Pratum Blog


It seems like we all would’ve learned this lesson from our own experience with mediocre teachers, coaches and bosses. But let’s review: Which statement from a leader would motivate your end users to make some changes?

“You’re the main reason we’re having this problem.”

“Our team really needs your help. You’re the perfect person to solve this problem.”

Easy choice, right? Not so much in the IT world. Despite everything we know about human motivation, we still constantly hear IT and security leaders trying to coax end users into taking security more seriously. Everywhere you turn, someone is calling an organization’s end users “the weakest link” in the cybersecurity plan. It’s especially common in marketing materials and social media posts from security awareness and training providers.

We’re not saying it’s untrue that end users are involved in most attacks. But we are saying it’s counterproductive to approach them as a liability rather than as an asset.

Research shows that about 80% of successful data breaches involve some form of social engineering. But how many of your employees will eagerly embrace a defense-in-depth security culture if you approach them as the problem instead of part of the solution?

Rather than viewing your end users as a weakness to offset, enlist them as frontline defenders. Call them an extension of the security team. Pump them up as a critical piece of the overall data protection effort. Show them that they can personally make your organization safer.

Changing your mindset—and building it into all your communication with end users—provides a solid cornerstone for building a successful awareness and training program that your user base will embrace.


Plan Effective User Training

Recently (though not for the first time) we saw a social media post stating–with passion!–that training end users to spot phishing e-mails is a waste of time and resources. Wrong answer. Training and simulated phishing campaigns work—if they’re well-planned, well-executed and given time to work.

Here are a few ways to create training and testing programs that get buy-in from your team:

  • Measure progress. Make a detailed plan for measuring your end users’ baseline knowledge and for measuring their progress after training. The baseline information will help you plan training with the proper relevance, timing, sophistication, etc. How can you deliver appropriate training and testing if you don’t know what most of your users already know? We’ve created sophisticated phishing tests with e-mail messages that fool all but the most attentive IT professionals. Anything less would’ve been too easy to truly test the targeted users. But such a difficult test would’ve completely missed the goal if it was aimed at workers who rarely use e-mail.
  • Set realistic expectations. Aiming for a zero “click rate” on the simulated phishing messages is unrealistic. Phishing training aims to dramatically lower click rates, not achieve a perfect score. While you may get a zero click rate on an individual phishing campaign, it is highly unlikely over multiple campaigns. The takeaway: Publicly congratulate your users for improving their phishing awareness during your next campaign. Don’t chastise users for failing to get a perfect score.
  • Include EVERY user. If you excuse senior leaders from a phishing training program, your end users will know it. And they’ll naturally think, “If the people at the top don’t care, why should I care?” Then the stats from your company’s phishing training and overall awareness/training program will show this attitude. You’ll see more people clicking on simulated phishing messages, and you’ll see people spending less time consuming awareness and training materials. Your security culture must start very publicly at the top.
  • That means you need to include IT and security teams, too. Even highly trained security and IT professionals fall for phishing e-mails. Include those users in your tests, even if that means customizing the test messages to reflect each user group’s sophistication level. This case study shows how one Pratum customer tested its IT team with some of the most convincing simulated phishing e-mails we’ve created yet.
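The measurement approach described above, as an added worked example (not Pratum’s own tooling): per-group click rates against a baseline campaign, a flag for any group that was quietly left out of a later campaign, and a pooled rate so a single zero-click campaign is not mistaken for a perfect program. The campaign and group names and all outcomes are constructed sample data.

```python
# Constructed sample: campaign -> user group -> one True/False per user
# (True = clicked the simulated phishing link). Names and outcomes are made up.
RESULTS = {
    "baseline": {"finance": [True, True, False], "it": [True, False], "execs": [True, True]},
    "q1": {"finance": [True, False, False], "it": [True, False]},        # execs were skipped
    "q2": {"finance": [False, False, False], "it": [False, False], "execs": [False, True]},
}


def click_rate(outcomes):
    """Fraction of recipients who clicked; 0.0 for an empty group."""
    return sum(outcomes) / len(outcomes) if outcomes else 0.0


def progress_report(results, baseline="baseline"):
    """Compare each campaign after the baseline with the baseline, per group.

    Returns {campaign: {group: info}}. info carries the campaign click rate,
    the change versus baseline (negative is improvement) and a status of
    'improved', 'not improved' or 'excused' (group present at baseline but
    left out of this campaign, which the post warns against)."""
    base = {g: click_rate(o) for g, o in results[baseline].items()}
    report = {}
    for campaign, groups in results.items():
        if campaign == baseline:
            continue
        entry = {}
        for group, base_rate in base.items():
            if group not in groups:
                entry[group] = {"status": "excused"}
                continue
            rate = click_rate(groups[group])
            entry[group] = {
                "status": "improved" if rate < base_rate else "not improved",
                "rate": round(rate, 3),
                "delta": round(rate - base_rate, 3),
            }
        report[campaign] = entry
    return report


def cumulative_click_rate(results, baseline="baseline"):
    """Click rate pooled over every post-baseline campaign.

    A single zero-click campaign (finance in q2) does not mean a zero
    program-wide rate; this is the number to report the trend on."""
    clicks = sends = 0
    for campaign, groups in results.items():
        if campaign == baseline:
            continue
        for outcomes in groups.values():
            clicks += sum(outcomes)
            sends += len(outcomes)
    return clicks / sends if sends else 0.0


if __name__ == "__main__":
    for campaign, entry in progress_report(RESULTS).items():
        print(campaign, entry)
    print("pooled post-baseline click rate:", round(cumulative_click_rate(RESULTS), 3))
```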

So, let’s treat end users as frontline defenders, provide testing in a way that engages them, and view phishing training as a control with some of the best ROI in the security business. Ultimately, these will improve your organization’s overall awareness and training results and help with your “security bench strength.”

For help in planning a training program customized for your users’ needs, contact Pratum today.

TAI Roadshow

While announcing the topics at the first session of the 2021 Iowa Technology Roadshow, the host read “cybersecurity” and then looked around the room. “Everyone just got out their pen and paper,” she noted. Pratum gets that a lot these days. Every on-task business leader is looking for answers to the run of ransomware attacks pressing down on the summer of 2021 like a heat wave.

To help leaders navigate of-the-moment changes in the tech landscape, the Technology Association of Iowa hosted five days of presentations across the state in late June. Pratum Founder and CEO Dave Nelson joined each day’s discussion with other tech leaders to talk solutions for business interruptions, securing employee data access and dealing with the hackers knocking on your system’s door every day. Here are top takeaways from the roadshow’s kickoff panel.

Your data may be safe—but is it available?

On the first morning, Dave drew attention to two frequently neglected elements in the classic cybersecurity pillars of confidentiality, integrity and availability. Most cybersecurity conversations fixate on confidentiality. But overlooking integrity and availability could leave you in a tough spot when a breach occurs.

Data integrity ensures that information you access tomorrow is exactly the same as it was when you accessed it yesterday. Dave used the example of a nurse administering medication. “You have to guarantee that the data about how that medication was administered in the past is completely accurate so that you can make sure the dose you’re about to give is accurate.”

Recent ransomware headlines illustrate the critical role of data availability. “I can guarantee that your data remains confidential if I put your server in a hole in the ground and pour concrete over it,” Dave said. “No one’s going to get to that information—including you.” Safe, but not realistic. In the Colonial Pipeline ransomware attack, a lack of data availability meant Colonial shut down for several days, cutting off much of the East Coast’s gasoline supply.

Take a harder look at your backup

But your data backups will save the day, right? Maybe eventually, Dave warned the roadshow audience. But are you positive that you can quickly restore everything you need from backup? And what is “quickly” in the case of your business? What if it takes a week or two weeks to restore your critical systems? “Now you’re scrambling to run your business,” Dave says. “How will you do payroll? Will you back up a Brinks truck and pay everyone in cash? How do you pay vendors? How do you track inventory and raw materials?”

To be truly confident in your backup strategy, you’ll need a written incident response plan and enough test runs to confirm that you can restore your systems in an acceptable timeframe.

How fast is fast enough for restoring data? “You can’t answer that without looking at what’s going to happen to your business,” Dave said. “Cybersecurity is not just a technology problem. It’s a business problem. If you take one thing from today, look at security from a risk-based perspective. Don’t just throw technology at it.”

Limit access, even for people you trust

Sticking with the theme of supporting good technology with good policies, Dave told the audience that much of your risk may be a relatively simple matter of giving too much access to too many people. Reduce everyone’s access to only what they absolutely need to do their jobs, and you’ve just limited what’s exposed to a dishonest employee or a hacker who gets the credentials of an honest one. “All of a sudden, you solved a big part of your problem without spending any money,” Dave said.

This scenario applies even to the titans of classified information. Consider the case of the National Security Agency, which controls data at a level most of us can’t dream of. And yet one person—Edward Snowden—invalidated a giant swath of the agency’s expenditures on securing data.

Assume you’re under attack

Panelist Laura Smith, CIO of UnityPoint Health, urged the audience to understand that their organization is under siege by hackers. “Even if you think you aren’t being attacked, you are,” she said. “So assume you’re being attacked and figure out how to mitigate it.”

Laura noted that her healthcare organization sees literally millions of threats a day across its large system. The massive volume of threats stopped by firewalls and by e-mail filtering reveals the scope of the threats. Hackers use automated tools to constantly scan the Internet looking for vulnerable systems. When they find an opening, they may attack with ransomware without even knowing what kind of data they’ve locked up. Don’t think you’re safe just because you don’t consider your information valuable enough to attract a hacker’s interest.

Rate your priorities

Laura acknowledged that securing all of your data at the same level isn’t realistic or even necessary. Her organization looks at every business process on a spectrum of acceptable risk. “On one end, we say we’re taking no risk when it comes to delivering patient care, so we invest a lot there. There are other things where it’s a less critical business process, so we don’t invest as much there.” Her team analyzes every process to assign the proper mitigation within a variable risk range.

How to sell security to executives

Laura also touched on how to win support for cybersecurity investments from executives who must constantly choose among competing budget requests. For starters, make sure you’re relying on a widely accepted framework such as NIST 800-53 to show that you’re seeking to follow best practices from trusted third-party organizations.

Investing in a third-party information security risk assessment provides a detailed list of your vulnerabilities and the risk associated with each one.

You can also support your case by gathering benchmarks on typical cybersecurity investments for your sector to offer proof that you aren’t keeping up. Organizations such as Gartner and IDC provide annual reports that help guide and support your security budget requests.

For help interpreting all of these industry trends and applying them to your organization’s situation, contact us today.

Cybersecurity for Your Business

Cybersecurity conversations filled the halls when 400 Iowa business leaders came together for the first time in two years in early June. New breaches dominated the headlines as the Association for Business and Industry’s Taking Care of Business conference convened. In fact, throughout the gathering, Iowa’s largest community college was shut down while trying to recover from a ransomware attack.

All the breaking breach news put cybersecurity at the front of many minds. It was hard to find a conference attendee who still thought their business is too small or their data too boring to draw a hacker’s interest.

To help leaders across industry sectors understand how to ramp up their organizations’ security posture, Pratum Founder and CEO Dave Nelson joined a panel discussion on best practices for business cybersecurity. Here are key tips highlighted during the discussion.

  • Protect the data, not the device – The world’s rapid jump to remote work in 2020 accelerated the move toward security that is data-centric rather than device-centric. In short, the old approach focused on locking down access to servers, devices and networks that were all under a company’s physical control. But as thousands of employees instantly switched to working on personal devices and networks, organizations realized that data needs to carry protection wherever it travels.
    “You no longer control the devices or networks. And that’s scary for data managers and business leaders,” Dave Nelson said. “Many of the risks that leaders were willing to take were based on a security model that was basically invalidated overnight.”
    Read this Pratum blog to learn more about the shift to data-centric and zero-trust architecture.
  • Call your attorney first during a breach – If you realize hackers have gotten into your system, your first call should almost always be to your attorney. Brian McCormac, an attorney at Pratum partner BrownWinick, pointed out during the panel that activating attorney-client privilege early serves your best interests. “Once a client engages us,” Brian said, “we can engage the cybersecurity service under attorney-client privilege.” That allows frank conversations with the cybersecurity company without putting things into the legal record.
    You should also contact your attorney before your insurance carrier to increase the chances that you can work with an attorney you know. “An insurance company will probably assign you a law firm in another city,” Brian said. “They don’t know who you are. And counsel that is only working with you one time probably won’t take your call at midnight if you’re in the middle of a breach.”
  • Call in cyberinsurance at the right time – The panel offered several other best practices for working with cyberinsurance carriers. Dave noted that talking to your insurance carrier first may be “giving them notice of an issue that they wouldn’t even need to know about otherwise.” Work with your attorney and cybersecurity consultant to fully assess the situation before getting insurance involved.
  • Build your response team in advance – Successful breach recoveries typically come from building solid relationships with an attorney and cyberinsurance consultant before the problem starts. Your incident response team helps you establish policies that will probably prevent breaches in the first place and helps you handle breaches more efficiently. Plus, if your team knows your business in advance, they’ll be able to provide more accurate and timely advice when you’re facing a critical incident.
    Identifying your partners in advance also gives you time to ask your insurance carrier to put them on the approved vendors list. If you don’t do this ahead of time, you’ll be stuck using your insurance company’s providers, even if they cost more than your preferred local provider and don’t know your business.
  • Train your employees – BrownWinick attorney Drew Larson said, “Your weak vector isn’t always a hacker. It’s often an employee.” Brian echoed the point by noting that most breaches start with an employee clicking on a malicious link in a phishing e-mail. “It causes great harm,” Brian said, “but it’s not the person in a basement in the Ukraine hacking away at your firewall.”
    The solution is to train your entire team in how their actions affect the organization’s security—and then train them again every few months. Our Employee Security Training Planner helps you lay out an ongoing plan to build cybersecurity into your culture.
  • Pay attention to mobile device management – Dave noted that every robust security policy should address best practices for mobile device management. Tools such as InTune, for example, let you separate personal and business use of the device by quarantining business data in a sandbox area on the phone. And even if a user doesn’t turn on encryption on their phone, you can have certain data encrypted.
  • Encrypt your data – Speaking of encryption, the panel recommended giving more attention to your policies for this critical area. Proper encryption not only keeps bad guys out of your sensitive data but also provides legal advantages. Brian noted that, “Encryption often provides a safe harbor under breach notification laws. In some cases, you can avoid those notices if you encrypt the data.”
  • One great tip – Closing out the panel, Dave and Brian offered these best practices when asked for one recommendation they’d make to any organization:

Dave Nelson: "Get an IT risk assessment. That keeps you from spending so much money on the wrong areas that you don’t have money left for the important ones. If you don’t start with a risk assessment, you’re just throwing darts—and you don’t even know if you’re facing the dartboard."

Brian McCormac: "Map your data. Invariably, you have info you don’t know you have. Businesses are very siloed. HR doesn’t know what marketing has, and legal doesn’t know what anybody has. One company was collecting racial info in Europe, which is a big no-no. Why? They didn’t know. They just said they always have. So pursue a plan for data minimization. Have only the data you need and make it available only to those who must have it."

For help in understanding how any of these areas affects your specific situation, contact Pratum today.
