Company culture a key defense against cyberattacks, experts say

The chief financial officer of a client of InfoPathways, a technology company based in Westminster, recently exchanged emails with someone he thought he knew but later realized he didn’t.

According to InfoPathways President Theresa Bethune, her company was asked to look into the exchange. They discovered that the unknown person was able to spoof the CFO’s  email address and convince one of the company’s clients to send $125,000 to a bogus account – money that would have gone to the scammer if the bank, suspicious, hadn’t held up the payment.

That sort of scam is among the countless and ever-growing types of cyberattacks being launched against companies, according to Bethune. And while companies are taking a greater interest in cybersecurity than they used to, she said, it’s often not enough.

“One of the big things we see is, if companies don’t have a strong culture around cybersecurity from the top down – and I mean from the board of directors to your front-line employees – they are likely going to miss something or fail,” she warned. “It’s definitely about being vigilant. There’s only so much the technology can do to protect you from the invaders.”

RELATED: Companies that handle data explore cyber insurance as part of protection strategy

Bethune, like many cyber experts, is all in on a concept known as “psychological security.” As defined in a recent column in Forbes, psychological security is the idea that cybersecurity issues are largely caused by behavioral or cultural habits within a company.

“Employees are told not to make mistakes, or that mistakes will be extremely costly,” wrote columnist Shama Hyder, “but they are not given the tools they need to understand how to avoid mistakes.”

The concept is not new to Tasha Cornish, executive director of the Cybersecurity Association of Maryland, Inc.

“This is something we talk about a lot,” Cornish said. Her favorite way of explaining the concept to companies, she said, is this: Your people are your greatest risks, but they can also be your greatest assets when trained correctly and prepared – empowered with the right information.

“Whenever we have educational opportunities, we try to talk about it,” Cornish said.

Part of what is needed, Cornish said, is a shift in common practices. For example, she explained, employees are used to opening and responding to emails quickly. But scammers know that and also know that the culture of speed can lead to careless mistakes.

RELATED: Many companies unprepared to handle insider cyberattacks, survey finds

Better to pause and consider the possible threat, Cornish said, before responding and possibly opening the door to a cyberattack.

The necessity of having an effectively and frequently trained workforce appears to be sinking in, Cornish said. “I think business leaders are getting to the point where they really understand the potential costs to their business,” she said. “They understand that the employees’ behavior is really driving (the problem), and I think we’re seeing a shift.”

Others are not so sure.

Tim Schilbach, founder and CEO of Penacity, a cybersecurity company based in Hanover, argued that most companies are not doing a good job of adequately training employees.

“It takes a lot of investment,” said Schilbach, whose company works with both private companies and government agencies. “But a lot (of companies) are just looking to check the box – if they’re required to train once a year, that’s all they do.”

Schilbach, who has clients in 37 states, said his company was founded on the notion that people are many organization’s weakest link when it comes to cybersecurity. You can have as many high-tech bells and whistles as you want, but if employees are unwittingly helping the bad guys get in, it could all be for naught.

Rather than training just once or twice a year, Schilbach recommends security training that is far more frequent – monthly, for example. In addition, he said, the training should be fun – not a dry lecture or stale video.

“Try to engage people, make it fun,” he said. “Like, ‘Hey, can you spot what’s wrong here?’ ”

Just as important, Schilbach said, employees need to be tested on what they learned – and, for those who fail, retrained and tested again and again until they pass.

“You can spend millions or even billions a year on a lot of tech,” he said. “But if people are unwittingly helping the bad guys get in, it’s a problem.”