“You have four weeks to create strong cybersecurity habits in a business with 500+ employees. What would you do, and why?”
Granted - such a request “may indicate a big problem in [the board’s] understanding of security,” as Fred Scholl (Monarch Information Networks) points out below, because in this scenario, “[t]he CISO has failed to proactively educate leadership.”
We posed the question to our circle of InfoSec Luminary Lineup contributors anyway. Nothing focuses the mind like a deadline.
Jordan McQuown, CIO at LogicForce Consulting, writes in response: “[U]ser awareness, reinforcement and training are key to improving security habits.” So how do we get there, fast? Jordan reminds us that “[t]ypical attackers are looking for easy targets” - and provides ample advice on how to frustrate their plans.
Richard Caplan (LeClairRyan) points out the importance “to clarify the rules and responsibilities” in such a concerted effort. And like Jordan McQuown, Joseph Raczynski (Thomson Reuters Legal) urges CISOs to create teachable moments: “Companies need to phish their own employees.”
Steve Durbin, Managing Director of the UK-based Information Security Forum (ISF), includes a warning in his contribution. Given the time restraints in this scenario, he writes, “[l]ooking for a silver bullet will be a waste of time.”
Steve advises stepping back to understand the bigger picture first, then “let risk drive the solution.” His “Ten tips on how to make cybersecurity a habit on a deadline” round out this InfoSec Luminary Lineup.
Tip #4 on his instructive list below is our favorite. Why? Because Silo, the browser-as-a-service for the secure enterprise, was built for this purpose.
Employee training will only go so far. We developed Silo to keep employees safe and productive, without security tradeoffs, and their business and personal data secure, when they access the web.
Global financial service providers, leading law firms (download this whitepaper [PDF] from SlideShare) and some of the largest federal agencies use this secure virtual browser because its unique patented technology keeps their local IT completely insulated from all those web-borne exploits that regular (local) browsers are exposed to when employees access the web.
Find out more about Silo and how it works here: Why a Virtual Browser is Important for Your Enterprise.
Interested in contributing to future InfoSec Luminary Lineup discussions? Contact us using the form at the bottom of this page, or one of the links at the top.
“Create an Environment of Trust” (Jordan McQuown)
To build a strong cyber awareness program, you first have to take a few steps back and understand the information, systems, and users you are trying to protect.
Without a clear understanding of the potential threats, information assets and the extent of user activities and their proclivities, it is impossible to establish a baseline with a correlating and meaningful budget.
My teams often encounter companies that allocate significant spend on information security threat prevention with minimal budget allocation to detection and awareness.
Determining a baseline for end users should include the applications used in the organization, including file sharing applications, email activity, instant messaging apps, etc.
Lack of transparency in the corporation’s network can lead to data exfiltration and result in threats going undetected. At this point, SIEM (Security Information and Event Management) or other log aggregation methods should be used to gain perspective of web traffic, application traffic, DNS monitoring, sign-on and sign-off events, etc.
The implementation of appropriate prevention and detection tools with associated techniques requires an understanding of historical patterns. After identifying the systems, architecture, and user baselines, putting a written security policy in place with executive support is imperative.
Password policies without follow-through result in apathy and complacency
We often see clients with very strong information security policies with little or no actual implementation, let alone ongoing modernization. This disparity often leads to widespread apathy, which in turn leads to increased systems vulnerability.
A prime example is password policies. Often we see password policies requiring 12-character passwords with complexity requirements, which is a good starting point - in theory.
Practically, users in the same organization were never forced to change their passwords. They may have used the same passwords since they were hired - which can predate the password policy.
This example illustrates that user awareness, reinforcement and training are key to improving security habits going forward.
Potent tool: practical pranks - with a serious message
One effective method to create and raise awareness is through mock spear phishing campaigns. This kind of security exercise can include everything from sophisticated plugins trying to trick your users, to sending generic emails and monitoring who responds.
Users who continue to fail such tests need to undergo mandatory user training. While this method doesn’t guarantee prevention of a more sophisticated hack in the future, typical attackers are looking for easy targets. They will move on when they encounter properly trained users who don’t fall for the scam.
Nobody wants to fall victim to a data breach. So why do cybersecurity incidents still make headlines every day?
In my experience, one major hurdle for creating stronger security habits is that most users don’t understand the (technical) consequences of their actions.
As a best practice for companies who want to overcome that hurdle, I recommend ensuring that awareness campaigns highlight the risk and practical impact of security policy violations.
IT security pros need to create an “environment of trust”
On average, it takes more than six months before a data breach is detected. If we can get users to promptly notify IT about suspicious activity, this would enable us to prevent or certainly contain a breach.
What does it take? I think we as security practitioners need to create an environment of trust that allows users to bring forward their potential mistakes without embarrassment.
Information security programs that do not combine all of the aspects above will fall short. It’s just not enough for companies to pay for security hardware, write the best policy, or have extensive awareness training.
Weakness on any of these fronts will eventually lead to compromised systems and data.
That’s why it’s extremely important that the first step taken is to understand the potential threats, what needs protecting, user norms, and baseline the security posture of the company.
Misunderstanding or assuming incorrectly on any of these fronts will lead to incorrect spending of either capital or human capital, which will undermine the corporate security stance.
Jordan McQuown (LinkedIn: https://www.linkedin.com/company/logicforce-consulting-llc) is the Chief Information Officer at LogicForce Consulting. He has over 13 years of experience in the field of information technology and has consulted with numerous law firms in the areas of litigation support, electronic data discovery, and Information security practices. Jordan has conducted CLE presentations on eDiscovery, Information Security, and Litigation Technology for state and local seminars. Jordan received his degree in Computer Networking from Pennsylvania College of Technology. He holds certifications including CISSP and from the Global Information Assurance Certification/SANS Institute including GSEC, GCIH, GCFA. He is also an iConnect Certified Administrator, and NUIX certified eDiscovery specialist. He has also held certifications from Microsoft, Cisco, and VMWare.
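The password example above is easy to check mechanically. Added example, not code from the contributor or from LogicForce: a small audit over a constructed directory export that flags accounts whose password was set before the policy took effect, has outlived the rotation interval, or is still the onboarding password. The policy dates, the audit date and the account records are assumed values.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy parameters for this example; take the real ones from the written policy.
POLICY_EFFECTIVE = datetime(2016, 1, 1, tzinfo=timezone.utc)  # date the 12-character rule took effect
MAX_PASSWORD_AGE = timedelta(days=90)                         # rotation interval the policy demands
AUDIT_DATE = datetime(2018, 1, 15, tzinfo=timezone.utc)       # "now" for this constructed run

# Constructed directory export (not real accounts). Only metadata such as the
# password-last-set timestamp is needed; no password material is involved.
SAMPLE_ACCOUNTS = [
    {"user": "alice", "hired": "2014-03-10", "pwd_last_set": "2014-03-10"},
    {"user": "bob",   "hired": "2017-06-01", "pwd_last_set": "2017-12-20"},
    {"user": "carol", "hired": "2015-11-02", "pwd_last_set": "2015-11-02"},
    {"user": "dave",  "hired": "2016-05-09", "pwd_last_set": "2016-05-09"},
    {"user": "erin",  "hired": "2013-01-01", "pwd_last_set": "2017-09-01"},
]


def _day(text):
    """Parse a YYYY-MM-DD string from the export as a UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def audit_accounts(accounts, now):
    """Return {user: [findings]} for every account that does not meet the policy."""
    findings = {}
    for acct in accounts:
        set_at, hired = _day(acct["pwd_last_set"]), _day(acct["hired"])
        issues = []
        if set_at < POLICY_EFFECTIVE:
            # Chosen before the rule existed, so it was never checked against it.
            issues.append("predates_policy")
        if now - set_at > MAX_PASSWORD_AGE:
            issues.append("expired")
        if set_at == hired:
            # Still the password issued at onboarding.
            issues.append("never_changed")
        if issues:
            findings[acct["user"]] = issues
    return findings


def summarize(findings, total_accounts):
    """Count each finding type and the share of accounts with any finding."""
    counts = {}
    for issues in findings.values():
        for issue in issues:
            counts[issue] = counts.get(issue, 0) + 1
    return {"counts": counts, "noncompliant_share": len(findings) / total_accounts}


if __name__ == "__main__":
    result = audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE)
    for user, issues in sorted(result.items()):
        print(f"{user}: {', '.join(issues)}")
    print(summarize(result, len(SAMPLE_ACCOUNTS)))
```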
“Consult With HR Leadership in Your Organization” (Dr. Fred Scholl)
If the board makes this request, it may indicate a big problem in their understanding of security. The CISO has failed to proactively educate leadership.
The alternative is that a breach just took place. Strong cybersecurity habits can't be developed in 30 days in companies of 500+ people. A firm of this size will have at least three levels of management.
Some people will be working remotely. Some will be contractors. Some will be traveling overseas.
So the new cybersecurity message can't even be transmitted to employees, let alone followed. The situation would be different in a smaller firm of, say, ten people, where a new message and practices can be set up in this time frame.
In a large organization, you’ll need more time.
This request reminds me of the 30-day "cybersecurity sprint" launched by the White House after the 2015 OPM breach. You can read up on the one-year-later results here: One Year After OPM Breach, Federal Cybersecurity Continues to Struggle.
My take is that the results from the 30-day sprint were not so good. But if the board makes this request, you need to provide some answers.
To do that effectively, you need to understand the problem. The underlying issue is not a security problem.
It’s an organizational change problem.
To solve it, you need to put on a different hat and consult with HR leadership in your organization.
Is there another ongoing organizational program you can learn from? If not, you can consult with books like "Leading Change," a classic by John Kotter.
Professor Kotter laid out an eight-step program for change, which I will summarize and apply to security:
- Establish a sense of urgency. Something is driving the board’s request. You should key off of that.
- Create a guiding coalition. You need to get a cross-functional group behind your initiatives.
- Develop a vision and strategy. The vision part should spur people to action.
- Communicate the change vision. Again, you should be working with HR to get the message out.
- Empower broad-based action. Find out what is inhibiting people from supporting your program across the company.
- Generate short-term wins. You need concrete accomplishments before the next board meeting.
- Consolidate gains. Expand out from your short-term wins.
- Anchor approaches in the culture. This can take months or years, but is the result of steps 1-7, done well.
I believe this method will make cybersecurity a solid habit in your organization.
“Clarify the Rules and Responsibilities” (Richard Caplan)
Before I know where things need to go, I need to know where things are.
I would begin by reading everything about the company as well as reading everything the company had put in writing on the subject (whether communicated to employees or not), assessing cyber pressure points and risks, and interviewing top technology and cybersecurity officials regarding ongoing programs, training, and communication with staff.
Next, I would execute a simultaneous “inside-outside” strategy.
Regarding the “inside” part, I would make arrangements to get in front of every employee at the firm. Conducting 500 individual meetings in four weeks borders on the impossible, so it would likely be meetings with groups.
This way, we make sure everybody knows how seriously the company takes this issue, and help employees understand both what is at stake and what can be done - really, what they must do - to minimize risk. I would also implement interactive training on how to react to certain cyber risk scenarios.
For the “outside” part, it is important to vet all risks posed by third parties such as vendors, contractors, and suppliers. There must be robust tools in place to address any risks from such entities. I would want to clarify the rules and responsibilities for all internal and external actors involved.
Richard B. Caplan (LinkedIn: https://www.linkedin.com/in/richard-caplan-bb4966b1) is a litigation associate with LeClairRyan in the firm’s Atlanta office. Richard practiced law in New York City for five years and clerked in Washington, D.C. for Judge Robert L. Wilkins on the United States District Court for the District of Columbia and then in Atlanta for Judge Beverly B. Martin on the United States Court of Appeals for the Eleventh Circuit.
The Trifecta of T’s in CybersecuriTy: Technology, Training & Testing (Joseph Raczynski)
Technology: First the organization must have everything in place within its technology infrastructure. Prior to any employee using the network, they must know that they are entering a safe and secure environment.
All reasonable and standard security protocols should be in place at a bare minimum. All patches completed, logs reviewed, firewall maintained, software tested and policies kept and monitored strictly.
Training: Each employee has to go through training about safety. We are the weakest link. Education revolves around what to click on and what to avoid.
The training must be educational and interactive. To develop and reinforce better cybersecurity habits, lectures on this subject should be complemented with active engagement and real-life scenarios.
Employees also have to understand the grander corporate picture and how it can affect the business – and ultimately them and their employment.
Testing: Industry observers say that the average phishing attack costs a business $1.6 million. These clicks have consequences. Business must take this threat seriously.
Phish your employees
Companies need to phish their own employees. The vast majority of hacking attacks on a business start with emails and with employees clicking on links they should not touch.
If you test your employees and find out that they are still clicking on dangerous links, it gives you an opportunity to adjust your training or give that person more tailored education.
And if the testing reveals an individual continues to click on phishing emails, you should find them a new role outside of your organization.
Joseph Raczynski (Twitter: @joerazz) is an innovator and early adopter of all things computer related. His primary bent is around the future of law and legal technology in several fields including machine learning, mobile, security, cryptocurrency, and robotics (drone technology). Currently, he is with Thomson Reuters Legal managing a team of Technical Client Managers for both the Large Law and Government divisions. Joseph serves the top law firms in the world consulting on legal trends and customizing Thomson Reuters legal technology solutions for enhanced workflows.
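Both Jordan McQuown and Joseph Raczynski recommend tracking who keeps failing internal phishing tests. Added example, not code from either contributor: scoring a constructed results export from a simulation run into per-campaign click and report rates, then triaging repeat clickers for training while listing the people who reported the lure. The event names, the export layout and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed results export from a phishing-simulation run (sample data, not real users).
SAMPLE_RESULTS = """\
campaign,user,event
2017-Q1,alice,delivered
2017-Q1,alice,clicked
2017-Q1,bob,delivered
2017-Q1,bob,reported
2017-Q1,carol,delivered
2017-Q1,carol,clicked
2017-Q2,alice,delivered
2017-Q2,alice,clicked
2017-Q2,carol,delivered
2017-Q2,carol,reported
2017-Q3,alice,delivered
2017-Q3,alice,clicked
2017-Q3,carol,delivered
2017-Q3,carol,clicked
"""

TRAINING_THRESHOLD = 2    # clicked in this many campaigns: mandatory training (assumed value)
ESCALATION_THRESHOLD = 3  # still clicking after that: escalate to management (assumed value)


def parse_results(text):
    """Group the export into {campaign: {event: set(users)}} for the events we score."""
    per_campaign = defaultdict(lambda: {"delivered": set(), "clicked": set(), "reported": set()})
    for line in text.splitlines()[1:]:  # skip the header row
        campaign, user, event = line.split(",")
        if event in per_campaign[campaign]:
            per_campaign[campaign][event].add(user)
    return dict(per_campaign)


def campaign_rates(per_campaign):
    """Click and report rate per campaign, relative to the emails delivered."""
    rates = {}
    for name, b in sorted(per_campaign.items()):
        delivered = len(b["delivered"]) or 1  # avoid division by zero on an empty campaign
        rates[name] = {"click_rate": len(b["clicked"]) / delivered,
                       "report_rate": len(b["reported"]) / delivered}
    return rates


def triage(per_campaign):
    """Sort users into training, escalation and reporter lists from repeat behaviour."""
    clicks = defaultdict(int)
    for b in per_campaign.values():
        for user in b["clicked"]:
            clicks[user] += 1
    return {
        "training": sorted(u for u, c in clicks.items() if TRAINING_THRESHOLD <= c < ESCALATION_THRESHOLD),
        "escalate": sorted(u for u, c in clicks.items() if c >= ESCALATION_THRESHOLD),
        # People who reported the lure are the behaviour to reward, not punish.
        "reporters": sorted({u for b in per_campaign.values() for u in b["reported"]}),
    }


if __name__ == "__main__":
    data = parse_results(SAMPLE_RESULTS)
    print(campaign_rates(data))
    print(triage(data))
```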
“Think Three or Five Years Ahead for Lasting Change” (Steve Durbin)
One of the first things people turn to when looking for guidance on implementing best practice in information security and governance is standards.
The issue we face right now is not that standards aren't available. If anything, there are too many of them, and they probably cannot keep up with the rapidly changing use of cyberspace or its threat landscape.
The result is that there are more than 50 different information security standards around the world – most of which, with one or two exceptions, are being developed and promoted in separate silos. This stands in the way of real progress and has created fog and confusion.
Still, selecting the right standard is the first step in the process of building cyber resilience and better cybersecurity habits. How do we develop suitable levels of cyber resilience that are based on actual levels of risk, without constraining day-to-day operations?
In the current resource-limited environment particularly, risks and regulatory requirements determine how organizations need to implement cyber resilience. To do so successfully requires involvement of every discipline within an organization, its partners and stakeholders.
Assemble multidisciplinary teams
A coordinated approach is needed - led by senior business leaders, preferably the chief executive or chief operating officer, certainly a board member.
Organizations need to coordinate with customers, suppliers, investors, the media and other stakeholders. This will enable the organization to prepare and respond to events that are impossible to predict.
To build cyber resilience, governance with board-level support for monitoring cyber activities is essential. This includes monitoring partner collaboration and the risks and obligations in cyberspace.
Organizations need to have a process for analyzing, gathering and sharing cyber intelligence with stakeholders. They also need a means to assess and adjust their preparedness and resilience to the impacts from past, present and future cyberspace activity.
Furthermore, organizations should partner internally, sharing knowledge of risk and best practice across business units and functional groups.
Let risk drive solutions
In the scenario where you have a tight timescale to create strong defensive habits across a sizeable organization, where the focus is on delivering results, will you have the luxury of time to investigate the most appropriate standards and secure the organization-wide support required to make cyber resilience a way of corporate life?
Perhaps not. Looking for a silver bullet will be a waste of time – behaviors across an organization don’t change overnight.
Instead, let risk drive solutions. Ensure each solution has a direct link to business requirements and addresses one or more risks.
With a realistic timescale in mind, plan in detail to meet the short term goal, but think three to five years ahead for lasting change.
Ten tips on how to make cybersecurity a habit on a deadline
Use the following ten principles to kick start your program to build robust cybersecurity habits on a tight schedule:
- Form a strong baseline and measurement criteria based on risk as a starting point.
- Embed positive behaviors: Promote and value behaviors that facilitate people playing an essential role in strengthening organizational resilience. Enable people to recognize key moments and make the right decisions.
- Continue to look for alternatives: Challenge complex systems or cumbersome processes rather than forcing behavior change to accommodate them. Strive to ensure that new systems and processes are as simple and user-friendly as possible.
- Empower people: Win hearts and minds through trust, motivation and empowerment.
- Position people to make information security a critical element of “how things are done around here.”
- Aim for ‘stop and think’: Prepare people to make the right decisions – or to know when to consult: if everyone stops and thinks at key moments, the battle is won. Do not attempt to train people for all occasions – it’s impossible in today’s business environment.
- Move from ‘tell’ to ‘sell’: Design persuasive solutions which are tailored to the risk profile of segmented audiences. Recognize that ‘one size fits all’ solutions typically fail to engage everyone on a personal level.
- Tap into the right skills: Identify and deploy expert skills to define and implement solutions which are distinctive. Ensure the longevity of the program through a strong brand and identity.
- Identify and integrate champions into efforts: Identify a network of information security champions from the business to help introduce and sustain positive information security behaviors. Ensure the champions are trained and prepared to take on their role with confidence.
- Hold people accountable: Reward good behaviors. Address unacceptable behaviors constructively – in the same way as any other sub-standard performance.
Through the adoption of a realistic, broad-based, collaborative approach to cybersecurity and resilience, senior management and information security professionals will be better able to understand the true nature of cyber threats and respond appropriately.
Steve Durbin (on Twitter: @SteveDurbin) is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cybersecurity and the emerging security threat landscape across both the corporate and personal environments. Steve has considerable experience working in the technology and telecoms markets and was previously senior vice president at Gartner.
PS: Would you like to be included in future InfoSec Luminary Lineup discussions? Connect with us through one of the links at the top of this page or use the comment form below.
Check out these recent InfoSec Luminary Lineup discussions on the Authentic8 blog:
- How Can Companies Balance IT Security and Personal Web Access at Work?