Canceling a school day can be a reason for students to celebrate, but that wasn't the case with Howard University on September 3, 2021. That's because the school was the victim of a cyber attack and had to suspend classes while it shut down its network to investigate the attack.

Howard University worked with the FBI and city officials to implement safety measures to protect the university's data. In the past, Howard University did require students to use two-factor authentication any time they logged in to access the university's servers. But after the attack, Howard University announced new password requirements [1] with resets and more complexity.

Howard University's stricter password requirements demonstrate that it's essential to keep clients educated about the latest cyber threats and how to protect themselves. Awareness and learning are valuable tools for clients, so they can get ahead of any potential threats.

Organizations need to make training engaging and help employees feel that they are part of the solution.

Nick Carozza, RPS area vice president

Find the Right Balance

Educating clients about cyber threats can be a delicate dance between ensuring they understand and not insulting their intelligence. Approach it as a transparent discussion where everyone should feel comfortable asking questions and sharing comments.

Here are five tips for educating clients:

  • Define the tech terms used for cyber attacks and cyber threats in simple terms and with no jargon.
  • Overexplain points, and use examples and supporting statistics to illustrate them.
  • Distribute printed follow-up materials, such as FAQs or a glossary, which can be used as a reference in the future.
  • Provide continuous education to clients so that cyber threats always stay top of mind. Offer to host webinars about the latest threats.
  • Send emails with reminders to update devices with security patches or with cyber news relevant to their industry.

Start Education With Employees

Chances are that your client's organization is not getting much help in the way of cyber education. A survey found that 61% of employees [2] who received cybersecurity training still failed a basic cybersecurity test. They also didn't understand the security risks of their behavior, with one-third of employees storing their passwords in their web browsers.

Adding to the problem is that your client's employees are most likely the source of their organization's cyber threats. According to Verizon's 2022 Data Breach Investigation Report, [3] human error was involved in 82% of data breaches (down 3% from the previous year). Of 317 IT decision makers that Forrester surveyed in 2021, [4] 61% believed human error would cause their company's next data breach.

"While the technology jargon can be daunting, a good place for agents to begin their cyber education is by becoming familiar with application language around topics such as MFA and RDP." — RPS 2021 U.S. Cyber Market Outlook

To help solve this issue, instill the importance of spreading cyber threat education across your client's entire organization. Show relevancy by customizing the information you share to your client's industry, business size, number of office locations, or devices used. Get into the weeds about what clients need to do to address these issues:

  • Why they need effective cyber training for all employees in all levels of the organization
  • What prevention methods they should have in place
  • Why it's essential to have an appropriate response plan when a threat is detected
  • Why they need a cybersecurity policy that should be updated as new threats emerge
  • What cyber insurance coverage should include for the best protection

Keep in mind that there's currently a shortage of cyber security professionals. Cyber Seek reports that, as of September 2022, the U.S. workforce has 1,091,575 cybersecurity professionals and 714,548 open jobs. [5] The gap globally is 3.5 million unfilled positions. [6]

The clients you speak with may not have teams available to implement some of your suggestions. Recommend ways that you could help them educate their teams in the absence of cyber security staff, such as making information available on their intranet.

Share Where Cyber Threats Are Today and How to Prevent Them

Cyber attacks against organizations fall into a few key areas. Stay up to date on these areas and share the latest news about potential vulnerabilities with your clients.

Phishing. The attacker sends a fraudulent message, usually via email, to trick the victim into revealing sensitive information or to click a link that deploys malicious software on the business's infrastructure.

Malware. Any software intentionally designed to cause damage to a computer, server, client, or computer network.

Ransomware. A type of malware that threatens to release a company's secure data or block access to it unless the company pays a ransom.

Distributed denial of service (DDoS) attacks. Multiple requests are sent to a company's website to overwhelm the website's capacity, preventing it from working correctly.

Man-in-the-middle attack (MITM). The attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other.

These are some simple ways that your clients can protect their businesses from cyber threats. Educate clients about how to take these steps and the consequences if they do not.

  • Have an incident response plan (IRP) in place, identifying steps you'll take in the event of a cyber incident. Test the plan regularly and make sure everyone knows their role.
  • Require that everyone use strong passwords and change them regularly.
  • Instruct employees to not share login information.
  • Back up all data off site. Segregate these backups from your primary network. Test the backups regularly to ensure you can restore data from them.
  • Implement multi-factor authentication (MFA) for all remote access, for access to backups, and on premises for privileged users.
  • Apply security patches as soon as they're available.
  • Restrict use of personal devices, known as Bring Your Own Device (BYOD).
  • Limit access to highly secure data to only essential employees.
  • Set up firewalls across the company, including home offices.
  • Secure Wi-Fi networks.

The simple fact is that many clients, especially small to midsize businesses, are simply unprepared for the complexity and scope of cyber challenges they may face. It's up to you as their agent to help keep them abreast of these risks and show them how to best position their operations and their coverages to keep their business safe from cyber attacks.

Sources

[1] "Ransomware Updates," Howard University, accessed 7 Sep 2022.

[2] Marousis, Athena. "Cybersecurity Training Lags, While Hackers Capitalize on COVID-19," TalentLMS, 6 Apr 2021.

[3] "2022 Data Breach Investigation Report," Verizon, accessed 7 Sep 2022. PDF file.

[4] "Take Control of Email Security With Human Layer Security Protection," Forrester, Oct 2021. PDF file.

[5] "Cybersecurity Supply and Demand Heat Map," Cyber Seek, accessed 8 Sep 2022.

[6] Morgan, Steve. "Cybersecurity Jobs Report: 3.5 Million Openings In 2025," Cybercrime Magazine, 9 Nov 2021.