2017 – A New Hope
Protecting your company in 2017 should start from the inside out. Organizations have spent the last decade securing the perimeter from external threats with a fair amount of success. However, in the last couple of years one of the most serious threats to cybersecurity stepped to the fore: the Insider. StaySafeOnline.org recently highlighted the importance of training more of your employees to become security aware. The idea is to have many eyes focused on securing an environment, much like the many sensors monitoring all aspects of a nuclear power plant; think of each employee as a sensor looking for threats.
Think of any successful Cybersecurity Awareness Program as having two distinct components:
The Business Component
Develop an easy-to-follow security plan – Create a security plan that is simple to follow and uses wording and explanations anyone in the organization can understand.
Back up information – Back up not only file share data but also users’ local files. The goal is to quickly recover from Ransomware or other attacks targeting user data. Ransoms don’t need to be paid for files of which you already have secure, recent copies.
Password Management – Implement multifactor authentication and authorization whenever possible to significantly minimize doubt that someone is who they say they are when working in your network. By adding additional dimensions to authentication, multifactor schemes raise the hacker’s task of stealing an identity (and thus, data) from a potentially trivial, automated task to one requiring considerably more time, money, and deliberate focus.
Ramp up email scanning and quarantine – The battle against email Spoofing continues. Potent and ever-developing weapons against this threat can be found among various email scanning utilities. Invest in the very best and make the users in your organization safer from dangerous threats, including themselves!
The User Component
See something, say something – Maybe a fellow employee is acting strangely, inserting an unknown device into a computer. Perhaps you’ve received an email “from your CEO” addressed directly to you and asking for your W2 information. Regardless of how seriously you think a suspicious activity could potentially impact your organization, report it.
Generating a password – Your helpdesk should provide users with tools to help generate their own complex passwords, like LastPass. If automated tools are not available or desirable, the helpdesk should be prepared to provide users with password-generation advice which accurately conforms to specifications deemed appropriate by the security team.
When in doubt – When you receive an email with an attachment or link, don’t just reflexively click it. Even if you know the sender, ensure the link legitimately points to the online resource it purports to, or ask the sender to post the file attachment somewhere else, perhaps on an internal file share.
The Bottom Line
Organizations need security teams that can create and conduct user security training. Information security protocols should not be dictated as ineffable magic, but rather be explained to users in such a way that they can understand legitimate risks to the organization. It might even be wise to test users on the basics of information security.
While the traditional focus on external or perimeter threats should not be abandoned, successes on that front have brought new attention to the harder-to-address Insider threat. But unlike outside malicious actors, whose penetrations can be detected and often interdicted through surveillance and subtle analyses, the most effective weapon against the Insider threat is culture. Use 2017 to educate your users. Grow and develop an organization-wide information security culture based upon well-communicated strategies, vigilance, and trust.
Brad Bussie is an award-winning fifteen-year veteran of the information security industry. He holds an undergraduate degree in information systems security and an MBA in technology management. Brad possesses premier certifications from multiple vendors, including the CISSP from ISC2. He has a deep background architecting solutions for identity management, governance, recovery, migration, audit, and compliance. Brad has spoken at industry events around the globe and has helped commercial, federal, intelligence, and DoD customers solve complex security issues.