Are you doing enough to involve users in your corporate security program?
Maximizing the effectiveness of your corporate cybersecurity program
Written by: Mark Spangler, CISSP PMP
Many organizations choose to approach their cybersecurity challenges with the purchase of a multitude of software and appliances. It is not uncommon for some enterprises to maintain well over 50 separate cyber tools that constitute their organization’s cybersecurity program. Yet these organizations, some of which are technology giants with multi-million-dollar security budgets, fall victim to criminal exploits just as small enterprises do. How, then, can organizations maximize the effectiveness of their security programs without spending themselves into financial ruin while chasing the elusive goal of securing their enterprises and data?
This article outlines recommended focus areas that can be used to maximize the effectiveness of your corporate security program. These suggested areas focus on the exploit methods and gaps that criminals are using to breach corporate systems.
Building a corporate culture that embraces security can be a difficult task in many organizations. However, including all employees and vendors as active participants in your security program is one of the most cost-effective methods to raise the overall corporate security posture. Employees who are invested in the mission of the company are more likely to be strong assets in protecting business continuity. Here are some questions to ask about your program:
- Does your program include an active role for users/employees?
- Does each employee have a clear understanding of their role and responsibility in protecting the mission of the organization?
- Each employee’s role must be codified and outlined in detail in your corporate security program plan. Are individual security responsibilities outlined in user agreements or employment agreements?
- Employment agreements are an important element in ensuring employees understand the responsibilities of the organization and those of the individual employee. They form a contract between employee and company and are critical in building the foundation of a company’s security culture.
- Are the consequences of non-compliance outlined? As with any contract, the agreement with employees must contain clear expectations for each party, along with the benefits of compliance and the consequences of non-compliance. Making this a condition of employment enables the company to make retention decisions based on employee suitability and adherence to security procedures. Employees who cannot or will not adhere to protection efforts present an increased risk to business operations.
Employees most often do not inherently know the best protection steps they can adopt at work or at home to stay vigilant against cyber exploitation. One of the best approaches for having employees consistently apply security discipline and adopt a culture of security is to give them skills that can be applied both at work and at home. This is critically important today, as many organizations have vastly expanded their remote workforce. First, as with inclusion above, I recommend taking an honest look at your employee education program by asking the following questions:
- What does your education program look like?
An annual mandatory review of a PowerPoint or video is most likely not getting the response we need in today’s environment. To instill a culture of security, user education needs to be a daily discussion that includes many “SO WHAT?” questions that address the WIFM or “What’s In It for Me” for each employee. Many programs I have reviewed simply focus on the compliance steps such as password length/reset, log-on/off, often failing to address the current threat environment, the mission impact to the organization, and the personal impact on employees and their families. These are key factors in building the foundation of security culture.
- Is your program challenging and interactive?
I have seen programs that would be best described as “Death by PowerPoint”. We need to keep in mind that over 90 percent of cyber exploits involve some action or inaction by employees. These exploits are often categorized as cyber-enabled social engineering, which reinforces the need to focus on employee awareness. If we focus our program on buying cyber tools instead of user education, it is tantamount to spending more on damage control than on prevention. An organization’s highest return on investment comes from the development and implementation of a challenging and interactive security education program that engages employees each and every day.
Bounty Programs – Making It Better:
Many larger application/software development organizations today have some type of bug bounty program. These programs reward, often with cash, individuals who identify exploitable vulnerabilities in their software so that the product can be patched and improved on an ongoing basis. Lately, this model has been adopted by other business sectors, leading to similar vulnerability hunts in the automotive, airline, satellite, and critical infrastructure sectors. This model of rewarding individuals who are skilled enough to see the flaw in the armor can be adopted by almost any industry. These programs are certainly not new; they were formerly limited to employees and called suggestion programs. The challenge today is to build on those suggestion programs, expanding them to reward employees who spot and report process gaps, exploit attempts, and any flaw they consider a threat to the business.
Not all corporate vulnerabilities are IT-based. Many cyber-enabled social engineering exploits take advantage of gaps in corporate processes. These types of exploits have successfully stolen hundreds of millions of dollars from companies over the past few years. Operating a vulnerability bounty program that gives employees the opportunity to improve corporate processes can deliver a significant return on investment and reinforce a culture of shared responsibility for the business mission.
It has been said that no plan survives first contact with the enemy. Mike Tyson is credited with the variation, “everyone has a plan until they get punched in the mouth.” Plans are important, as they document what steps are required in almost any endeavor. However, plans that are never exercised most often fail upon the first attempt at implementation, that “first punch in the mouth”. Certainly, having a business continuity plan is important. But a plan that is never exercised is useless.
Plans that do not involve the entire organization are also ineffective, as many of those responding will not know their individual responsibilities at the time of crisis. Successful companies include the entire employee body in business continuity planning and exercises. This process of inclusion reinforces the security culture and the shared responsibility model. Below are just a few examples of real-world events that require a quick response to ensure mission resiliency or business continuity. If your company and all its employees know precisely what their first, second, and third steps need to be when facing an event, congratulations: your company is in great shape and in a very small minority. These companies may even have drafted and coordinated press releases prepared for when the event does happen. For all others, read on.
- Power outage/recovery from backup
This is probably the most common business-impacting event that will damage business continuity. Power outages in some areas are common, and those companies live through the event, essentially exercising their response on an ongoing basis. Organizations that have never had a mission-impacting power outage may struggle with knowing how to proceed. These companies are best served by an ongoing exercise program that simulates outages. During these exercises, each direct, secondary, and tertiary impact can be mapped to the appropriate action or reaction.
- Ransomware Attack
Ransomware attacks are one of the most mission-impacting exploits currently plaguing a diverse set of business sectors. In the past year, ransomware actors have exploited local/state government, education, fuel distribution, manufacturing, health care, and even law enforcement. If your company has not exercised a mock ransomware attack, I would be concerned. At a minimum, your organization should be performing limited tabletop exercises (TTX) in which events are introduced to company leadership and the required steps, open questions, and gaps are identified. These TTXs can rapidly identify issues such as public affairs, press releases, corporate communication plans, legal considerations, federal reporting requirements, and more. TTXs are a resource-efficient method to document and test an organization’s business continuity plan. Having your entire organization aware of their individual responsibilities when events do happen can be a significant competitive advantage.
Be on guard for the magic-box vendors, single-pane-of-glass claims, artificial intelligence, machine learning, cloud-enabled, zero trust, and a host of other buzzwords you will be bombarded with by eager sales representatives. Know that your organization simply cannot spend enough money to reduce your corporate risk posture to zero. You can literally spend every cent in your corporate coffers and still fall victim to cyber exploits. The recommendation is to close the checkbook for a moment and take a step back to really examine whether your organization is taking full advantage of its whole workforce, its most valuable asset. Many of the strongest and most effective parts of a healthy organization’s security program are the people your company already employs. Harnessing the value of those employees by making them an integral part of your protection posture is the goal. To be good stewards of corporate resources, getting the full value of your best and most effective asset should be first on the priority list, well ahead of purchasing the latest and greatest Swiss Army Knife security tool to bolt onto your other 50 tools.
Contact us to learn more about protecting your organization.