Seemingly every day, we’re reminded that companies need to work harder to stay secure during a time where cybercrime is rampant and many organizations remain vulnerable to attack. I’ve recently been speaking to the press about what can and should be done to mitigate these risks. I hope the following questions and answers will help shed some light on some key problems many organizations face, and help you decide what’s best for your business.
What happens if an organization focuses too much on the technology aspect of security and not enough on people and process?
Unfortunately, an organization is only as strong as its weakest link – and in terms of security, employees are by far the weakest link.
Technology plays an essential role in any defense, but at the same time technologies cannot stop an employee giving their details out over the phone to someone they believe is from the IT department. And it cannot stop an employee using their corporate password for on their favorite social media sites or writing down their hard to remember passwords.
Relying purely on technology as an organization’s only form of defense is extremely short-sighted; failure is inevitable.
How often are companies attacked because of a vulnerability caused by employees or company processes?
It’s hard to put an exact number this. But from experience, I would suggest it’s a very high percentage. Why wouldn’t it be? Cybercriminals spend so much time, effort and money defeating a technology or defense when employees are such an easy target.
In terms of hackers getting in, the most common issues are misuse of social networking, weak passwords and password re-use, privilege creeping, malware and lack of system patching. But the real danger is employees being unaware of internal security policies or the ones that unfortunately do not care enough and are careless and complacent.
How can CIOs and CISOs go about strengthening their strategy around people and process to ensure cyberattacks aren’t successful?
There’s no magic wand. There’s an infinite number of initiatives that can be introduced to help mitigate risk, all at differing costs and complexity. In simple terms, it’s about completing comprehensive risk assessments, creating policies and understanding industry best practices, evaluating possible technologies, and then, implementing a solution. More than anything, the plan needs buy-in at all levels and needs an appropriate budget.
Training should always be at the heart of an organization’s security program as technology alone will not stand up against a motivated attacker. Everyone within the organization should be made responsible for the security of its assets.
It’s also vital that personnel understand the technologies they are asked to manage and monitor. The intelligence gathered by security systems needs to be understood, so when an attack occurs, it is detected at the first possible opportunity with the correct processes and procedures, then followed.
How can CIOs and CISOs approach internal training and education in regard to security?
Employee involvement is crucial for the success of an organization’s security strategy. Creating a security task force whose members rotate so each employee has eventually been part of the task force is a great way to get everyone involved. Each task force could have a ‘security champion’, who would be the person who identifies the most beneficial improvement to current security processes. This system encourages employees to think actively as well as creatively about security to improve the company’s security.
There is often a disconnect between what employees know they should do security-wise, versus what they actually do in practice. This is one of the most challenging parts of cybersecurity training and education. In these cases, businesses need to make sure it is clearly explained what is prohibited and why – using real world examples of the repercussions of not following procedure. What might seem harmless to an employee, like using an unsecure WiFi network, could cause a business serious problems further down the line.
There’s no point just preaching security, it should be made fun. It’s also important to understand if the information given has been taken in. This is where regular security tests play a vital role. Bad security practices should not be tolerated if appropriate training and guidance has been given. At the same time good security practices should be rewarded.
Can you provide an example of an organization that suffered a major cyberattack because their people and process strategy was not up to scratch?
The breach at Target Corp in late 2013 springs to mind for a number of reasons. It is understood the attack initiated at a third party vendor, an air conditioning subcontractor through a phishing email. User education with regards to the opening of emails may have been able to stop such an attack from escalating.
An assessment by security experts at Verizon noted that while Target had a password policy, it was not followed. A file containing valid network credentials was found stored on several servers, with weak or default passwords used on many internal systems.
It was also reported that many systems were found to be unpatched, something a patch management policy should have covered even after Target’s security systems warned of possible issues. No credible incident response plan was in place, as a Target statement at the time highlighted that after the company learned criminals had entered the network, the team decided it did not warrant immediate follow-up.
Do you expect to see people and process strategies around security improving this year?
Security is finally climbing up organizations’ agendas, so hopefully improvements around people and processes will continue to be made.
Communications and information flow between the organization and its employees is vital – the risks and potential consequences need to be understood by employees through continued user education. It’s arguably the most cost effective approach to improving the security posture of any organization.
However, cybercriminals only need to find one hole in the defense, whereas as security professionals, we have to secure all. It’s never going to be an easy task, but sound user education and relevant processes are now more important than ever and should never be underestimated.