I don’t have to tell everyone about the seriousness of cybercrime and its effect on our businesses. The striking thing about cybersecurity and cybercrime is that too much attention is often paid to the cyber part, and not enough to the security part. You could hand me 10 cybercrime cases and I could show you a host of human mistakes that were made.
Awareness Of Cybersecurity Issues. This is a non-technical article so we are going to talk mostly about the human side. Fortunately, the human side is where you can make the most difference anyway.
The most important thing to understand about awareness is this: your own awareness of individual cybersecurity issues as an executive matters somewhat, but the most important area of awareness is with your individual employees within their functional areas.
These employees are your first line of defense in most cases when there is a cybersecurity issue, because most cybersecurity issues begin before there is an attack. For example, I was working on a project several years ago with a large Fortune 500 company and they had locked areas within the secured campus. But it was very easy to obtain the combination for the lock from one of the employees inside of the locked area. It was all very casual. There was not an employee there who really understood the seriousness of this issue.
The damage to that company’s security could have been catastrophic. So the first place to start is to create awareness within your user community, your rank and file employees. They need to be empowered with the ability to spot and report any type of security problem, such as unlocked doors, passwords stuck to monitors on sticky notes, people telling each other their passwords, or fellow employees bringing in unauthorized computing devices. Essentially, the employees as a whole should undergo training on a regular basis on what to look for and how to report it.
You want to turn your employees from a source of risk for your company into your eyes and ears. The job is simple for each of them, but multiplied by the number of employees it multiplies your protective capability.
Understand Your Own Threat Environment. Concern about the Internet of Things, or IoT, and the threats to these devices’ security is rampant. So as managers you need to understand what you are dealing with. This requires regular and complete security audits of your environment. This is not something that should be done by your IT department; there is too much bias there. It should be done by a trusted third party. And if you want it to be truly effective, you need to keep these audits confidential and known to as few people in the company as possible. It is best to use a trusted advisor who can report to the executive level of the company. This advisor needs to be either a security services company or an individual security consultant or advisor. Areas of concern:
- Wireless networks as a whole
- Any wireless connected devices including IoT devices
- Unlocked or unorganized phone closets
- Employees talking on the phone with unknown persons about company sensitive information
- Employees taking company resources or information home
- A non-existent or incomplete set of cybersecurity policies and procedures
Success vs failure. I worked with a company a couple of years ago and they had put into place a very good IT security infrastructure. But the employees did not have very good security awareness. So they had the cyber part covered and not the awareness part. A hacker actually got into their building; maybe he knew someone on the inside. He then attached a wireless access point to an empty Ethernet port on the wall. Once he did this he had complete access to their network, and he connected wirelessly to their internal corporate network from outside the company. It would have been very simple for someone to ask: Who is this guy? Or why is this device sitting in this empty cubicle?
In another company I encountered an environment where the employee population had undergone security training and they had built a very simple and effective security regime. They were using a trust model of cybersecurity risk assessment. Everyone knew whom they could trust with what, and if they did not know, they had a security authority they could go to, to find out or to report incidents. It was a simple set of rules that could be followed by everyone, even the cleaning staff.
Awareness of our own vulnerability can be a particular area of concern. Always know where you stand. In order to do this, you need to be taking a preventive approach rather than a reactive one. This one involves strategy and your IT department. IT should be looking for ways to scan your threat environment in order to prevent attacks, not just waiting until the attacks occur so they can react to them. This is extremely important moving forward, as attacks are becoming more sophisticated and the need for a quick response is critical. The average time from a major breach until it is discovered is 4.5 months. Your IT department needs to be aware before the attack begins. That requires good alerting tools, as well as a set of policies and procedures in place to aggressively look for threats. If this cannot be done in-house, there are companies that can help with this, but it must be done. Taking these steps will greatly improve your cybersecurity posture.
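The rogue access point story above and the call for alerting tools here both come down to the same defensive question: does IT notice when something that is not on the asset inventory appears on the network? The following script is an added example written for this article, not code from the author or Cybercreed Consulting. It assumes a hypothetical, simplified DHCP lease log format and a constructed asset inventory; both are made up for the illustration. It raises two kinds of alert: a device whose hardware (MAC) address is not in the inventory, and a single switch port that suddenly carries several devices, which is what a consumer access point or hub plugged into a wall jack looks like from the wiring closet.

```python
import re
from collections import defaultdict

# Constructed asset inventory (hypothetical): MAC address -> description.
# In a real environment this would come from the asset register or NAC system.
AUTHORIZED_DEVICES = {
    "00:11:22:33:44:55": "Finance workstation FIN-014",
    "00:11:22:33:44:66": "Printer PRN-03",
}

# Constructed sample log lines in a hypothetical DHCP/switch log format.
# Three unknown MACs show up on the same port within a minute.
SAMPLE_LOG = """\
2023-05-01T09:12:03 dhcp lease 10.20.3.14 mac=00:11:22:33:44:55 port=Gi1/0/12
2023-05-01T09:13:40 dhcp lease 10.20.3.77 mac=aa:bb:cc:dd:ee:01 port=Gi1/0/31
2023-05-01T09:14:02 dhcp lease 10.20.3.78 mac=aa:bb:cc:dd:ee:02 port=Gi1/0/31
2023-05-01T09:14:05 dhcp lease 10.20.3.79 mac=aa:bb:cc:dd:ee:03 port=Gi1/0/31
"""

# Parser for the hypothetical log format above (assumption, not a real vendor format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) dhcp lease (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"mac=(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) port=(?P<port>\S+)$"
)


def parse_leases(log_text):
    """Return one dict per well-formed lease line; malformed lines are skipped."""
    leases = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            leases.append(match.groupdict())
    return leases


def find_alerts(log_text, inventory=AUTHORIZED_DEVICES, max_macs_per_port=1):
    """Flag devices missing from the inventory and ports carrying too many devices."""
    alerts = []
    macs_by_port = defaultdict(set)
    for lease in parse_leases(log_text):
        mac = lease["mac"].lower()
        macs_by_port[lease["port"]].add(mac)
        if mac not in inventory:
            alerts.append({
                "kind": "unknown_device",
                "ts": lease["ts"], "ip": lease["ip"],
                "mac": mac, "port": lease["port"],
            })
    # An office wall jack normally serves one desktop; several MACs behind one
    # port usually means an unmanaged switch or access point was plugged in.
    for port, macs in sorted(macs_by_port.items()):
        if len(macs) > max_macs_per_port:
            alerts.append({
                "kind": "multiple_macs_on_port",
                "port": port, "count": len(macs), "macs": sorted(macs),
            })
    return alerts


def summarize(alerts):
    """Human-readable lines suitable for a ticket or an on-call message."""
    lines = []
    for a in alerts:
        if a["kind"] == "unknown_device":
            lines.append(f"{a['ts']} unknown device {a['mac']} ({a['ip']}) on port {a['port']}")
        else:
            lines.append(f"port {a['port']} carries {a['count']} devices: {', '.join(a['macs'])}")
    return lines


if __name__ == "__main__":
    for line in summarize(find_alerts(SAMPLE_LOG)):
        print(line)
```

The point of the example is the process, not the script: an alert like this only helps if someone owns it, walks to the cubicle, and asks the question the article raises, "why is this device sitting here?"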
Jerry Hutcheson is owner of Cybercreed Consulting.