Ask the Expert: How to Prevent Cybersecurity Breaches

In the “Ask the Expert” series, we interview GardaWorld’s leaders on key topics relating to the security industry. In this edition, we explore how the biggest cybersecurity threat is human negligence with Jean-François Leduc, Vice President and Chief Information Officer of GardaWorld.

At-a-glance: Key Takeaways from this blog

• What are the cybersecurity threats of today
• Why the greatest cybersecurity threat is human error and understanding it 
• How companies can protect themselves against cyber attacks 
• Cybersecurity education & awareness are the best ways to prevent breaches 

Cybersecurity is a vital issue for any business. The average cost of data breaches in the U.S. are $5.45M, and 25% of attacks target the financial sector, alone. As such, we must ask ourselves: “How can companies mitigate the risks of data breaches?” and Mr. Leduc shares his insights and tips on current trends, challenges, and best practices.

What does a cybersecurity attack look like today?

Jean-François Leduc: “Cyberattacks today are more sophisticated and diverse than ever. Hackers have realized that companies are better protected. They have all the tech in place to keep their data safe, but the real threat is human error. Over 80% of breaches are due to negligent behavior.”

Hacking has become a form of organized crime, and these organizations take advantage of human inattentiveness as the main vector for their attacks. It’s what we call social engineering, which is the manipulation of people into performing actions or divulging confidential information.

For example, the most common threats are phishing emails or text messages that look like they come from a trusted source, such as your bank, your employer, the government, or your colleague. These messages ask you to click on a link or provide personal information. By doing so, you may compromise your account, infect your device, or expose your data.

With AI, attacks have become more sophisticated. It’s easy to find all the information about a company, its executives, its services to sell a credible story to an unsuspecting target. For instance, hackers might call you, pretend to be your bank, and ask for a two-factor authentication code that was sent to your phone as a means to confirm your identity – when in reality, they were the ones who triggered the code while trying to gain access to your online banking portal.

What are the types of Cyberattacks?

• Phishing and Social Engineering: Attempts to trick employees or customers into sharing sensitive information such as login credentials or documents.
• Insider Threats: Employees or contractors who abuse their access to systems for malicious purposes or personal gain.
• Ransomware Attacks: The installation of malware that cripples an organization’s systems and data so that hackers can demand a ransom or to make a political statement.
• Advanced Persistent Threats (APTs): A targeted, long-term attack that involves infiltration, lateral movement, and data exfiltration.
• Denial of Service (DoS) Attacks: Making a machine or network inoperable by flooding it with traffic.

What are the vulnerabilities that companies should be aware of?

Jean-François Leduc: “Companies must be aware of their vulnerabilities, from both a technical and human standpoint.” 

Technical vulnerabilities are weaknesses in software, hardware, or one’s network that can be exploited. To find them, companies should perform regular vulnerability scans, and then they should apply patches or show mitigation plans to avoid future risk. For example, when you have an old technology in your stack that is no longer supported or updated, you should either replace it, disconnect it from the internet, or install a secondary tech to detect any potential threats. 

Human vulnerabilities really stem from a lack of awareness, knowledge, or skills that can make employees fall victim to social engineering. And there is only one solution for this: train, train, train! Organizations must foster a culture of cybersecurity awareness.

How can we counteract the risks associated with human error?

Jean-François Leduc: “The most important thing is to have your employees develop a cybersecurity reflex. Users should not react to stimuli on their phones, SMS, email, or any other communication channel without verifying the source and the content – it’s basic. When you receive an email that asks you to do something, like clicking on a link, opening an attachment, or providing information, you should always check the sender, the URL, the spelling, and the content. When in doubt, do not act recklessly. Do nothing. Better yet, if the email looks like it comes from someone you know, the best solution is to simply call them and ask if they really sent it.” 

This advice is especially important when the email claims to be from a bank, government, or any other institution. Instead of calling the number provided in the email, use the official number on their website or on your statements. Use two-factor authentication whenever possible. And, obviously, never give away your passwords, PINs, or codes to anyone. 

It seems so simple, but the best way to combat cyberthreats is to help these behaviors become second nature. In the 80s and 90s, we built so much awareness around drunk driving that today no one questions how wrong it is to drive under the influence. We need to get to the same place regarding our cyber hygiene.

What responsibility do organizations then have in changing our behaviors about data breaches?

Jean-François Leduc: “It’s their utmost responsibility to educate their employees and stakeholders on the importance of proper cyber hygiene. It’s the best defense. To begin with, they have a responsibility to protect their own data, as well as the data of their clients, partners, and suppliers. Data breaches have important consequences from a financial, operational, and reputational standpoint. By doing so, they will not only protect themselves, but also society at large.”

Did you know? Cybercrime Statistics!

• Cybercrime resulted in $27.6B in losses in the U.S. from 2018-2022.
• 25% of malware attacks target financial services companies.
• The average cost per data breach is 40% higher in finance.
• Data breaches in the financial sector have increased by 333% in five years.

How can GardaWorld help companies protect themselves from cybersecurity threats?

Jean-François Leduc: “GardaWorld is a global, security champion. Our expertise spans both physical and cyber security. When it comes to cybersecurity, our key role is to help companies assess, improve, and maintain their cybersecurity posture through assessments. For example, we can perform vulnerability scans and audits to identify and fix the gaps in your systems and networks.”

What is the role that physical security plays in preventing cybercrime?

Jean-François Leduc: “Physical and cyber security are linked at their core. Physical security measures are particularly important in preventing cybercrime, especially when it comes to social engineering. Protecting access to the perimeter of the premises where the systems and documents are found is key.” 

Criminal organizations can easily exploit physical vulnerabilities. They can have members that are working at cable companies, who can visit an office, and who exploit physical vulnerabilities, such as unattended devices. They can easily upload malware on an unwatched machine with a simple USB stick.

You have two responsibilities to avoid a data breach: protect your facilities and protect your systems. Yet, more importantly, it’s protecting the facilities where your systems are stored. That’s why the protection of data centers has become a core focus for financial institutions today. Here, physical security measures such as access control or visitor management, surveillance systems, and guard patrols are necessary to prevent cybercrime.

Speak to one of our experts today

Connect with Jean-François Leduc on LinkedIn