Tax season ‘24: I’m on a call with my accountant, and she says she will have to log into my local social security account to perform some essential operations. “Okay, I’ll give you my credentials so you can log in,” I said. “It’s ok; I still have it saved here from last time,” she replied.
The last time was about six months ago, and I haven’t changed my password since (my own mistake here).
My inquisitive, cybersecurity-oriented mind exploded!
“Let me ask you: where do you usually save these passwords?”
“Oh, I have an Excel spreadsheet with all my clients’ passwords. It’s all quite organized.”
“I imagine you have a strong password to protect all these passwords, right? It would be pretty bad if all this sensitive information got in the wrong hands.”
“No, I don’t need to, though. It’s stored in a secret folder hidden in my system.”
You, dear reader, can imagine how gravely dangerous this is and how terrified I was to discover that someone in charge of keeping such critical information could be so negligent with their cybersecurity practices.
If this information were to fall into the wrong hands, the potential damage to my life and anyone else on that list would be enormous.
You might say, “Oh, but this is just a small accountant!”
Not so fast. Let’s review similar cases with well-known companies.
Three big companies that made it too easy for hackers
01 – Sony and Their password.txt Files
The giant Japanese multinational conglomerate has a talent for breaches, with multiple attacks targeting Sony Pictures and the PlayStation Network.
In 2011, Sony Pictures and the PSN were hacked, and hackers leaked millions of users’ personally identifiable information. In 2014, Sony was hacked yet again.
Despite numerous breaches in their history, what sets these two incidents apart is that in both cases, hackers accessed this information via unprotected Excel and Word documents.
Thousands of data pieces, passwords, log-ins, financial information, and social media credentials for hundreds of major motion picture accounts were leaked in an easy-to-prevent mistake.
02 – How Verizon gave free access to six million people’s data

Imagine being C-level in a company with a presence in over 150 countries, 118 thousand employees, and around 115 million customers worldwide. Then imagine having to come forward to explain that “John,” from customer service, allowed public access to your cloud drive, exposing phone numbers, addresses, PINs, emails, and more information from 6 million customers.
Verizon experienced this in 2017 when a third-party vendor failed to configure its Amazon S3 storage unit properly.
The worst part is that Amazon S3 storage is private by default, meaning someone accidentally changed an access setting, exposing all the data.
Luckily for Verizon, the issue was caught by a researcher at UpGuard before the data could be leaked.
Discovery and Public Disclosure
Chris Vickery, a security researcher from the cybersecurity firm UpGuard, discovered the breach and notified Verizon of the exposure. The company promptly secured the data and launched an investigation, claiming no evidence of data theft or misuse was found.
The reputational damage was done, nevertheless.
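The Verizon case above comes down to one access setting on a bucket. As an added example (not code from the article, Verizon, or the vendor involved), this check evaluates a bucket's ACL and its Block Public Access configuration and reports whether the bucket is effectively world-readable. The dict shapes mirror what boto3's `get_bucket_acl()` and `get_public_access_block()` return, but every value below is constructed; a bucket policy is a separate exposure path that this check does not cover.

```python
from typing import Optional

# Group URIs that mean "everyone" rather than a specific account.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",           # anyone on the internet
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers", # any AWS account at all
}
EXPOSING_PERMISSIONS = {"READ", "FULL_CONTROL"}


def public_grants(acl: dict) -> list:
    """Return (grantee URI, permission) pairs in the ACL that open the bucket to the world."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if (grantee.get("Type") == "Group" and uri in PUBLIC_GRANTEES
                and grant.get("Permission") in EXPOSING_PERMISSIONS):
            found.append((uri, grant["Permission"]))
    return found


def is_publicly_readable(acl: dict, public_access_block: Optional[dict]) -> bool:
    """True when a public ACL grant exists AND Block Public Access does not neutralise it."""
    if not public_grants(acl):
        return False
    cfg = public_access_block or {}
    # IgnorePublicAcls makes S3 disregard public ACL grants even when they are present.
    return not cfg.get("IgnorePublicAcls", False)


# Constructed samples. PRIVATE_ACL is the default state: only the bucket owner.
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
                           "Permission": "FULL_CONTROL"}]}
# LEAKY_ACL is the single-setting mistake the article describes: READ for AllUsers.
LEAKY_ACL = {"Grants": PRIVATE_ACL["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
# The account-level guardrail that would have made the leaky ACL harmless.
BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for name, acl, pab in [("private", PRIVATE_ACL, None),
                           ("leaky, no guardrail", LEAKY_ACL, None),
                           ("leaky, Block Public Access on", LEAKY_ACL, BLOCK_ALL)]:
        print(f"{name}: publicly readable = {is_publicly_readable(acl, pab)}")
```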
03 – Facebook exposed up to 600 million passwords

In 2019, Facebook was once more in the limelight for exposing up to 600 million user passwords.
During a routine security review, Facebook discovered that user passwords were stored in a readable format internally instead of being adequately masked.
Although Facebook promptly fixed the issue, in some cases, these passwords had been searchable since 2012 and easily accessible by over 20,000 employees. In total, this meant 200 to 600 million passwords were compromised.
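"Stored in a readable format" versus "adequately masked" is the difference between the two storage functions below. This is an added example, not Facebook's code or the article's: the plaintext form beside a hardened form that keeps only a per-user salt and a slow PBKDF2 hash, plus the kind of audit a routine security review would run over a user table. The user records and the 600,000-iteration work factor are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumption; tune to your hardware)


def store_plaintext(password: str) -> dict:
    """The failure mode: anyone who can read the record, or a log of it, has the password."""
    return {"scheme": "plain", "password": password}


def store_hashed(password: str) -> dict:
    """Hardened form: random per-user salt plus a slow KDF; the password itself is never kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"scheme": "pbkdf2-sha256", "iterations": ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex()}


def verify(record: dict, attempt: str) -> bool:
    """Check a login attempt against either record type using a constant-time comparison."""
    if record["scheme"] == "plain":
        return hmac.compare_digest(record["password"].encode(), attempt.encode())
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def find_plaintext_records(users: dict) -> list:
    """The review step: list every account whose stored credential is still readable."""
    return sorted(name for name, rec in users.items() if rec["scheme"] == "plain")


# Constructed user table: one legacy record and one hardened record.
USERS = {
    "alice": store_plaintext("correct horse battery staple"),
    "bob": store_hashed("correct horse battery staple"),
}

if __name__ == "__main__":
    print("accounts still stored readable:", find_plaintext_records(USERS))
    print("bob logs in:", verify(USERS["bob"], "correct horse battery staple"))
    print("bob's record reveals password:", "correct horse" in str(USERS["bob"]))
```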
What do my accountant, Sony, Verizon, and Facebook have in common?
The answer is clear: the human factor. My accountant doesn’t have a CISO to educate her on cybersecurity, nor an entire IT team to configure her computer and implement the latest protection software and policies.
The big companies I mentioned had massive teams of highly skilled professionals ready. However, at the end of the day, these companies, like yours, are comprised of regular human beings like my accountant. These employees are susceptible to mistakes; most are not tech-savvy, yet they are the first line of defense for multi-billion dollar companies.
These employees most likely participated in the mandatory cybersecurity training, where they learned little and forgot everything within a couple of weeks.
How do I keep cybersecurity awareness at the top of mind in my organization?
It’s not a matter of whether an attack happens. It’s a matter of WHEN. Because IT WILL HAPPEN.
When scammers surround your digital fortress, lurking around every corner and testing your defenses multiple times a day, your team will need to be vigilant and well-prepared to respond.
Yes, you trained them twice last year and gave them all the necessary information. So why are they still susceptible to making careless mistakes?
Some of the main differences between your regular annual cybersecurity training and year-round cybersecurity awareness include:
- Consistency: Consistent messaging is key. Long intervals between awareness sessions favor the forgetting curve, which describes how quickly employees forget newly learned information. Employees should engage with current cybersecurity themes and events at least once a month.
- Snackable Content: Delivering bite-sized information over a more extended period is much more effective than dropping a ton of content in a couple of sessions over the year. Your staff already has a lot on their minds: day-to-day work, chores, family, finances, and career. Consistently sharing just enough cybersecurity information makes it easier for people to digest it.
- Relatability: As leaders committed to our organizations, sometimes we’re so preoccupied with protecting our company that we overlook that many employees are not nearly as concerned about the company’s servers as we are. The good news is the principles of corporate cybersecurity are also applicable to personal security, and vice versa. Therefore, by teaching employees how to safeguard themselves and their families, they are more likely to remain vigilant about security at work.
“Consistently delivering bite-sized, relatable cybersecurity content, applicable in your employees’ personal and professional lives.”
That is the answer!
How can Aware Force make me a hero and promote massive employee engagement in cybersecurity?
We have the perfect solution if you’re committed to taking cybersecurity to a new level in your organization.
Our offer is simple:
- Massive employee readership makes you the hero
- Real-time metrics dashboard, generating amazing ROI
- Insanely easy to implement and cost-effective
- All branded for your organization
Our team is standing by to show you some of the innovative ways organizations use Aware Force to engage their employees. (And the employees let them know how much it’s appreciated!)
Get in touch with us at https://awareforce.com/contact-us/.
Sources: Forbes, UpGuard, Ars Technica, BuzzFeed, Krebs on Security