What can individual users do to preserve cybersecurity at work? Your organization is spending on cybersecurity tools, you have an awareness program, and if you look you will find that there are standards and procedures for choosing and maintaining products to help keep information secure. But what can an individual do?
Remember – you are the first line of defense. Be alert, be aware.
The problem is real, large, and growing.
As of the first half of 2017, business email compromise (BEC) is one of the largest threats an enterprise must guard against. According to an FBI study published in May, global losses from BEC scams have reached $5.3 billion since 2013. There is no reason to believe this will slow down: it makes money for the scammers. Many businesses are reluctant to report these problems, as they fear the negative impact the report would have on their reputation.
Figure 1: Most commonly forged source of business email compromise attacks
Figure 2: Most common target of business email compromise attacks
The response requires comprehensive, coordinated effort.
Effective workplace security does not happen by accident. It requires oversight and guidance. It requires policies, and those policies must be taught. The Chief Information Security Officer leads the policy creation and education efforts and argues for the budget to support that policy development. The information security program requires standards. These standards should include the baseline set of controls and the decision-making process for enhancing certain controls based on additional risk. The CISO leads the technical team developing these standards, and works with IT, HR, and site security to integrate them into the organization’s procurement, development, and operations processes. The information security team must have procedures for detecting an issue, handling a breach, remediating the consequences of the breach, and informing interested parties about the problem and its solution. The information security team, led by the CISO, should have relationships in place with key third-party suppliers and with the appropriate law enforcement organizations. The worst time to build a relationship with investigators is after a problem has happened.
Most important, your employees must buy in to the program.
When you design your awareness program, consider this model to validate your program’s effectiveness. Imagine an employee of your organization walking down the hall who sees someone doing something on a computer that might be wrong. Ask yourself three questions about that employee.
If the answers are “yes,” “yes,” and “yes,” your program is effective. If there is a “no” in there, your program will fail.
If the individual does not know what constitutes poor practice, he or she will not recognize it, and will take no action. This is the core of information security awareness.
If he or she decides not to report it, even knowing it is wrong, the program will fail. Perhaps he or she heard that someone else once reported a problem and that individual is now ostracized. Maybe he or she spoke with a manager who said, “Yes, this is a problem, but the other person is not in our area, so we shouldn’t get involved.” This is a test of the organization’s culture.
If he or she does pick up the phone, but the person at the help desk does not know what to do, then the program has failed. This tests the organization’s procedures.
Notice that these results are independent of the technology the organization deploys. Technology matters: investment is a necessary but not sufficient condition for successful protection. But without the right level of awareness, the right culture, and the right processes to reinforce that culture, no level of investment will succeed.