It’s essential to learn from recent mega-attacks how to improve our security and mitigate cyber risk. Key to this is an understanding by each and every individual and employee that they play a part. The now-tired expression “security is not just IT” has never been more relevant with the increasing use of ransomware, business email compromise, and social engineering. You don’t need to be a cyber expert to practice responsible behaviors, and ignoring threats or thinking that it’s someone else’s job to prevent them creates vulnerabilities that could otherwise have been avoided.
The underlying theme in several of the headline-grabbing breaches this year is that they could have been stopped with relatively simple methods. For example, the WannaCry attack and the Equifax breach both exploited vulnerabilities that would not have existed had proper patching taken place. While this may seem like an IT department failure, it may actually be indicative of a lack of organizational cybersecurity culture, which should be promoted at all levels, proactively managed, and funded.
Week two of National Cyber Security Awareness Month (NCSAM) promotes the concept that cybersecurity in the workplace is everyone’s business – and stopping threats requires a unified approach. Secure Halo is an NCSAM Champion, and as such, we have provided four ways to mitigate cyber risk to help combat the most common threats.
- Understand the role of HR, finance, and legal in cyber
Cyber risk needs to be addressed in a cross-functional manner that goes beyond just the IT department. Otherwise, organizations can put themselves in dangerous situations. For example, if one department unilaterally signs an agreement with a third party – like a cloud provider – without input from both the IT and legal teams, it is willingly accepting the risks and vulnerabilities that the third party carries. Neglecting to collaborate with other departments and review the cybersecurity practices of a vendor or the legal language of the contract can be the difference between being a headline tomorrow and avoiding those threats entirely.
A collaborative approach to security that spans several domains is necessary because of the many ways adversaries can gain access to systems, such as sophisticated fraudulent emails that mimic payment instructions from a chief financial officer or that encourage undiscerning employees to click links. The basic cybersecurity plan of any organization should be to anticipate enterprise threats by assessing its unique threat profile and developing appropriate training and responses. For this plan to succeed, however, it must be integrated across the enterprise and not kept in a silo. We recommend creating a cybersecurity steering committee or working group that includes representatives from each department.
- Create an incident response team
Waiting until after a breach has occurred to determine a course of action is a waste of time and money. Bouncing back as quickly as possible is crucial both to limiting business interruption and to maintaining customer loyalty, hence the need to prepare in advance. At a minimum, here are four things that an incident response (IR) plan should include:
- Define the organizational structure of your IR team. You need to figure out which members are part of the team and what exactly is expected of them. Also decide which parties will need to be alerted during an incident, and specifically under what circumstances they need to be contacted.
- Determine what is considered an incident – and what isn’t. In other words, figure out what standards must be met to advance something from an event (which can be routinely handled) to an incident. Also consider the type of attack when determining next steps – is your response altered for a DDoS attack versus an insider leaking information or a connected third party who has been breached? Definitions vary from organization to organization, so prepare in advance and decide what works for you specifically.
- Follow an IR framework. Clarify what organizational steps need to take place during every stage of your response to the incident. For example, step one is to log events into a ticketing system, after which a specific member of the team evaluates each one. If the event is deemed an incident, the IR team is activated and predetermined business officers are notified, and so on.
- Create a documentation methodology and repository for every incident. This will help you learn what worked successfully and what did not. The repository should include after-action reports (AAR) and root cause analyses that are produced once an incident is closed.
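The four IR plan steps above can be exercised as a small triage workflow: events are logged into a ticket queue, evaluated against written escalation criteria that depend on the type of attack, turned into an incident with its own notification list and playbook when the criteria are met, and closed only with an after-action report in the repository. The example below is an added illustration written for this post, not Secure Halo’s code or tooling; the rule table, the role names in the notification roster, the log line format and the sample log lines are all constructed assumptions for the demonstration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed escalation rules (step 2): how many events of one kind from one
# source within a window turn an "event" into an "incident", who must be
# told (step 1) and which playbook applies (step 3). Roles are hypothetical.
RULES = {
    "failed_login": {"threshold": 5, "window": timedelta(minutes=10),
                     "notify": ["security_lead", "hr"], "playbook": "credential_abuse"},
    "ddos": {"threshold": 1, "window": timedelta(minutes=1),
             "notify": ["security_lead", "network_ops", "ciso"], "playbook": "ddos"},
    "vendor_breach": {"threshold": 1, "window": timedelta(minutes=1),
                      "notify": ["ciso", "legal", "procurement"], "playbook": "third_party"},
}

# Assumed log format: "<ISO timestamp> <kind> src=<source> [free-text detail]"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>\w+) src=(?P<src>\S+)(?: (?P<detail>.*))?$")


@dataclass
class Ticket:
    ticket_id: int
    ts: datetime
    kind: str
    source: str
    detail: str
    status: str = "event"       # "event" -> "incident"


@dataclass
class Incident:
    incident_id: int
    kind: str
    source: str
    playbook: str
    notify: list
    ticket_ids: list
    status: str = "open"
    aar: str = ""               # after-action report, written at closure (step 4)


class Triage:
    def __init__(self):
        self.tickets = []
        self.incidents = []
        self.repository = []    # closed incidents with their AAR

    def log_event(self, line):
        """Step 1: every parseable event is logged into the ticketing system."""
        m = LOG_RE.match(line)
        if not m:
            return None         # unparseable lines are rejected, never silently escalated
        t = Ticket(len(self.tickets) + 1, datetime.fromisoformat(m["ts"]),
                   m["kind"], m["src"], m["detail"] or "")
        self.tickets.append(t)
        return t

    def evaluate(self, ticket):
        """Steps 2 and 3: does this ticket, with recent related tickets, meet the incident criteria?"""
        rule = RULES.get(ticket.kind)
        if rule is None:
            return None         # unknown kind: remains a routinely handled event
        related = [t for t in self.tickets
                   if t.kind == ticket.kind and t.source == ticket.source
                   and t.status == "event"
                   and ticket.ts - rule["window"] <= t.ts <= ticket.ts]
        if len(related) < rule["threshold"]:
            return None
        for t in related:
            t.status = "incident"
        inc = Incident(len(self.incidents) + 1, ticket.kind, ticket.source,
                       rule["playbook"], list(rule["notify"]), [t.ticket_id for t in related])
        self.incidents.append(inc)
        return inc

    def close_incident(self, incident_id, aar):
        """Step 4: closure requires an AAR, and the record lands in the repository."""
        inc = self.incidents[incident_id - 1]
        inc.status = "closed"
        inc.aar = aar
        self.repository.append(inc)
        return inc


def run(lines):
    """Feed log lines through logging and evaluation; returns the Triage state."""
    tri = Triage()
    for line in lines:
        t = tri.log_event(line)
        if t is not None:
            tri.evaluate(t)
    return tri


# Constructed sample log lines for the demonstration (not real data).
SAMPLE_LOG = [
    "2017-10-09T08:00:00 failed_login src=10.0.0.5 user=jdoe",
    "2017-10-09T08:01:00 failed_login src=10.0.0.5 user=jdoe",
    "2017-10-09T08:01:30 failed_login src=10.0.0.7 user=asmith",
    "2017-10-09T08:02:00 failed_login src=10.0.0.5 user=jdoe",
    "2017-10-09T08:03:00 failed_login src=10.0.0.5 user=jdoe",
    "2017-10-09T08:04:00 failed_login src=10.0.0.5 user=jdoe",
    "2017-10-09T08:05:00 ddos src=edge-fw1 pps=2000000",
    "garbage line that does not parse",
    "2017-10-09T09:30:00 failed_login src=10.0.0.7 user=asmith",
]

if __name__ == "__main__":
    tri = run(SAMPLE_LOG)
    for inc in tri.incidents:
        print(f"incident {inc.incident_id}: {inc.kind} from {inc.source} "
              f"-> playbook {inc.playbook}, notify {inc.notify}")
    print(f"{sum(t.status == 'event' for t in tri.tickets)} tickets remain routine events")
```

Running it escalates the five failed logins from one source into one incident with the credential-abuse playbook and a single DDoS event into another, while the scattered failed logins from the second source stay routine events because they never meet the threshold inside the window. The point of the thresholds living in one table is that the event-versus-incident definition the plan calls for is written down once and applied the same way for every ticket.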
- Encourage employees to flag potential cyber incidents
In an ideal world, employees would report all anomalies, like social engineering attempts or insider threat red flags, but we shouldn’t assume that everything will be reported. Notification from employees shouldn’t be expected to replace systems that detect, monitor, and mitigate threats, like firewalls, intrusion detection systems, well-designed networks, secure ports, logs of device access to the network, and rule-based log analysis.
However, relying on these systems doesn’t mean employee reporting should be ignored or that it’s only one person or department’s job. If you identify a threat indicator, you can’t sit back and think that a colleague will also see it and report it, or that it isn’t your responsibility to do so. Effective cybersecurity requires a team effort, so ensure that you are doing your part to keep your organization safe.
- Frequently test your systems
It’s not enough to put processes in place and think that you are protected. You need to test your systems to ensure they are doing what they should be. When you do test, make sure to include stakeholders from multiple departments like security, IT, and human resources at a minimum. Consider also including social engineering in the test, both the classic type (e.g. asking someone to hold the door and following them inside a secure space) and the digital version (e.g. phishing emails).
While testing is important, it’s not sufficient to simply perform a test and read a report. Instead, conduct an AAR in which you discuss what went right and went wrong during testing, as well as how to correct any mistakes moving forward. This will help improve your systems and bolster your organization’s security.
The business reasons for addressing cybersecurity in the workplace are obvious. How to get all employees proactively involved is a challenge many organizations are just starting to tackle.