes (employees) to be the first line of defense. Defend what is most important first.”
He concluded his presentation saying, “The greatest security we have is our resilience and using hard stuff to push ourselves forward.”
