An employee receives an email consisting of a brief, compelling call to action — something like “Was this what you were talking about?” Recognizing a coworker’s name in the “from” line, the employee clicks on a link without a second thought ... and heads straight to a phishing site designed by hackers to gather sensitive information.

Because of this scenario and similar cyber attacks, many of today’s most difficult security challenges fall under the rubric of “human nature.” Andy Daudelin, vice-president for Cloud and Cloud Networking at AT&T, says that’s why “It’s essential that companies make things virtually effortless for their employees.”

While technology can help in the form of easily deployed, user-friendly security solutions, employees also need education on security policies and the need for compliance — especially since they increasingly are under cyber attack.

Social Engineering in the Social Media Age

Today, every employee with a company-issued email address is only a click away from a potentially catastrophic security breach. Everyone from office staff in corporate HQ to road warriors checking email in coffee shops halfway around the globe is vulnerable to social engineering. Every employee is on the firing line.

That’s because spear phishing and other attacks allow cyber criminals to gain sensitive personal information, such as user IDs and passwords, and even physical addresses and social security numbers, through channels victims trust. Spear phishing attacks use employee data previously gathered via social media or preceding breaches to sharpen the tip of the spear, and can be highly effective.
In a recent study, cybersecurity solutions provider PhishMe found that spear-phishing attacks are the root cause of 91% of all major security breaches.

Once a victim is induced to click a link in an apparently friendly email, link shorteners or embedded links redirect victims to web pages visually indistinguishable from their legitimate counterparts, with the only evidence of fraud buried in a nondescript URL at the top of the browser window. From there, unsuspecting users may be induced to release information.

The most effective phishing schemes create a sense of urgency, pushing victims to click first and think later. Ironically, some phishing schemes piggyback on recently publicized security breaches, urging users to download updates or type in passwords to secure a system or account. The employee’s well-intentioned response backfires as he or she executes malware inside the company firewall, or reveals personal and company information.

Searchable public social-media profiles can provide hackers with most of the raw information needed to initiate socially engineered attacks without ever setting foot inside a company’s offices. Public-facing org charts with enumerated roles and responsibilities, social-media accounts including family member and coworker names, and other personal information are public and searchable, helping cybercriminals impersonate trusted individuals and create those security-breaching clicks.

New Complexity, New Vulnerabilities

The adoption of bring-your-own-device policies and cloud services presents additional security challenges. According to Skycure’s 2016 Mobile Threat Intelligence Report, as much as one-third of mobile devices present a medium-to-high risk of exposing sensitive corporate data. More than one in five uploaded documents may contain sensitive information.
While protected in transit, only 9.4% of this data is encrypted when at rest on cloud servers, creating new opportunities for hackers to steal data using stolen credentials.

Keeping on top of the many file-sharing services and mobile applications in play also presents constant challenges for IT managers, as they work to balance security with the ever-increasing flexibility demanded by modern work environments.

The increasing strain placed on IT security professionals and managers, along with the multi-front warfare waged by cyber attackers on everyone in organizations large and small, means every employee must become every organization’s first line of defense.

Meeting the Challenge: Cyber Security as a Shared Responsibility

Managing the complexity of the typical enterprise’s more than 30 different security products often requires the participation of frontline employees, who now are called on to be vigilant as they never have before.

Yet in the face of rapidly evolving cyber threats, a recent survey of 287 U.S. IT professionals by IDG publications Computerworld, CIO, and CSO found that 56% of companies reported not having updated their information security models in the last three years. Many IT managers admit to feeling outmanned and outgunned by the growing hacker armies.

As the lone-wolf hacker is supplanted by well-funded teams supported by governments or other organizations, the need for engagement by every connected employee within the enterprise becomes critical. Employee security education often becomes the logical choice to defend and prepare complex networks for effective responses to these new security threats.

“As the bad actors continue to become more creative and advanced in their attack methods, we will be doing the same with our identification and defenses to help mitigate whatever they’re doing,” says Alex Cherones, director of Threat Security Solutions at AT&T.
“It’s a game of cat and mouse.” That means even employees not traditionally associated with IT security must do their part.

Clearly, the rapidly evolving security challenge is too big to be addressed by any single team or single stakeholder within the enterprise. With that in mind, involving everyone in an enterprise who may be affected by a cyber attack, and developing and practicing incident-response procedures to cope with the inevitable breaches to come, have become keys to information security best practices.

Proper incident response requires all hands on deck in the form of cross-functional teams, including input from the C-suite, IT, security, legal, and others across the organization, as well as partners and vendors. This incident response must be drilled and tested to determine its effectiveness and improve the ability to mitigate risk.

“Hackers and vandals are now so sophisticated, it’s nearly impossible for individuals to spot and stop threats,” says John Donovan, chief strategy officer and group president for Technology and Operations at AT&T. “The network itself must become a security tool.”

In short, to err is human, but to protect and prepare is divine.