Most organizations focus on software and systems that promise to harden their defenses against external attacks. While it’s crucial to have a sound cybersecurity program in place, it’s important to ensure that you look inward as well as out. After all, most security incidents and data breaches are caused by human error in one form or another. In fact, many studies have reported that the human element (negligence rather than malicious intent) is responsible for over three-quarters of all breaches.
People work round-the-clock nowadays, on a range of different devices and from many different locations, making security more challenging. According to a report from PhishMe, 91 percent of cyber attacks that led to a successful data breach began with a spear phishing email. There’s also the risk of malicious insiders, misconfiguration of servers and tools, and simple mistakes, such as including the wrong person in a sensitive email chain or leaving a laptop on a train.
Maintaining any organization’s security should be a shared responsibility. Everyone must pitch in, but before that can happen you need to establish a solid foundation to build upon.
Set Procedures and Educate
You must begin by assessing your current cyber posture and calculating acceptable risk levels. Map your valuable data and processes and focus resources on protecting them. Consider regulatory requirements and compliance as you draft a clear set of instructions for precisely what should happen in the event of a specific security incident.
The workforce must be educated about your procedures. They need to know exactly who to contact and what information they need to provide if something happens. Whether they realize they’ve misconfigured a system and allowed unauthorized access to sensitive data, or they merely suspect that clicking a link in an email may have infected their device with malware, if they have a clear set of instructions to follow you have a much better chance of limiting the damage.
Procedures should include time limits for alerting the right people and expectations for further investigation and remediation. Every incident that does occur should be treated as a learning opportunity and so procedures must evolve over time as you learn what works best. It’s vital that the workforce understands the potential repercussions of ignoring signs – attacks are inevitable but reacting swiftly can dramatically reduce the impact.
Employ Security Awareness Training
Many employees are simply unaware that their behavior is risky. Cyber attacks are also constantly changing and growing more sophisticated. Proper security awareness training is essential. This should cover everything from security hygiene with passwords, to links and attachments in emails, to unverified requests that come through social media accounts. There are lots of resources out there you can draw on, such as National Cyber Security Awareness Month.
Tools and filters can be an enormous help here, but it’s important that employees learn to work in concert with your defenses to detect threats and respond in a timely way. Ensure that they’re aware of the tools at their disposal and where to turn when they’re uncertain about something, and encourage them to think about and discuss security issues.
Security-related risks are reduced by 70 percent when businesses invest in cybersecurity training and awareness, according to this report.
Test and Retrain Where Necessary
In a perfect world, having clear procedures in place and training your workforce would be enough, but you can’t afford to take it for granted. The only way to be sure that they have absorbed the right information is to test them. Mock phishing emails or other attacks that employees have been trained on can be employed to find out whether they’re following procedures correctly.
When people fail to follow their training or don’t alert the right colleagues in the event of an attack, they need to be sent for further training regardless of seniority. In some circumstances, disciplinary action might be necessary. Good security hygiene should be highlighted and rewarded with praise. It’s important to encourage secure thinking as part of your culture, so employees can support each other and work together to prevent problems.
The actions described above, mostly focusing on training and procedures, are only part of the solution. With the understanding that employees are, in fact, the weakest link, what else can the CISO or SecOps do? What types of controls can you put in place in case there is a lapse in training or procedures?
Your best practice is to automate as many of the technical controls across your hybrid environment as possible: for example, strong password policies and a zero-trust model that locks down privileges according to role. Couple this with auditing of all user actions and the deployment of auditing tools such as user behavioral monitoring. These controls must be enforced on all assets within the organization – on-premises hosts, endpoints, and the public cloud.
A good starting point is the Center for Internet Security (CIS), which publishes a set of benchmarks that reflect industry best practices across a wide set of operating systems, critical enterprise applications, containers, and even public clouds. This last set of evolving benchmarks is important given the move to the cloud, the sheer number of events and services that may need to be monitored, and the negative, and often highly publicized, impact of a breach on the organization.
Building on the earlier CIS benchmarks for AWS, the Azure benchmark was released in the winter of 2018, and Google Cloud followed at the end of summer. These benchmarks provide a good baseline for identifying the critical services where automating technical controls is required. Assessments cover identity, storage, compute, networking, and other common services, permitting organizations to focus on those that matter most. And via automated remediation, using AWS Lambda functions as an example, an enterprise can quickly identify services that are, or have become, insecure and remediate them.
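One way to put the check-and-remediate loop described above into code, as an added example that is not the article's, Cavirin's or CIS's own: a Lambda-shaped handler that evaluates an AWS IAM account password policy against CIS-style thresholds and builds the hardened settings that would be applied. The threshold values are assumptions modelled on the CIS AWS Foundations Benchmark password controls as I recall them, and the weak sample policy is constructed.

```python
"""Lambda-style check and remediation of an AWS IAM account password policy
(added example, not the article's, Cavirin's or CIS's code). Thresholds are
assumptions modelled on the CIS AWS Foundations Benchmark IAM password
controls as recalled; the sample event below is constructed."""
from typing import Any, Callable, Dict, List, Tuple

# Each control: policy key, compliance test, value to set when it fails.
CONTROLS: List[Tuple[str, Callable[[Any], bool], Any]] = [
    ("MinimumPasswordLength", lambda v: isinstance(v, int) and v >= 14, 14),
    ("RequireUppercaseCharacters", lambda v: v is True, True),
    ("RequireLowercaseCharacters", lambda v: v is True, True),
    ("RequireSymbols", lambda v: v is True, True),
    ("RequireNumbers", lambda v: v is True, True),
    ("PasswordReusePrevention", lambda v: isinstance(v, int) and v >= 24, 24),
    # MaxPasswordAge is absent when ExpirePasswords is false, so None fails.
    ("MaxPasswordAge", lambda v: isinstance(v, int) and 0 < v <= 90, 90),
]
# Parameters IAM UpdateAccountPasswordPolicy accepts; GetAccountPasswordPolicy
# also returns ExpirePasswords, which Update does not take, so it is dropped.
UPDATE_KEYS = {k for k, _, _ in CONTROLS} | {"AllowUsersToChangePassword", "HardExpiry"}

def evaluate(policy: Dict[str, Any]) -> List[str]:
    """Names of controls the policy fails; a missing key means 'not enforced'."""
    return [key for key, ok, _ in CONTROLS if not ok(policy.get(key))]

def remediation_payload(policy: Dict[str, Any]) -> Dict[str, Any]:
    """Hardened policy: keep compliant settings, raise failing ones to baseline."""
    fixed = {k: v for k, v in policy.items() if k in UPDATE_KEYS}
    for key, ok, desired in CONTROLS:
        if not ok(policy.get(key)):
            fixed[key] = desired
    return fixed

def lambda_handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    """Handler-shaped entry point: event["policy"] is a GetAccountPasswordPolicy
    result. In a live deployment the returned "remediation" dict is what would be
    passed to boto3.client("iam").update_account_password_policy(**payload);
    the call itself is left out so the example runs offline."""
    policy = event.get("policy", {})
    failed = evaluate(policy)
    result: Dict[str, Any] = {"compliant": not failed, "failed_controls": failed}
    if failed:
        result["remediation"] = remediation_payload(policy)
    return result

# Constructed sample: a weak policy of the kind a CIS assessment would flag.
SAMPLE_EVENT = {"policy": {
    "MinimumPasswordLength": 8, "RequireSymbols": False, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": False,
    "PasswordReusePrevention": 5}}
```

Running `lambda_handler(SAMPLE_EVENT)` reports four failed controls and a remediation dict in which only those four settings change, so the same evaluation can be re-run on the payload to confirm it is compliant before it is applied.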
People, processes, and controls. These three interlocking factors combine to maintain an organization’s security posture and map to Gartner’s recommendations on developing and maintaining a cyber-secure workforce. The same document also outlines a set of best practices that any organization can implement. However, good security practices cannot be imposed by CIO, CISO, or IT department directives, and can’t only be a top-down mandate. These individuals and groups must lead the organization’s cyber posture, drawing on industry best practices, benchmarks, and their own experience, while fostering employee buy-in and understanding. Closing this loop will create an environment where everyone takes responsibility for cybersecurity in the workplace.
About the Author:
Bashyam Anant leads product management for Cavirin where he has spearheaded Cavirin's CyberPosture Scoring algorithms, golden posture remediation, security monitoring, and machine learning initiatives. A seasoned product leader in large-scale data/content platforms, machine-driven insights and data integration, he has driven 20+ products, $300M in annual revenues and 5 machine learning patents. Most recently, he led product management at Veritas for a portfolio of Information Governance products that help organizations derive Machine Learning-based insights from and act on petabytes of unstructured data. Prior roles include Yahoo!, Flexera Software, and Deloitte Consulting. He holds a Ph.D. in Operations Management from UCLA and a B.Tech. in Mechanical Engineering from IIT Delhi.