“Know your adversary” is an old military maxim, but if CISOs are generals in a war, it’s one they should take to heart.
That’s one of the pieces of advice from experts IT World Canada reached out to during Cyber Security Awareness Month. Here’s a round-up of other tips:
CISOs “have to start thinking like a hacker,” says Torsten George, cyber security evangelist at Centrify, which makes access management solutions.
About two-thirds of organizations suffer breaches of security controls, he pointed out. “The reason is a lot of people throw technology at the problem, but do not do the research to figure out who’s behind these attacks, and what the techniques, tactics and procedures of hackers are. If you know how they attack you, you can put together a defence strategy that really avoids falling victim to these attacks.”
A Centrify study found that privileged account abuse through weak, stolen or otherwise compromised credentials was involved in breaches at 74 per cent of the organizations that suffered a data breach, he says. So protecting those accounts, eliminating shared root accounts and mandating multi-factor authentication go a long way toward lowering risk.
Rather than spend on firewalls or data encryption, invest money in security awareness training, George says. However, he believes too many firms call staff into a meeting once a year, explain how phishing works, tell them to watch for lures and then wish them “good luck.”
Employees have to see for themselves what an attack looks like, he says, which means CISOs have to do regular phishing tests — with consequences for those who regularly fail. “Just teaching (awareness) in a classroom doesn’t help. You have to constantly test if they are applying what they learn.”
Make sure security awareness is embedded deeply in the organization’s culture, says Chris Bush, head of security at ObserveIT.
There has to be a sense that it’s not just the CISO who is expected to talk about cyber risk to employees, but that all leadership has the responsibility for education.
It’s important for management to understand that not all security incidents are malicious, he says. People who are careless or make mistakes with the software tools they’ve been given account for a large number of incidents.
Formal security awareness programs are vital, he says, along with understandable security policies. “We tend as policy and procedure writers to write for lawyers and not for employees,” he added. “So employees skim them and forget what their responsibilities are or things they should be looking for … Make it practical, things they can carry over into their personal lives.”
“People tend to think the issues and risks and adversaries we have today are complex,” he says. “But the majority of things that lead to mishaps are more simple. They tend not to be complex or crafted by nation-states but events that could have been prevented with simple controls or detection mechanisms or by general awareness.”
“Treat employees as humans,” says Frank Fazio, an IT leader who has worked for a Canadian municipality and has an awareness training firm called CySAT. “Explaining things at a personal level helps more than saying, ‘This is the policy.’
“By showing users how to secure their Facebook or Instagram accounts they go home and teach their friends and family, and it comes back to work. People tend to tune out when you say, ‘All employees should be doing this.’ If you can get your audience to understand how they can secure themselves in their personal lives, that will change the way they think and they will bring that to work.”
“It’s more than, ‘Don’t click a link.’ It’s getting employees to understand when they’re being manipulated. Show them what a fake web site looks like, to be wary of a USB key on the ground or a phone call.”
It’s also warning staff that the text and photos they post on social media can help attackers.
And while many experts say organizations need to run regular phishing tests, Fazio says firms should reward those who pass the tests, not just discipline those who fail.
“We need to show employees they are part of the security team,” he says, “that they are the first line of defense.”
Prepare for cyber security threats, says Brett Hansen, vice-president of client software and general manager of data security at Dell.
“Taking the time to create a plan to prepare for a cyber incident will not only better protect your business, but it will help you recover much more quickly should an attack occur. At a minimum, your plan should answer the following questions:
- Where does data live in my system?
- Do I have backup systems in place?
- Where is my data stored?
- If an attack happens, what is my response plan?
“The simple truth is that bad actors are looking for easy targets. If you can make yourself even a little less desirable and a little harder to infiltrate, you’re much less likely to suffer from an attack. Writing down your cybersecurity plan is the best place to start.”
Encrypting your data may be the simplest and most effective way to protect your business, he adds, especially from threats like ransomware. Encryption changes your data into a code so that anyone who wants to read that data will need a key or password. Encryption is a fundamental starting point for protecting your data, making it much more difficult for hackers to access.
Finally, the federal government’s Canadian Cyber Security Centre reminds infosec pros that earlier this year it published the Baseline Cyber Security Controls for Small and Medium Organizations to help small and medium-sized enterprises improve their resiliency.
To further explain these principles, the Cyber Centre has broken down the key elements of this guidance document into a series of short and concise blogs that introduce the baseline cyber security controls and explain some of the key pieces of advice and guidance.
One blog focuses on the importance of providing employees with cybersecurity awareness training. “The Cyber Centre strongly recommends that organizations both large and small invest in cyber security training programs for employees and consider developing a cyber security training policy to ensure that employees are educated about common cyber threats.”