A client of mine recently discovered that a competitor had breached the client’s network. For an extended period, outsiders were freely accessing the client’s proprietary sales information.
It came as quite a shock. Members of the client organization thought they had done everything right by investing time, money, and thought into perimeter security, tools, and processes. Unfortunately, they neglected the “people” aspect of security. By that, I mean social engineering, which is the trick hackers use to crack into networks by manipulating naiveté and the natural human impulse to be trusting. It is one of the most commonly used network-infiltration tactics.
It seems most likely that someone inside the organization facilitated the competitor’s access in a way that was difficult to detect, let alone prove. Afterward, my client closed the gap in its processes and dealt with some of its people issues, but it learned the key lesson the hard way. When it comes to security, you can never be too prepared.
We tend to view security through the lens of technology and process, but in so doing, we too easily overlook the pivotal role of the human factor in the security value chain. What are the best ways to head off that problem?
- Awareness. Awareness is the number one defensive measure. Make sure your employees understand the social engineering threat. It is also important that you stay up-to-date on evolving social engineering techniques and trends. Perpetrators constantly reinvent themselves.
- Engage the whole business. Security is not only the job of your IT staff. Your security-awareness campaign should not fail to include your executives. These self-professed “luddites” may be your greatest danger and vulnerability.
- Follow a disciplined strategy. If you don’t have a strategy, find one. I have my clients start with the four steps to cyber security, as outlined in Deloitte’s 2014 handbook, Cyber Security: Empowering the CIO, which directs them to follow a more disciplined and structured approach.
At a high level, the four steps the handbook outlines include:
- Being prepared. This is the strategy of achieving “security through vigilance and resilience.” It involves establishing a process of monitoring, planning and testing, response, and insurance.
- Setting the bar. This is the strategy of achieving “security capability by design.” It involves establishing a risk-based and business-aligned security strategy, identifying and protecting valuable assets, and aligning architecture to ensure that a security strategy can be achieved.
- Getting the basics right. This is the “security by control” step. It includes setting access protocols, conducting regular patching, managing vulnerable files, securing essential systems, and conducting regular testing and root cause analysis.
- Establishing personal protection. Deloitte describes this as “security through behavior”: cultivating continued security awareness, leading from the top, and making clear the consequences of bad behavior. It also encourages the adoption of security practices at home.
Deloitte’s handbook is based on the premise that executives and board members must have “skin in the game” as it relates to cyber security. Corporate officers are every bit as responsible to stakeholders as the chief information officer.
A final thought: I’d invite you to mull over one additional element of the human factor as it relates to data and network security. A bad management style can create a disgruntled employee; that person might quickly be transformed from a loyal worker into a data-security threat. Likewise, an underpaid, underappreciated staffer might give in to temptation and hand over data in a bid to curry favor with your higher-paying competitor. My point is that by being a good leader and people manager, by being good to your people, you are contributing a not insignificant element to a holistic data and network security strategy.