With each highly publicized data breach or cyberattack, it becomes increasingly evident that businesses can’t sit back and hope their security strategy is strong enough to withstand an assault. Something needs to be done sooner rather than later – and you need the support of your employees.
Why employees are hesitant
You can design a thorough, comprehensive cybersecurity strategy that protects your business from all major threats and weaknesses, but all of your efforts are futile without the support and cooperation of your employees. They’re the engines that make the entire operation run. Without them, you’ll find it impossible to execute to the degree that’s necessary to be successful.
Unfortunately, employees aren’t always immediately willing to buy into a new security strategy. Their hesitancy is usually rooted in three underlying factors:
- Lack of awareness. Sometimes employees simply don’t understand the need for greater security. As such, they view any new rules or changes as unnecessary and a waste of resources.
- Inconvenience. Even when employees do understand the need for advanced cybersecurity, they can be hesitant to adopt new solutions that are inconvenient on the user side of things.
- Resistance to change. One of the major underlying factors is a resistance to change. People generally prefer to maintain the status quo and will do whatever they can to avoid significant change.
In order to get employees to buy into a new security strategy, you’ll have to identify which of these factors are in play and overcome them through careful execution.
How to get employees on board
Getting employees on board with your new security strategy isn’t a challenge to take lightly. However, here are some simple steps you can take:
1. Help employees understand why.
Employees don’t always have the same level of understanding about security issues that you possess. It’s not something they have to worry about on a daily basis, so it doesn’t seem like a pressing issue. It’s your job to make them understand why it’s important.
Two-factor authentication (2FA) is a great example. Initially, employees won’t like the idea of having to perform two steps in order to log in – understandably so. But you can help them understand why it’s necessary.
InMyArea.com explains it like this: “2FA is your last line of defense and a very good one at that. Should a hacker compromise your unique password, they still would not gain access unless they had your cellphone and could receive the 2FA unique code.”
Sometimes an explanation is all that’s needed. Take the time to explain why you’re implementing changes and what value it yields the business and its employees.
2. Cast a vision.
In conjunction with explaining why new security measures are needed, you also need to lay out a vision that helps them connect the dots.
“Clearly state what is changing and why. Show employees where you are today and where you intend to be tomorrow,” entrepreneur Lindsay Broder writes. “Make sure you show them why this matters to the organization, how it will positively impact their careers and how you plan to measure success.”
3. Implement the right training.
The best type of training happens when employees are able to participate, as opposed to being subjected to classroom learning and lectures that are difficult to grasp.
The training portion of your implementation is arguably the most important piece. Take it seriously and develop exercises and practices that teach them how to handle specific situations that they’ll encounter on a regular basis.
4. Follow up.
After implementing your new security strategy, there has to be some follow-up. In other words, you need to gather feedback, analyze data, and address how change is happening on both a micro and macro level. Anything that isn’t adding up will need to be changed, optimized, or refreshed.
Get the ball rolling
Don’t underestimate the importance of having support from the bottom-up. You can’t implement a successful cybersecurity strategy without getting your employees to fully buy in. By focusing on their hesitancies and resistance, you can improve adoption and enjoy a smoother roll-out.
What will you do?
Editor’s note: For more insights on this topic, see research from ISACA and CMMI Institute on building cybersecurity culture.
I recently took to LinkedIn to air my views on one of the most talked-about topics in the world of tech: the cybersecurity skills gap. The skill gap is often discussed in urgent terms and, given my job as a cybersecurity recruiter, I see how it plays out in practice. But information security is a broad discipline, and I think we need to be more specific when we talk about a “skills gap.” I believe the genuine talent shortage is in hands-on areas, like application security and DevSecOps.
Last year, Forbes released an article stating that the cybersecurity skills gap is an “industry crisis.” As attacks get worse and more commonplace, it noted that companies need cybersecurity professionals more and more. But because of a perfect storm of scarce skills and high demand, security jobs come with a high salary, meaning that businesses not only struggle to find the right people, they have to pay top dollar to get them.
All of that means that cyber-criminals are having a field day, as the article illustrates. Attackers take advantage of ill-prepared companies, knowing that they are likely to be successful. It’s clear that the industry does need to improve, for the sake of customers and businesses alike.
And to do that, we need good people, with the right skills. The industry has known for a while that those people are not easy to come by – there are simply not enough of them. There are a lot of reasons for that shortage, and it’s worth bearing in mind that it’s not the easiest industry to work in; the stress of the work means that mental health issues are rife.
But I think that it’s not enough to say that we need to “fix the skills gap.” We need to delve deeper into where that gap actually is, how it comes about, and what we can do to fix it.
In my view, the really hard-to-find people are professionals with hands-on experience, who can competently throw themselves into application security and DevSecOps teams. As I wrote in my original LinkedIn post, these are areas where you may actually have to get your hands dirty, not just consult on what should be done.
From my experience in the cybersecurity recruitment industry, I think this gap exists because the most common route into technical AppSec is through a programming background. The job requires people with the right technical skills as well as a security-focused mindset, creating a hard-to-find niche. With hands-on roles, you need to be technically proficient as well as be able to understand and integrate security into the work. That’s not an easy thing to find.
A few industry insiders got in touch to give me their views on this problem. For Allan Degnan, DevSecOps/Security lead at Dixons Carphone, it remains about the people. By giving security staff opportunities to progress while remaining in a technical role, those talented people will be able to achieve the personal success that they want, while remaining in the technical positions that they enjoy and have trained for, rather than having to become managers.
Mario Platt, director of cyber security at Broadlight, told me that it’s about getting non-technical people comfortable with “actually touching tech” – and to do that, they need to be given the space to fail, he said.
What we don’t need are more consultants. Security consultants, of course, are valuable contributors to the cybersecurity world. But for now, we need to roll up our sleeves, and dig into addressing the skills gap in targeted fashion.
My first job in security – and in fact my first job out of school – was for a biometrics company. There were a lot of upsides to that job: the work was fun, the engineers talented (most of us fresh from school), and we had a cool project to work on. There were some downsides, too, though. For example, it left me with a skepticism of practical biometric applications – at least when it came to actually using them myself.
Don’t get me wrong, I was still an avid follower and fan of biometrics technology for years; I piloted it, deployed it, advocated it, etc. But for years – even decades – after that first job, I absolutely refused to use it. That may sound surprising from someone directly responsible for building and deploying the technology, but I think when you hear the reasons, you’ll understand why.
Specifically, the company I worked for was a startup. As anybody who’s worked for a startup can attest, budgets can be thin – and, as a result, when it came time to create marketing materials, we used an unmodified image capture of my right index finger as part of the marketing push. You know how you’ve seen biometrics companies sometimes use a fingerprint as part of their logo or on marketing glossies? Well, the image our company used just happened to be my fingerprint. To this day, if you know where to look, you can still find it; I won’t tell you how, but trust me when I tell you it’s still out there. My fingerprint was on the website, on marketing glossies, was shown on live TV, and was on business cards.
One thing that publicly advertising a high-res image of your fingerprint will do to you is make you nervous about how it might be misused. For example, I knew exactly how someone could inject that image into our system (or systems like it) and trick the system into logging you in as me. Having done exactly that routinely (for testing and QA purposes), I knew it was possible – even likely.
Adding to the skepticism was the fact that the engineering team I worked with came up with a few additional techniques to spoof the system. For example, the readers we used employed a smooth, glass platen (almost never done nowadays for authentication systems). It would sometimes – about a quarter of the time – retain a film of oil on the platen exactly conforming to the fingerprint ridges of the last scan. Properly shaded and with some dust or ground pencil lead, you could use this oil to trick the camera into thinking it was a legitimate capture. “Liveness detection” was an option of course, but frankly it was so “persnickety” (would increase the false reject rate so much) that nobody used it in practice.
The changing of the threat model
The reason I’m telling you all this is that something happened subsequently that I think is illustrative of an important point – that a change in the threat model can make all the difference in the safety (or not) of using a given technology for a particular purpose.
I say this because it happened to me with biometrics; I’ve gone from “avid skeptic” to “avid user.” I use it to log into my laptop, my phone, various different apps on my phone (password managers and the like), and sometimes even for physical entry to secure facilities. In short, the barrier went away.
What changed? That fingerprint image is, after all, still out there. Sure, the technology has changed a bit – most readers are capacitive now rather than optical, and extraction methods (such as how the fingerprint is processed and compared) are better and faster. But the essence of the process is still very much the same: a fingerprint is rendered down to minutiae and stored, subsequent minutiae extractions are compared, and a decision (is it the same or a different fingerprint?) is rendered. What’s different now is the threat model.
The threat model has shifted for a few reasons. In the context of a mobile phone, the fingerprint is taking the place of a PIN or password to gain access to the device itself – the same is true of my laptop. Meaning, someone would need to have the actual device itself – in addition to the fingerprint – in order to actually misuse or try to spoof the biometric. It’s not a remote login scenario like replacing my network/domain password or using it for login to a website or remote resource. Am I nervous about someone downloading and using my fingerprint for login to my phone? Not so long as they need to actually steal my phone or laptop to do it. It seems to me that anybody going to the trouble to steal my equipment could just as easily log in other ways and save themselves the hassle.
For actual physical entry to a secure facility, the threat model doesn’t concern me, either. There are a number of other supporting controls beyond just the use of a single biometric (such as hand geometry or fingerprint). They are probably also looking at my ID, there’s a PIN or password that I need to know, a badge to wear, and people that will throw me out if I look suspicious. It’s one link in a chain of which several elements would all have to fail in order for something bad to happen.
The point I’m trying to make is that the threat model determines the suitability of the control and can mean the difference between a technology being safe or not, a control being sufficient or not, and an application deployment being viable or not. In other words, basing what we deploy – and how we mitigate risks – on the specific threat scenarios that may be reasonably encountered in the field is critical. This is why systematic and workmanlike threat modeling (using whatever flavor of model you prefer) is so important and, in my opinion, why more people should do it. In fact, if I had taken the time to threat model the whole “fingerprint image as marketing” proposition, I probably would have (wisely) pushed back. Threat models can change (to become either more risky or more safe) depending on how and where a given technology will be used or how and where a given control will operate. Understanding what those factors are – and when they change – will absolutely provide value.
It’s important to think about leadership in the cybersecurity realm through the lens of the “lines of defense” model. If you are a leader who is executing in the first line of defense (1LOD), then your job is the proper and timely execution of control activities (processes and technologies) to ensure that your organization is properly protected. If, however, your job is in the second line of defense (2LOD), then you need to make sure that you have thoroughly communicated the risk associated with various actions (and lack of action) to decision-makers so that they can make an informed decision.
This clarity is often muddled as most cybersecurity organizations find themselves operating in what is often called the 1.5 line of defense. They operate some controls: data loss prevention (DLP), endpoint detection, protection, and response (EDPR), intrusion detection, and incident management. However, they also are frequently responsible for reviewing configurations and patching, as well as involved with features and capabilities of applications, infrastructure, and third-party organizations, and advising on the good, the bad, and the ugly therein.
Being an effective cybersecurity leader while working in the 1.5 line of defense is about maximizing two distinct, yet opposing, principles. First, you have to manage cybersecurity operations as if you can 100 percent, absolutely defend the organization from every bad thing that can befall it. Staff in these organizations need to know that they have the ability to prevent attacks from happening and can catch the perpetrators in their tracks. They need to know that you are going to invest in them, their training, and their capabilities to ensure they can protect the organization.
At the same time, you have to know that, on a long enough timeline, everyone fails. There will be mistakes made by people in the organization or by business partners. You won’t be able to get funding for all the resources and technologies you need to mount the best defense. You may be attacked by someone who has the capability to overwhelm your defenses, despite all efforts to the contrary. Lastly, the threat and vulnerability landscape changes so often that there can be hidden holes in your defenses that might not come to light until after it is too late.
Being an effective cybersecurity leader means helping your staff avoid the burnout, guilt, and depression that come from not getting the headcount needed, the funding for the new project, or worse yet, experiencing a data breach when the inevitable comes to pass. To lead effectively, you as a leader need to employ the principle of ensuring informed decisions happen and residual risk is accounted for and governed. The business doesn’t have to invest in every security solution available (in fact, doing so may impede their ability to effectively operate), so long as you have appropriately informed stakeholders of the bad outcomes that could come to pass from not choosing the more secure option, and have them accept the risk associated with such bad outcomes.
Risk acceptance is the cybersecurity leader’s “get out of jail free” card – not in an “I told you so” way, but in a cooperative manner that helps the business view you as a partner, not an impediment, and the cybersecurity staff feel as though their concerns have been addressed.
About the author: Jack Freund, Ph.D., CISA, CISM, CRISC, is Director, Cyber Risk Management for TIAA, member of the CRISC Certification Working Group, coauthor of Measuring and Managing Information Risk, 2016 inductee into the Cybersecurity Canon, IAPP Fellow of Information Privacy, and ISACA’s 2018 John W. Lainhart IV Common Body of Knowledge Award recipient.
Security improvements are often viewed skeptically, as they always seem to be associated with higher time requirements and rising costs. This is not always the case, because common types of business process optimization (Gadatsch 2017, p. 35 and Bleicher 1991, p. 196) can be triggered or facilitated by security improvements:
• Removing process activities is useful if an activity does not have a positive effect on the result. If activities involve a security risk without being required by business, removing these activities can not only increase security, but also optimize the process. For example, a media break that involves a data conversion should be removed because of potential integrity problems. If one single medium can be selected for the whole process, the process will be optimized and the security improved.
• Outsourcing can be achieved by transferring activities from one process to another. Activities or entire processes can be outsourced to external organizations. Outsourcing is recommended for activities that can be carried out more efficiently when outsourced. Certain security activities can be performed faster and more reliably by specialists. Examples include vulnerability scans, penetration testing and source code analysis. These activities require a certain expertise that other professionals, such as software developers or network administrators, often struggle to acquire.
• Summarization means that two or more activities are combined into a new one. The advantage of summarization is the reduction of interfaces at which data must be transferred. From a security perspective, interfaces often involve the risk of data compromise, manipulation, or corruption. However, the separation of functions, which is an important security principle, must not be impaired. Otherwise, manipulations and other security violations are less likely to be detected by colleagues.
• Parallelization is suitable if sequential activities can be carried out in parallel or if an activity can be divided into several parallel activities. Often, security activities can be carried out in parallel to business activities. Improving security can be advantageous to product quality. Besides, existing processes will not be delayed if additional security activities are integrated.
• Relocating activities leads to an earlier execution of activities. This can shorten the time needed for executing a process. Especially in information security, relocation has an important status for optimizations. If security activities are performed sooner in a process, fewer design issues arise and less time-consuming reworking is required. Security by design is a principle that aims at embedding security as early as possible, thereby optimizing processes.
• Accelerating activities leads to shorter process times, such as by providing additional work equipment. This means less waiting time, which is not only an advantage for the business, but also for security. Certain security processes are very time-critical, such as the distribution of security patches, the response to security incidents and the activation of recovery mechanisms. Besides, business processes can become more secure when accelerated; for example, faster patenting of new ideas reduces the risk of those ideas being stolen.
• Avoiding loops can be achieved by certain checks, like input checks and integrity checks of data submissions. Mostly, the integrity of data can benefit from additional checks, whereby errors and subsequent corrections and rework can be avoided. Ensuring that errors are identified as early as possible not only improves security, but also eliminates time-consuming loops.
• Adding activities can ultimately increase the quality of the final product. Information security can be a quality feature. Some customers take security for granted, especially in IT products. Adding security-improving activities might require more effort initially. However, by considering security as an important component in overall quality, both the business process and the resulting product will be improved.
As much as tools and technology evolve in the cybersecurity industry, organizations remain reliant on clever, well-trained humans with incisive critical thinking skills to protect themselves from the perilous cyber threat landscape. But just as the threat landscape continues to expand, so, too, does the corresponding skills gap that puts organizations at risk of major financial losses and irreversible damage to their brand reputations.
Finding and retaining a sufficient pool of qualified cybersecurity professionals grows ever more challenging, as reflected in ISACA’s recent State of Cybersecurity 2019 research. The retention piece can be especially problematic, particularly for organizations that face substantial resource limitations. Better financial incentives, such as higher salaries and more lucrative bonuses, overwhelmingly came across as the top reason why cybersecurity professionals change jobs, with other considerations such as career development opportunities and better work culture/environment also factoring in among the leading reasons.
The State of Cybersecurity 2019 report reveals several problematic data points about the current cybersecurity workforce outlook, including:
- 69 percent of respondents say their cybersecurity teams are understaffed
- 58 percent indicate their organizations have unfilled cybersecurity positions
- 32 percent report it takes six months or more to fill cybersecurity jobs at their organization
That last statistic is especially troubling. Think of the enormous damage a cyberattack can inflict upon an organization in six hours, let alone the six-plus months that it takes 1 in 3 organizations to fill an open cybersecurity position. That it takes so many organizations such an extended period to secure the candidates that they are looking for is indicative both of the need to cultivate more people to become interested in the cybersecurity profession and, thinking realistically, of the need for organizations to come to grips with the need to reskill and train candidates who might not check every desired box on the job description. Rather than wait six months or longer in hopes that the ideal person walks through the door, organizations would be well-served to take technologically-savvy candidates with tangential skills and bring them into their cybersecurity teams, realizing that a commitment to training and professional development will be needed.
Looking beyond conventional candidates
Along those lines, organizations should become more receptive to seeking out talent from non-traditional backgrounds. As my ISACA colleagues noted in a panel discussion this month at the RSA conference, veterans and others from non-technical backgrounds who possess skills and interest that align with cybersecurity roles often can rise to the occasion when given the opportunity. Furthermore, the cybersecurity industry must do a much better job attracting and retaining women in the field. The underrepresentation of women in the cybersecurity profession is an important piece of the overall skills gap faced by organizations globally. Taking these factors into consideration, organizations would be well-served to develop a business plan that redefines their protocols for how security talent will be attracted and retained.
Little margin for error
Organizations can build and retain effective cybersecurity teams, but the margin for error is slim. Quality cybersecurity practitioners will have many options, so the onus is on enterprise leaders to give them a compelling reason to want to come to – and stay at – their organization. Offering a competitive salary is a natural starting point, as the State of Cyber 2019 report reinforces. When budgeting for the overall scope of their security teams, leaders might need to resist the temptation to purchase the latest intriguing tool or gadget if it comes at the expense of being able to offer key team members competitive salaries. Beyond the pay component, there are other areas in which organizations should take stock of what they are offering to make sure team members feel appropriately valued. To that end, organizations should invest in performance-based training for existing staff to groom more practitioners who are technically proficient – often the most elusive professionals for organizations to find. Instilling an upbeat, team-oriented culture also can go a long way toward preventing employees from looking elsewhere.
With each passing year, the recognition that robust cybersecurity is a central business imperative for all organizations in the digital economy becomes increasingly widespread, but there is a difference between knowing cybersecurity is important and having the vision and commitment to put an effective security program in place. That starts with bringing aboard quality cybersecurity practitioners, and then providing the ongoing training needed to fill in knowledge gaps and keep professionals current on the latest attack methods they will be tasked to combat. While artificial intelligence and automation-driven tools will prove useful for enhancing cybersecurity in the coming years, that doesn’t change the reality that no organization will be on secure footing until it has the right people in place to strategically address cyberattacks that will continue growing in volume and sophistication.
Editor’s note: This post originally appeared in CSO.
The theme of last week’s RSA Conference 2019, “Better,” gave ISACA the opportunity to engage with information and cybersecurity professionals on how we collaboratively move the technology field into a better future.
ISACA kicked off RSA with the release of part 1 of the 2019 State of Cybersecurity report, which revealed insights into issues affecting the cybersecurity workforce and the skills that are currently most in demand.
ISACA leaders addressed this topic in their panel, “Building—and Keeping—Your Cybersecurity Team with Nontraditional Staff.” Rob Clyde, CISM, ISACA Board Chair, walked through key data from the 2019 State of Cybersecurity report, then moderated a discussion on how cybersecurity teams can source talent from diverse backgrounds and skill sets. Joining Clyde were panelists Tracey Dedrick, ISACA Board Director; Tammy Moskites, managing director, Accenture; Gabriela Reynaga, ISACA Board Director and founder/CEO, Holistics GRC Consultancy; and Gregory Touhill, ISACA Board Director and president, Cyxtera Federal Group, Cyxtera Technologies, Inc.
To illustrate how common it is for people to join the industry from other career or educational paths, Clyde asked the audience of over 75 attendees, “How many of you studied cybersecurity and then went immediately into a job?” Only a couple attendees raised their hands.
The panelists shared some of the qualities that non-traditional job candidates can bring to a team. Dedrick noted that she likes to hire people who are the first generation in their family to go to college, noting they often “know how to not take things at face value, and to negotiate.” Both Moskites and Touhill emphasized the importance of new hires having a strong desire to get into the industry. “You want folks who are naturally curious and eager to solve problems,” said Touhill. Added Moskites, “I look for anyone with that ‘fire in their belly’ who is eager to learn,” noting that she once hired someone who had previously worked at a grocery store filling food containers, because of that person’s drive and passion—and this person turned out to be one of her best employees.
Reynaga and Touhill also shared their recommendations on how to attract more women and military veteran candidates to cybersecurity jobs. “There needs to be flexibility in scheduling for both men and women,” said Reynaga. Touhill noted that HR professionals need to have relationships with their local military bases’ transition offices, saying, “If you’re not, you’re cheating yourself out of a great talent pool. Veterans want to continue their mission.” He added that the Wounded Warrior Cyber Combat Academy is another place to look for veterans with cybersecurity skills.
Later that day, ISACA’s SheLeadsTech program hosted a panel that continued the conversation, focusing on how to attract and retain women in cybersecurity roles. Clyde introduced the group, including moderator Moskites and panelists Reynaga, Dedrick and Kim Dale, CISA, CISSP, IT Audit Specialist, Federal Reserve Bank of Chicago. The four women shared the stories of their career paths and challenges faced along the way—including one sharing how it felt to be the only woman on the leadership team, and another panelist recalling how she was once told that a more senior role wouldn’t be appropriate for her because she should be focused on getting married and having children. They provided advice for other women around applying for jobs even if not all qualifications are met, charting your own path if others try to hold you back, and to define what success means to you, even if it’s not considered “traditional.”
ISACA plans to continue these conversations well beyond the conference, promoting initiatives that lead the industry and engage all information and cyber security professionals toward “better.”
To learn more about the ISACA 2019 State of Cybersecurity Report, click here.
To learn more about SheLeadsTech and to get involved, click here.
We know that phishing attacks are on the rise, but did you know that more and more executives are falling for these phishing emails every day? New phishing campaigns targeting executives are intelligently crafted and difficult to spot. Traditional hardware/software protection cannot keep up with rapidly evolving phishing methods. These campaigns easily bypass spam filters and Business Email Compromise protection solutions, and successfully get executives to reply, click on links and open documents.
One blatant example, according to the Agari Cyber Intelligence Division's London Blue Report, describes how a criminal organization, structured just like any modern organization, created “a list of more than 50,000 finance executives that was generated over a five-month period in early 2018. This list was likely used by London Blue as a massive targeting repository for their BEC attacks. Among them, 71 percent held a CFO title, 12 percent were finance directors or managers, nine percent were controllers, six percent held accounting roles, and two percent had executive assistant titles.”
According to Intermedia, 34 percent of executives/owners and 25 percent of IT workers themselves report being victims of a phishing email, more often than any other group of office workers.
From my latest research speaking to customers whose executives were targeted successfully, the first emails that came in had NO links or files contained in them. The hackers are doing their research on these executives and their contact circles, so they can send simple emails from organizations and people that the targeted executive has done business with or interacted with before. These first few emails are used to build trust, so that at some point in the future the target will click on a link, open a document or, even worse, tell an assistant to respond on his or her behalf.
By August 2018, at least 400 industrial companies were targeted by spear-phishing attacks disguised as legitimate procurement and accounting letters, according to Kaspersky Lab.
These folks are smart – very smart. They know that for lower amounts, fewer approvals are required, so they will typically seek approvals for the release of funds under US $50,000 per transaction. Now, add to this the fact that some organizations may not realize they have been phished until five months later, and that makes for a scary proposition.
Evolving phishing attacks mean that criminals are continually looking for new ways to completely mask their malicious URLs, especially on mobile devices. They either hide them behind a page like Google Translate that users are already familiar with or completely trick users with custom web fonts and altered characters. One of the latest approaches is to create an Office 365 meeting invite that contains quiz buttons or a poll asking recipients to pick the topic or date for the next meeting; employees that end up clicking are presented with a fake Office 365 login page where they enter their O365 credentials and then lose control over their email account. Another approach is an email that comes from someone you know with a request to take a look at something for them. When you click on the link or attachment, malware installs on your system, takes over your email client, and then emails the same message from you to all your contacts.
All is not lost, however. There is a way to help prevent and thwart these attacks. You need a security awareness program that instils a culture of security throughout your organization starting in the boardroom and leading by example.
According to Cybersecurity Ventures 2019 Cybercrime Report, “Training employees how to recognize and defend against cyberattacks is the most underspent sector of the cybersecurity industry.”
If more than 92 percent of all breaches and hacks are due to phishing, then employees with an email address, social media account, phone or tablet are your organization’s largest attack surface. Millions of dollars are spent on hardware and software security measures, yet still today, a single click from a single user can circumvent all the expensive protections in place. It may be time to rethink your approach to cybersecurity and start applying the Human Fix to Human Risk.
To effectively change phishing behaviors and build a security culture among executives and all employees, you need a comprehensive awareness program that is carefully planned, and which is based on your organization’s specific needs and objectives. This is difficult to achieve unless you apply a proven security awareness framework – an ongoing, methodical approach – which should include these five steps:
Step 1 – Analyze your organization’s needs and objectives and develop a cybersecurity awareness program that generates results.
Step 2 – Plan your campaigns to stay on track and engage your workforce as well as your stakeholders.
Step 3 – Deploy an effective training initiative and witness behavior change as it happens.
Step 4 – Measure the performance of your campaigns against your objectives and demonstrate progress to stakeholders.
Step 5 – Optimize campaigns accordingly and update your program to incorporate new insights.
Without a framework, it’s just hit and miss, and you will never get your users, whether they are executives or not, to change their risky behaviors with an unorganized approach. A framework is designed to take everything into consideration – especially how people learn, adopt and maintain new habits. Taking such a methodical approach ultimately leads to a culture of security awareness … with dramatically fewer human-related security breaches.
Malicious and fraudulent emails will continue to bypass filters and malware detection solutions for the foreseeable future, allowing cybercriminals to make more money. But there is hope if you leverage a tried and proven combination: phishing simulations targeting the C-suite, executive awareness training based on a pedagogical approach, and continual reinforcement through communication, all aimed at changing current behavior and reducing your largest attack surface.
Editor’s note: For more insights on this topic, download the Phishing Defense and Governance white paper, released by ISACA in partnership with Terranova Security.
I live in Austin, Texas, USA, where the bumper sticker quotient is fairly high, although diminishing with every vehicle that comes here from places like Dallas (no offense, Dallas — I don’t have any bumper stickers on my car either). One of my favorites is, “If you’re not appalled, you’re not paying attention.”
I’m sure it was written with politics in mind, but it’s absolutely relevant for cybersecurity, too. Most security professionals — me included — remember a time when we were appalled, closely followed by a desire to be part of the solution.
I see stacks of security awareness materials. To be effective, the producers of those materials rely on an appalled and aghast audience. Fear, uncertainty and doubt often provide an “easy out” for those looking for shortcuts.
“If you only understood how important this is, and all the bad things that really bad people are doing in the world, you’d stop reading this poster/email/training module and change your password/use a password vault/enable MFA right now.”
The problem is, people are only temporarily appalled, and after the shocking breach headline fades, they are no longer paying attention.
The world of consumer messaging and advertising suggests that humor, optimism and a sense of purpose are better levers than fear for motivating action. Let’s look at three common security awareness fallacies and how we can improve the ways we communicate to get people’s attention and create positive, engaging awareness campaigns, instead of shock and awe.
Awareness fallacies and corrective controls
Didn’t you read my email/policy/standard? People are bombarded all day by messages from all kinds of media — email, TV, billboards, Facebook and Twitter. They cannot escape it. I’ve worked at companies where people routinely receive 200 emails a day. With that much noise, people cannot read and intelligently process every email they receive. They read or skim what they think is important. Their focus is on their priorities and no one else’s. Corrective control: Use more than one channel to say the same thing over and over again. Not everyone is reading everything, so use email, posters, social media, videos, graphics, events and more to get your message across in every media channel available to you.
Up to and including termination. You cannot threaten your employees into a culture of security. Creating a culture is a lot like creating a brand – you can influence it, but you never completely control it. A brand lives in the hearts and minds of everyone who chooses to participate in it. People have to want to be a part of it – you can’t force them. Compliance is critical, and there’s a time for language like “up to and including termination” when you’re assigning mandatory training or writing policy. But if you use this type of threatening language with your security awareness materials, you should realize that it’s contrary to creating a culture people will embrace. Corrective control: I know a lot of training and awareness managers (I was one) who run a small part of their program for compliance, but the rest is optional. That requires you to be good at engaging people to take part and be new culture adopters. Identify those in the organization who are early and eager adopters and enlist them to help spread the message.
Human firewall, weakest link, end user. Way too many security communications refer to people in really unappealing terms – how can we blame them for not paying attention? I looked for an example of a successful consumer messaging campaign that instructed people to be more like technology, instead of illustrating how technology serves humanity. I did not find one, and that’s probably a good thing. Corrective control: Use language that empowers. Impart information that makes people better people — not the human element, firewalls, links or users.
Think about your company’s culture and your current approach to these common fallacies. Take a razor blade to all those appalling bumper stickers you might have on your security awareness training vehicles. Replace them with upbeat and engaging messages that educate and empower.
Editor’s note: For more insights on this topic, download a joint white paper from ISACA and Infosec.
If there were any question about the critically important role that information and cyber security practitioners play in the welfare of today’s society, there is new evidence spelling it out in stark, attention-grabbing terms.
Data fraud/theft and large-scale cyberattacks were each identified among the top five global threats in the latest edition of the World Economic Forum’s Global Risks Report. The other elements on the list: extreme weather events, failure of climate change mitigation and major natural events, such as earthquakes and tsunamis.
Think about that for a moment: protecting data and thwarting cyberattacks now have ascended alongside dealing with natural catastrophes as the most pressing threats demanding the world’s full attention.
In some ways, the cybersecurity dangers we face are similar to the other, naturally occurring disasters that occupy the top spots on the global risks list. Just as a city or village can appear perfectly tranquil one day, only to be torn asunder the next by a raging storm or fierce earthquake, too many organizations today are lulled into a false sense of security, preoccupied by business as usual, and then are blindsided by a major cyber incident that causes business upheaval from which they may never fully recover. But unlike most of the natural disasters that cause so much damage, humans are capable of preventing much of the suffering that results from attacks on our digital world. That is a challenge the security community must commit to addressing on a global scale.
Given that backdrop, it is encouraging that the gathering of world leaders in Davos for the 2019 World Economic Forum included extensive discussions around cybersecurity and its rising importance in the global digital economy. As Brad Smith, president and chief legal officer at Microsoft, said in a panel discussion in Davos, “It’s all about keeping the world safe. The world depends on digital infrastructure and people depend on their digital devices, and what we’ve found is that these digital devices are under attack every single day.”
Cybersecurity is a fundamental enabler of the digital economy, protecting organizational assets, contributing to business continuity, defending brand names, potentially providing a competitive advantage, and managing liabilities and risk as a whole. The failure of organizations to take sufficient action in protecting themselves and their customers from cyber threats has necessitated increasing regulatory involvement, with 2018 marked by the enforcement of the EU’s General Data Protection Regulation (GDPR) and similar policies being crafted in the US and elsewhere; Smith anticipates a large-scale federal privacy law in the US to be enacted within the next year or two.
While new regulation and the development of national cybersecurity strategies can be helpful, no one or two isolated steps can alone keep us safe. Cybersecurity requires a holistic approach, taking into account people, process, technology, organizational structures and business strategies, and addressing the overall business ecosystem, which nowadays is built through the interfacing of many actors. These actors increasingly work across international borders, meaning the more substantive dialogue that international leaders have, such as the conversations that took place in Davos, the more opportunity there is for meaningful collaborations that will drive toward real solutions. This dialogue must be ongoing and include both the public and private sectors, as well as academia and industry professional associations.
These challenges are only going to intensify in the coming years. The evolution of the cyberthreat landscape cannot be ignored, especially with the rapid proliferation of new technologies and the corresponding changes to business models. The fact that only 40 percent of respondents to ISACA’s 2018 Digital Transformation Barometer express confidence in their organization’s ability to assess the security of systems based on AI and machine learning suggests that the challenges will only escalate in the coming years as AI and other fast-developing technologies are deployed more frequently. The global public and private sectors are still far from being prepared for this reality. In particular, there is much work to be done in recognizing the need to take a risk-based approach to understanding organizational cybersecurity preparedness and in appropriately prioritizing and investing in training resources for security teams.
One of the more interesting comments at the World Economic Forum came from Troels Oerting Jorgensen, Head of Centre for Cybersecurity at the WEF, who said, “We must not sell fear but protect hope to make sure the good side of the internet is always in focus.” That is a great way to look at it, but even better than hope is confidence, and confidence must be earned by being prepared. While cybersecurity appearing so prominently among top global threats is a jarring sight for all security professionals, at least there is no ambiguity about the extent of the challenge. While there is only so much humans can do about a tsunami or prolonged drought, cybersecurity is a people-driven challenge that our collective ingenuity and resolve can go a long way toward addressing.
Editor’s note: This post originally appeared in CSO.