Worried about cybersecurity? Start with your own employees
Our commitment to customer security
Voya recognizes the importance of safeguarding our customers’ financial accounts and personal information against the ongoing risk of identity theft and cyber threats. Our work never stops when it comes to client security and we are constantly evolving our strategies to address and adapt to these threats.
Cybersecurity isn’t just about technology. Our defense in depth strategy includes investments in people, technology, and processes that work together to help keep your information safe.
Visit Voya.com to learn more. Read on for valuable tips on what you can do within your own organization.
Imagine you're the CEO of your company. As you walk into the office one morning, you pass someone on your accounting team. They inform you they wired the $200,000 "you" requested to an account in Europe. Confusion and frustration quickly boil. How? Why? What? You didn't request that. How did that happen? Then the next step: blame.
All too often, we see some sort of data security problem result from human error. Some studies find up to 90 percent of all data breaches are caused by human error or human behavior. Unfortunately, remediation or proactive efforts to avoid data breaches are often not focused on the right area: user education.
Instead, blame gets shifted to IT preparedness through the network and infrastructure, and time, effort and money often go into investing in IT infrastructure or paying any security company or security program that claims it can protect your company by subscribing you to some sort of software program.
While both areas may benefit from improvement or upgrades, network improvements do not resolve the issue that causes the majority of all data breaches - the users. Until we can patch and update people, this problem will not be resolved by merely upgrading infrastructure.
You can have the best network, hardware, programs, and even the best IT team, but none of that matters if someone clicks something they shouldn't or falls victim to a phishing, parody or hacked-account scam. The emphasis must turn to training and educating users about their role in data and network security. It is not only the hackers to fear or blame; it is your own team - your own employees. The people you pay to run your business are the very ones most likely to bring it down.
This doesn't mean all breaches are caused by the intentional or malicious acts of employees. While there is a segment of cyber breaches that are caused by disgruntled current or past employees, it very often is the action of a non-malicious user. I recently attended a cybersecurity event, where, in one session, the majority of the individuals in the room were IT directors. The topic of cyber training for users was discussed and I was stunned at how few IT directors were providing any cybersecurity trainings for their companies. This is unacceptable. Without a change, companies will continue to unnecessarily fall victim to cyberattacks.
Your IT team, whether internal or outsourced, should be providing this training. If they aren't, it's time to reconsider your arrangement. If they do offer this training, but you haven't taken them up on the opportunity, get it scheduled ASAP. Many companies simply do not realize the importance and priority cybersecurity education training must take in an organization. It is important to incorporate regular staffwide trainings as well as training of any new employees upon hire. At a minimum, cyber education training should cover three main areas:
Overview of Any Use Policies Existing in the Organization
Do you require multi-factor authentication? Are employees required to lock their machines when they step away? If an employee takes a machine home, are they allowed to leave it in their car if they stop at dinner on the way home? Who must have an encrypted device? If regulated under any additional laws, such as HIPAA, what does this mean for individuals' job roles? Must any request for money to be sent out of the organization require a second in-person confirmation?
Do employees use password managers? Are employees reminded of the importance of not reusing passwords across multiple sites? Are all users logging into programs and machines with different usernames and passwords? Where are the passwords being stored? Are employees using strong, complex passwords? Are all users required to have their own login credentials (username and password) for any device or program?
Recent Hacking Trends
Do your employees know what the latest hacking attempts look like? Without knowing what the trends are - and being reminded regularly - it is much easier to fall victim to any of the following: clicking a link in an email from "Amazon" regarding your order status that would immediately infect your computer; opening an email attachment that claims to be an invoice and could spread ransomware throughout your entire network; or entering your username and password into a site that looks like - and claims to be - the Microsoft 365 portal, after receiving an email informing you that your account has multiple unsent emails and providing a link to resolve the issue. That last scam exists to capture your actual username and password for the real portal, giving the hacker access to all emails, sensitive data and confidential company information. A correct login username and password can negate all security measures.
In the end, you employ your biggest threats. Taking a proactive, education-based approach to inform your team regularly is key in minimizing your chances for a cyber breach. Educate, remind and re-educate often. You can't protect your company from everything, but user education can significantly reduce your chance of a data security breach. It is the simplest, most inexpensive step to help better protect your network, data and company.