Cybersecurity and the Workforce: Strengthening Weak Links
Troy McCollum and Butch Bracknell
Cybersecurity Awareness Month, annually observed in October in the U.S., is an excellent time to reflect on cybersecurity practices, training, business risks, and strategies to manage this risk for companies. Annually, cyber incidents (intrusions, breaches, and similar security gaps) cost U.S. businesses disproportionately more than the costs associated with active cybersecurity risk management. For example, cybercrime is up 600% due to the COVID-19 pandemic, as more people work from home and are online more hours each day. Cybercrime estimates top $10.5 trillion – TRILLION – annually by 2025.
The average cost of a data breach to a U.S. business or organization is about $2.98 million, and phishing costs, on average, $14.8 million per successful attack. Some of these costs can be avoided and risks mitigated for businesses and organizations through investment in cyber defense capabilities and kit, smart employment policies, effective training integrating applicable ISO standards, and enforcement of cyber hygiene practices.
Cybersecurity hygiene and risk management primarily come down to the end user. Security is a journey, not a destination. The tools, patches, systems, and networks are helpful. Still, effective cybersecurity postures depend disproportionately on the conduct and cyber discipline of the end user, their training, personal and professional restraint, and instincts. Purchasing a full security stack of tools does not finish the job. It’s just the beginning.
Personal cyber hygiene practices are almost always the number one risk for organizations. Hollywood portrays complex hacking efforts that can penetrate networks without help – which is true – but most intrusions and hacks start with a virtual invitation by a network insider through phishing, spoofing, or similar techniques. One good analogy is that a thief can steal money by cracking a safe in a bank vault, or he can walk right into an open door at the bank where the cash drawers have been left unguarded, and the safe deposit boxes have the keys unattended.
Companies ranging from publicly traded multinational corporations to privately held C and S corporations, small business LLCs and partnerships, to nonprofits and public institutions have scaled cybersecurity interests. These different business and corporate organizations are not neatly binned, because cybersecurity is matrixed – multinational corporations often make grants to nonprofits; university research foundations frequently exchange data with companies, hospitals, and grant sponsors.
Cybersecurity risk is not wholly reliant on a company’s hygiene and employee practices but also on the cybersecurity posture of partners with which organizations do business. Moreover, for federal contracts, cybersecurity standards can be imposed on subcontractors via flowdown clauses. Organizations should also consider negotiating cybersecurity incident indemnification clauses into contracts and ensuring adequate insurance coverage. Considering partner cyber hygiene practices is an essential consideration in engaging in transactions, pricing, and regulatory/compliance planning.
This factor is markedly true in mergers and acquisitions. Organizations must actively assess and manage risk when deciding in whom to entrust the keys to the cybersecurity kingdom.
Security culture can also be generational. Generation Z are digital natives – that is, a person born and matured during the information age of digital technology from birth, rather than having had to learn it as adults – yet the National Cybersecurity Alliance has been found to “have higher cyber incident victimization rates” than older generations. Why? First, they’re more immersively connected – with tech familiarity comes more ubiquitous connectivity, and thus more opportunities for mischief or mistakes through “security fatigue.” Another reason is that cybersecurity is often taught in the workplace, but seldom is taught in schools. New high school and college graduates entering the workforce may present a particular vulnerability until effective organizational training and policy enforcement takes hold. Finally, younger people may be more open to the proposition that information is a public good, and therefore efforts to protect and segregate it are bad. This may be philosophically appealing, but commercially naïve in an era of foreign intelligence lurking, ransomware, denial of service attacks, and economic espionage. The Massachusetts Air National Guardsman who leaked a trove of Top Secret documents in 2022 until his arrest in April 2023 did so by posting them in Discord chat rooms to benefit his online gaming activities, not any nefarious activity related to espionage. According to the charging documents, he may have been simply too inexperienced to understand the consequences of his actions.
Finally, businesses, nonprofits, and public organizations must build cybersecurity training and compliance policies into employment handbooks and contracts. Organizations must be willing to enforce these policies through progressive discipline where warranted and consider more drastic measures where an employee or contractor’s conduct, willful or negligent, exposes the company or nonprofit to increased cybersecurity risk. In the right circumstances, an employee’s error can pose a catastrophic or even existential threat to a company.
Halloween ends Cybersecurity Awareness Month, and while this commentary has been a bit of a parade of horribles, it is not intended to be scary – only to inspire organizational leaders and managers to be wary. No cybersecurity risk management plan is foolproof, but organizations can manage risk through well-planned and resourced cybersecurity infrastructure, hiring, training, policy development, business processes, and enforcement of standards.
Butch Bracknell is a cybersecurity and business law attorney with the Norfolk law firm of Crenshaw, Ware and Martin PLC. Crenshaw Ware & Martin has been providing business counsel for Hampton Roads, Virginia, and Eastern North Carolina businesses for 100 years. www.cwm-law.com
 Claire Nuñez, How to Embed Gen Z in Your Organization’s Security Culture, Security Intelligence, December 15, 2022, available at https://securityintelligence.com/x-force/gen-z-cybersecurity-culture.