Chief Marketing Officer at ERP Maestro
Our Focus During National Cybersecurity Awareness Month
This is a common scheme: an employee receives an email that appears to be from the company CEO, in which the CEO requests the employee to make a transfer of funds or data. A less aware employee not versed in phishing scams may take the bait, follow orders and comply with the request. Email-spoofing scams like these, as well as other cyberattacks, are on the rise, and educating and protecting employees from their dangers are paramount in cybersecurity training.
This October marks the 17th National Cybersecurity Awareness Month (NCSAM), a campaign launched by the National Cybersecurity Alliance & the U.S. Department of Homeland Security in October 2004. This year’s theme is “Do your Part. #BeCyberSmart.” The theme aims to encourage individuals and organizations to “own their role in protecting their part in cyberspace,” stressing accountability and the importance of taking proactive steps to boost their cybersecurity.
According to AXA’s recent Future Risks Report 2020, cybersecurity is in the top three emerging risks this year, just under climate change and pandemics and infectious diseases, with 51% of experts surveyed also considering cyber risks as a major trend due to the sharp increase in cyberattacks during COVID-19. According to the report, phishing emails rose 600% over the course of the lockdowns as cybercriminals targeted remote employees using their personal devices for work.
While employees need to own their part in keeping companies safe from cyber threats, often employees don’t see attacks coming and are pulled into hacker schemes. Personal accountability and employee education are necessary but not enough. And when it comes to accountability, employees can easily shirk personal responsibility or feel none at all when they rationalize their own participation in cybercrime, particularly when it comes to internal attacks.
External fraud ploys are big business, costing companies millions of dollars. Likewise, internal cases of fraud have been trending upward with so many employees working from home, utilizing unsecured networks, not having traditional oversight and being more vulnerable to engaging in fraud and data breaches in a time of economic uncertainty. While many organizations are still adjusting their procedures and adapting policies to this new way of work, we know for certain that leaving employees to their own devices amounts to placing trust in employees alone to act ethically and loyally. That is the opposite of adopting an advised zero-trust approach to risks, in which no one – from the CEO to the lowest paid employee – should have carte blanche access to business systems without oversight or proper controls in place.
At ERP Maestro, we continue to emphasize the role that internal attacks play in the entire security landscape and the need for system protection for the outside as well as the inside of organizations. Neither external nor internal security should be viewed as more important. Both are extremely damaging to a company. However, internal attacks may be easier to orchestrate and achieve with access already granted to insiders.
This year with the impact of COVID, we feel a stronger need to call attention to NCSAM and also encourage all companies to not only put proper systems in place to protect their SAP systems but to also conduct risk analyses to understand where they are most vulnerable. From an internal perspective, this requires understanding who has access to what and if there are any abuses or potential to cause harm. While this can be achieved with manual access reviews, it is not optimal or advisable to do so if businesses want accurate and timely snapshots of risks and remediation next steps. We advocate for using automated tools and cloud technology that can keep risks in check from wherever employees work.
This isn’t a time to cut back on security to save money. Instead, it is time to beef up security training, technology and best practices. Being #cybersmart and proactive about improving cybersecurity should be more than just looking ahead a month or two and preparing for the near future. It should also encompass future-proofing your internal security. Building resilience in an ever-pressing risk-prone era is key to ensuring that when the next crisis comes along, your organization will be prepared.
If you are interested in learning more about the steps organizations can take now to protect themselves and proactively enhance their cybersecurity beyond the current crisis, our recent webinar with KPMG experts discussing this very topic is now available on-demand here.