“Crampons make it easy to climb the ice without slipping,” says a guide to scaling Vatnajökull, Iceland’s largest and most majestic glacier.
Easy to climb? Really? I nearly lost my life ascending that ice cap when one of my crampons popped off my boot. (Thank goodness for carabiners!)
Which brings me to Cybersecurity.
Much like climbers must see the “bite” in Vatnajökull’s mesmeric beauty, CISOs must see the threats in otherwise sublime landscapes of workforces that are always on, always connected. I don’t mean just obvious threats like malware, IoT attacks, spear-phishing, session hacking, and the rest. The need to avoid these dangers goes without saying.
I’m talking about the single greatest threat to corporate cybersecurity: naiveté. Blind faith. The tendency to evaluate your cyber protections over-optimistically, through “rose-colored glasses.”
In the context of cybersecurity, naiveté is the expectation that employees will follow security policies assiduously; that they’ll be consistently cyber-vigilant by recognizing ransomware when they see it, identifying spear-phishing when it happens, managing their passwords responsibly, operating sensibly on social media, and protecting sensitive information like log-in credentials.
This is a dangerous supposition, akin to climbers forgoing carabiners because, after all, how could crampons possibly fail while scaling a glacier’s jagged contours? Just how faulty is the assumption that employees will conduct themselves cyber-vigilantly at all times? Exceedingly! 95% of all cyberattacks result from human error, with each attack incurring an average cost of $150 million.
With cyberattacks expected to cost businesses more than $2 trillion in 2019 alone, it’s little wonder that global cybersecurity spending has already grown 35X over the last 15 years and is expected to top $1 trillion by 2021.
What is all this money being spent on? New technologies to replace new technologies that turn vulnerable overnight. Consider continuous authentication – post-authentication security technology developed to replace two-factor authentication (2FA) when the latter turned susceptible to devious workarounds like SIM swapping and password-reset processes that bypass 2FA.
Continuous authentication combines continual monitoring of user activity with advanced biometrics, machine learning, and crowd-sourced data to produce a security system that vastly improves upon traditional login techniques.
Think of it as AI-infused continuous security.
To Achieve True Continuous Security,
Address This Question First: Where to Start?
For all the talk of cyber-risk assessment and cyber training, most companies fall short of adequately protecting themselves because they fail to properly address what should be question #1: Where to start?
Where to start when seeking to understand the cyber-security landscape, develop a governance framework, and create a cyber-vigilant workplace?
Ask experts and influencers where to start, and some will tell you this: Make cyber-vigilance “part of the culture.” Instead of focusing on policies or patching or training programs, they say, start by making cyber-vigilance an “everyday thing.”
Making cyber-vigilance part of the culture is certainly the goal, but it’s far too ambitious to serve as a starting point (or even a mid-point, for that matter). That would be like calling “scale” the starting point of a company!
Like scale, “cultural cyber-vigilance” is a goal and not a starting point.
So, where to start? And how to start?
Start not at the company level, but at the individual level and the Board level – because if the Board doesn’t understand cyber risk, the investment at the individual level won’t be made.
Why must cultural cyber-vigilance start at the individual level? Because the $120 billion companies will spend cumulatively on cybersecurity this year – largely to secure corporate networks and devices – will do nothing to prevent random workers from being tricked by phishing attacks and other malicious intrusions.
In fact, you could argue that massive spending to secure corporate networks has encouraged cyber-criminals to target workers as their only remaining points of entry, typically through phishing scams. And the scams have only become more sophisticated: Once chosen randomly, workers are now targeted by cyber-criminals specifically for their access to sensitive corporate systems.
So how to start sensitizing companies to cyber-vigilance at the Board and individual levels?
Here are a few things I recommend:
At the Board level:
- Ensure that at least one person on the Board’s Risk Committee understands cyber risk and makes threat detection and prevention perpetual action items, with high-level metrics to set benchmarks and measure progress.
- Leverage an acknowledged cyber framework (NIST) to enhance the cybersecurity decision-making process. This includes a direct communication channel between the Board and the CISO.
- Conduct an independent assessment to pinpoint vulnerabilities (i.e., managed vs. unmanaged devices; web apps; shadow IT inventory; EDR, etc.)
At Individual Level:
- Identify IT and system administrators and establish approval workflow to prevent a single point of failure.
- For large financial transactions, use a multi-factor authentication system or a verified approval process that goes beyond an email or phone call before initiating any significant transaction or change.
- Make Cyber Risk awareness program a mandate for each employee.
- Educate employees to be alert to suspicious emails, links, and attachments.
- Teach employees to protect their passwords, to never store them on a browser, and to select a strong password and replace it regularly.
- Educate employees not to share their passwords, account numbers or any other private information via email.
- Teach employees the difference between a secured website and an unsecured one.
- Have employees configure email client to view emails as “text only” will protect you from scams that use HTML in emails.
- Teach employees not to use removable media (USB thumb drives, SD cards, iPods, MP3 players) for private data or/and sensitive information.
- Require employees to make sure that their PCs and servers have up-to-date firewalls.
- Require employees to install antivirus and anti-malware software to prevent viruses.
- Implement intrusion detection and prevention systems to monitor threats.
- Secure Wi-Fi with robust login credentials and encryption.
- Arrange for frequent backups to be performed.
- Enforce user authentication with strong password protocols.
- Require digitally signed confidential emails. The digital sign adds an important layer of security to emails and helps receivers ensure that scammers don’t alter email content during transit. You can use SSL/TSL certificates to sign and encrypt emails.
- Employ a sender policy framework (SPF) – an email authentication/validation tool designed to detect and block spoofed or forged emails.
- Develop a scalable security framework to support all IoT deployments.
- Monitor third-party access to your data and limit the scope of access.
How to get your organization CyberFit? Start by “cyber-fortifying” select Board members and individuals.
These exercises offer a great start.