The Weak Link of Cybersecurity: Understanding and Improving the Human Factor

When I’m not writing about the dynamic world of cybersecurity, I enjoy my ordinary day job in the development department of an ordinary company. It was on one of these ordinary mornings that I received three email alerts from our CEO:

  • “We've experienced a phishing incident!”
  • “You must change your password!”
  • “We have initiated MFA!”

That was before my morning coffee—not an ordinary way to start my day.

It’s natural to think phishing attacks are simple to detect, with their poor grammar and suspicious links. The truth is, social engineering has become sophisticated, using automated tools to quickly gather large amounts of data. AI-powered bots can adapt to human behavior and generate emails that mimic the tone and phrasing of vendors, clients, and even company executives, making employees easy targets for scams and fake-link emails. And don’t think scams only happen to sweet old bookkeepers who lack modern computer skills; these attacks are capable of tricking even savvy users. How effective are they?

Even Experts Get Phished

Consider security expert Troy Hunt, a recognized leader in the cybersecurity industry and creator of Have I Been Pwned (a great resource for checking whether an email address has been involved in a data breach). Despite being a seasoned cybersecurity professional, Hunt was fooled by a convincingly written phishing email that appeared to come from Mailchimp, his newsletter provider. The email claimed his account had been restricted due to a spam complaint and urged him to log in to resolve the issue.

Jet-lagged and tired, Hunt clicked the link, which pointed to a look-alike domain (mailchimp-sso.com instead of the legitimate mailchimp.com). He missed the subtle red flags, such as the odd domain name and the fact that his password manager didn’t auto-fill his credentials. After he entered his login details, the phishing site captured them; the attackers then logged into his real account and exported his mailing list of nearly sixteen thousand members. It’s a stark reminder that humans, no matter who they may be, are still the weakest link in most data care plans.
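The two red flags in Hunt’s story are mechanical, not just intuitive: a password manager binds each saved login to the exact site it was created on, so silence on a look-alike domain is itself a warning. The script below is an added example written for this post (it is not Hunt’s, Mailchimp’s, or any password manager’s code) and models that origin-bound autofill rule plus a simple brand-impersonation check. The vault contents and the brand list are constructed for the demo, and the domain extraction is a deliberate simplification of what a real product does with the Public Suffix List.

```python
"""Added example (not from the original post): why a password manager's silence is a signal.

A password manager fills credentials only on the registrable domain they were saved
for, so a look-alike host such as mailchimp-sso.com gets nothing. This script models
that rule and also flags hosts that contain a known brand name but are not that
brand's own domain.
"""
from typing import Optional
from urllib.parse import urlsplit

# Constructed vault for the demo: saved logins keyed by registrable domain.
VAULT = {
    "mailchimp.com": {"username": "newsletter-admin", "password": "<stored secret>"},
}

# Constructed list of brands this organization actually logs in to.
KNOWN_BRANDS = ["mailchimp", "github"]


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL (empty string if none)."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(url: str) -> str:
    """Last two labels of the host. Simplification: real products consult the
    Public Suffix List so that e.g. example.co.uk is handled correctly."""
    labels = host_of(url).split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host_of(url)


def autofill(url: str) -> Optional[dict]:
    """Return saved credentials only on an exact registrable-domain match."""
    return VAULT.get(registrable_domain(url))


def looks_like_brand(url: str) -> Optional[str]:
    """Flag a host that mentions a known brand but is not <brand>.com itself.
    Catches both mailchimp-sso.com and mailchimp.com.evil.net style hosts."""
    host, domain = host_of(url), registrable_domain(url)
    for brand in KNOWN_BRANDS:
        if brand in host and domain != f"{brand}.com":
            return brand
    return None


def assess(url: str) -> dict:
    """Combine the two signals into the advice an employee should act on."""
    creds = autofill(url)
    brand = looks_like_brand(url)
    if brand is not None:
        verdict = f"stop: host imitates {brand} but is not its domain"
    elif creds is None:
        verdict = "caution: no saved login for this site, do not type a password from memory"
    else:
        verdict = "ok"
    return {
        "domain": registrable_domain(url),
        "autofill": creds is not None,
        "impersonates": brand,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for link in ("https://login.mailchimp.com/", "https://mailchimp-sso.com/login",
                 "https://mailchimp.com.evil.net/sso"):
        print(link, "->", assess(link)["verdict"])
```

The point of `assess` is the ordering: an impersonation hit wins over everything else, and a missing autofill is treated as a reason to pause rather than to type the password by hand, which is exactly the habit the story above argues for.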

The Culture of Mindsets and Passwords

Fortunately, there are practical strategies you can implement that address the human element in cybersecurity and data care. They begin with understanding two categories: cultural obstacles and best practices.

Cultural Obstacles: Mindset and Awareness

Mindset: When leadership fails to prioritize cybersecurity, employees likely follow their example. Without a clear understanding of the reasons and benefits behind secure data practices, staff may neglect software updates and skip essential security reboots, creating unfortunate vulnerabilities and cyber risks. Meanwhile, with the advancements in AI, even novice criminals are quickly setting up shop—with greater abilities and more sophisticated threats. Building a strong security culture must begin at the top of an organization.

Awareness: Even with the right leadership, what matters is what happens when employees are juggling several tasks at once. Distracted people are more susceptible to social engineering, and this isn’t a problem only for the less tech-savvy. These attacks skillfully lure people into revealing sensitive information, which attackers then exploit.

Often, a rushed employee clicking harmful links is what provokes the problem—and it happens every day. Think about the last time you quickly answered an email between meetings or while running out the door. Cybercriminals count on these moments—when we’re least likely to spot a suspicious link or double-check a sender’s email address. The best and easiest tip is to simply slow down.

Give every unexpected email a second look, especially if it seems urgent. It’s the “quick-click” that gets most people into trouble. Make it a habit to hover over links and email addresses to verify a source before you click.

Best Practices: Passwords and Policy

Passwords: Using basic login credentials or reusing the same password across several accounts can give persistent hackers quick access to valuable data (I’m talking to you, Mr. & Mrs. Password123.) One practical fix is to implement multi-factor authentication (MFA) to add a second layer of protection to your login credentials. Another idea is to utilize a password management system that generates and stores complex passwords in an encrypted file. If you can remember all your passwords, they’re probably too simple.

Policy: Employees need to be well-equipped to identify and avoid cyber threats. The Cybersecurity and Infrastructure Security Agency (CISA) emphasizes that “a strong office policy is foundational for an organization’s resilience and operational continuity.” Simply said, companies need to welcome the benefits of continued training, simulated exercises, and procedures for reporting suspicious activity, all of which reduce the human error factor.

Building Your Culture of Cyber Vigilance

Let’s face it: there’s no silver bullet for cybersecurity, especially when people are involved. The good news is you don’t need a massive budget to make meaningful improvements. Company safety can begin with small, practical steps, like prioritizing cyber education.

Encourage your HR department to expand your knowledge base library with advanced cybersecurity content, like interactive training tools, short videos, and even online games that score employees on their security know-how. This creates a team environment that rewards high scores and creates a culture of data care.

It’s also vital for companies to check for policy and compliance gaps using an effective discussion-based activity, known as a tabletop exercise—a guided, in-office simulation led by a cybersecurity consultant. These low-stress workshops walk your team through realistic scenarios, helping them practice and strategize how to respond to a real cyber incident. It’s a safe way to spot weaknesses and prepare for future problems.

Focusing on your staff, policies, and everyday habits is the most effective defense when you blend knowledge with smart technology. Both the National Institute of Standards and Technology (NIST) and CISA support using cyber action plans for your business. Such a plan lays the groundwork for building an effective cybersecurity culture.

The Human Firewall

If you haven’t figured it out by now, I place great value on data assets; they’re your company’s most prized possession. Customer information, financial records, personal employee details, and mailing lists all represent assets that must be safeguarded. Protecting these valuables is a top priority, and organizations often turn to technology for a resilient defense. Firewalls, advanced encryption, multi-factor authentication, and threat detection tools are all designed to block malware, detect threats, and keep out attackers.

Yet even the most sophisticated defenses have their limits. No software or hardware can guarantee complete safety if a single unsuspecting employee inadvertently leaks confidential information. The fact remains: technical solutions alone cannot address every risk.

This is where the human element comes into play. When employees are properly informed and mindful of their actions, they form what is often called a “human firewall.” By encouraging awareness, training, and a culture of shared responsibility, organizations can strengthen this important human factor and ensure that technology and people work together to protect what matters most. Here are five policies you can implement today to help improve your human firewall:

1. Provide regular security awareness training:

Don’t let training be a once-a-year checkbox; make it a routine. Run simulated phishing exercises to measure how employees respond, and give them simple step-by-step procedures for reporting a suspected cyber threat. Practice like this hardens your staff against common malware, which often disguises itself as a harmless application or a PDF attachment.

2. Educate employees:

Make cybersecurity part of everyday conversation. Encourage employees to share unusual or suspicious emails with your IT department—no concern is too small.

The more your staff talk about threats, the more likely they are to report them. There are companies, like KnowBe4, that teach employees to spot phishing and other cyber threats with simple, practical online lessons that engage your employees and build understanding of and commitment to safe practices. Find the right program for your company.

3. Put more thought into passwords:

Don’t let “Password123” be your downfall. Make strong passwords mandatory. Encourage employees to use unique alphanumeric combinations for each account, avoiding words that contain common personal information like your pet’s name or your birthdate.

Better yet, sign up for a password management system, an effective software tool created to generate and store unique passwords for every online platform you use, so you only need to remember one master password. Reducing the burden of good password habits is an effective step you can take to lower the risk of a security breach.

4. Embrace Multi-Factor Authentication:

Another cost-effective tool you can incorporate is multi-factor authentication. Both CISA and NIST advocate for adopting MFA as an essential security measure—providing an extra layer of protection to the login process.

This added verification hinders unauthorized attempts to access an account by requiring a second validation step, such as a one-time passcode generated by or sent to your phone, so a stolen password alone is not enough to get in.
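To make the “one-time passcode” concrete, here is an added example written for this post (not code from CISA, NIST, or any authenticator product) that implements the standard time-based one-time password algorithm from RFC 6238 and a login check that requires both factors. The account record, password, and shared secret are constructed for the demo; the RFC’s own published test vector is used to show the code generator is correct.

```python
"""Added example (not from the original post): how a one-time passcode second factor works.

RFC 6238 TOTP: the server and the employee's phone share a secret; each derives a
short code from HMAC-SHA1 over the current 30-second time step. Knowing the
password alone does not pass, and a code stops working once its window closes.
"""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6

# Constructed demo account. A real system stores a salted password hash and keeps
# the TOTP secret in protected storage; both values here exist only for the demo.
ACCOUNT = {
    "username": "jsmith",
    "password_hash": hashlib.sha256(b"Password123").hexdigest(),
    "totp_secret": b"constructed-shared-secret-bytes",
}


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 code for the time step containing unix_time (HMAC-SHA1, dynamic truncation)."""
    counter = unix_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to tolerate clock drift."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            return True
    return False


def login(username: str, password: str, code: str, unix_time: int = None) -> str:
    """Both factors must pass. The distinct reason strings are for the demo only;
    a production login should return one generic failure message."""
    now = int(time.time()) if unix_time is None else unix_time
    if username != ACCOUNT["username"]:
        return "denied"
    supplied = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(supplied, ACCOUNT["password_hash"]):
        return "denied"
    if not verify_totp(ACCOUNT["totp_secret"], code, now):
        return "denied: second factor"
    return "ok"


if __name__ == "__main__":
    # Simulate an attacker who phished the password but does not hold the phone.
    now = int(time.time())
    print("password only:", login("jsmith", "Password123", "000000", now))
    print("both factors :", login("jsmith", "Password123", totp(ACCOUNT["totp_secret"], now), now))
```

The one-step drift window in `verify_totp` is the usual compromise between phones whose clocks are slightly off and keeping a stolen code useful for only about a minute; `hmac.compare_digest` is used for both comparisons so that timing does not leak how much of a guess was right.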

5. Establish guidelines for reporting unusual activity:

Effective policies and procedures encourage employees to be proactive in identifying and reporting possible threats. Create policy notices and post them in clear view. Update your incident response plan regularly and run periodic drills so everyone knows what to do. When people know their role, they can respond to threats quickly and keep a small problem from becoming a big one.

Technology is your friend, but awareness is key

It goes without saying: running a business is a constant hustle. Between managing customers, operations, and marketing, you barely have time to breathe, let alone think about cybersecurity. Yet in today’s automated world, the need for proper data protection is greater than ever. Our post-Covid society is firmly planted in remote work, cloud-based storage, and constant mobile connectivity.

At the same time, thanks to the recent improvements in artificial intelligence, highly adaptable security solutions are available to help you level the playing field against those persistent cyber threats.

Fortunately, you don’t have to face these decisions alone or become a cybersecurity expert overnight. With a thoughtful approach and the right support, you can put practical, effective safeguards in place—protecting your data and empowering your team to be the first line of defense.

Call Atlantic Data Security to discover the best tools for your team and your company. ADS is a leader in providing specialized packages for small, medium, and large companies, as well as government agencies.
Michael Civisca is a freelance contributor for Atlantic Data Security. For over thirty years, ADS has established itself as a pioneer in the cybersecurity industry with highly customized solutions for its clients.