***Author's note: I am a cyber nerd and not an author. Yes, you will find grammatical mistakes in the following piece and no, I do not care about it. I write just like I talk, at least that is what a middle school teacher told me once. What I care about is that you get the underlying message!***
Most of the articles that we post at Longevity Technology are sourced and reposted from many of the major security news sites and blogs out there on the big www. Being honest and humble (read: true nerds), we always provide source links to the material that we repost, not only to give credit where credit is due for the original words and/or opinions but also to help drive traffic to our sources. That traffic can be quantified in Google Analytics, where we can see the clicks that we are driving their way.
I elaborate on this because, while we are always busy at Longevity Technology being a managed service provider and a true managed security services provider under one roof, I occasionally feel compelled to write something original based on the news of the world or interactions that I've had with my fellow nerds. This post is in the same category and was motivated by an article that I reposted yesterday from Bleeping Computer about the ransomware infection at COSCO, a major worldwide shipping corporation.
I reposted this article late in the afternoon/early evening. As it was extremely fresh off the presses (credit to Bleeping Computer for how quickly they hit the street with the information), I was still thrown by how quickly the clicks started adding up. The story went viral, and our analytics show that we were part of that spread of information as we hit the social media scene en masse.
So where am I going with this? Last night in the late evening I received a call from a lawyer who had come across our reposted article on social media. Yes, my heart sank, with the initial thought that this must be either a lawyer from COSCO or Bleeping Computer who didn't appreciate us being in the mix with a source article. Now, granted, by giving credit where credit is due we are not guilty of anything, and again, we drive significant traffic to our sources.
After taking a deep breath, listening to this caller explain why he was calling so late at night, and realizing that I had one of two situations, I relaxed a little bit and enjoyed the conversation. What I had on the phone was either a lawyer who was extremely concerned about the ramifications of a major corporation such as COSCO getting infected, and how he, as a small to medium-sized business, could protect himself when major corporations cannot, or I was being catfished/socially engineered by a fellow MSP trying to discover who we were and why our reposted article was blowing up the way it was.
The conversation ran an hour and a half, during which this "lawyer" stated adamantly that he wanted his staff to be able to open any document without worry of any repercussions, that cybersecurity measures should be able to protect his environment regardless of what his staff does electronically, and that he wanted to know what technology out there could provide that level of security and could be implemented for him.
The funny thing to me is that this was his response to the following statement that I made:
"There is no one technology in the security world that can 100% guarantee a truly safe environment. You can invest significantly in endpoint protection and then get hit by a zero-day attack. You can invest significantly in infrastructure protection and then get hit by a zero-day attack. You can invest in sandbox technology and then get hit by… wait for it… a zero-day attack. A news article just came out today that showed an old piece of malware that, when distributed with a recently discovered bug, can actually recognize that it is being sandboxed and wait for its payload distribution until it is moved out of the sandbox upon execution. So where does that leave us, especially in the lower-budget small to medium-sized business sector, as the single best preventative tool in the cybersecurity arsenal?"
I paused here to allow my welcome caller to digest what I'd said and offer any thoughts that he had. Of course, this being a business owner who is not technical, he wasn't offering any real thought other than the concept that he wanted total security in a single package that allowed his staff to do anything they wanted without repercussion or threat. So, I continued:
"The single most effective preventative measure in cybersecurity, the one shown in study after study to have the greatest effect on protecting a network of any type, whether that be home or business, is user awareness training."
Now, of course, being the nerd that I am and having such a hard time understanding end users' perception of cybersecurity, or more correctly stated, end users' resistance to it, I was still amazed at his response: "I don't have time for my staff to take awareness training. They are lawyers and not IT people."
I've heard that statement many times when discussing the concept of user awareness training, so you would think I would not let my jaw hit the floor like I do every time I hear someone say it, but the reality is that we need to put this concept into perspective.
I would like you to take a guess at this math problem. If a lawyer's billable rate is approximately $300 per hour and the simple awareness training of how to recognize a phishing/malware email versus a legitimate email can be done in approximately 30 minutes, which of the following two options will cost a business more:
- The lost billable time of training 20 lawyers simultaneously for, let's be conservative, one hour on differentiating between a malicious email and a legitimate email?
- Or having your server environment and those 20 lawyers' laptops encrypted by ransomware?
Hurry up, the final Jeopardy theme music is playing in the background.
I could sit here and list study after study and research paper after research paper on the cost of recovery and downtime following a cybersecurity incident, but the answer to this question should be so blatantly obvious that I'm not going to waste my billable hour digging up the links.
Business owners and leaders must begin to recognize the value of user awareness training, and that in the end there is no cost comparison between training and an infection outbreak. I sometimes compare it to sexual harassment training. Back in the day, organizations would simply pay off, or let their insurance pay off, any sexual harassment lawsuit that came their way, but over time the cost and value of awards grew to such a point that it forced the hands of business executives and owners to require sexual harassment training so that they could say they were at least making an attempt to prevent it. Today, I cannot think of any organization that I have worked for in my career or entered as a service provider that did not have some form of required human resources-based training on sensitive topics of this nature.
Now, before I get jumped verbally or my email box blows up: I am not comparing the emotional and damaging impact of sexual harassment upon an individual to the financial implications of a cybersecurity incident. What I am comparing is this: when an organization has an issue that it recognizes as being preventable through education, the financial impact of that education is always significantly less than the impact/damage done by the lack of user education.
For all who read this article (and yes, yes, I know I am long-winded), I want you to stop what you're doing and put on your critical thinking cap. If you are a business owner, an executive, or in some leadership position within your organization, I want you to think about the concept of user awareness training versus the financial damage and reputation damage that would be caused by your organization's name being plastered across all of the security blogs and social media outlets that exist.
Is there any real comparison between the billable hour of your staff and what can happen from a user opening an attachment in an email because they didn't know how to tell, based on its content, whether that email had the potential to be malicious? I think the answer is obvious; the real question is why businesses aren't rushing to provide this education.
As a managed security services provider, we at Longevity Technology provide both the before and the after technical response to security issues and incidents, and because we also provide partner- and web-based user awareness training, I can tell you without a single doubt in my mind that an ounce of prevention is worth so much more to your organization than what it will cost for me to come in and fix an incident that was preventable.
Just think about it, you’ll get it!