Organizations Should Look for Ways to Involve Employees in Mitigating and Eliminating Threats Before they Happen...
If I have learned anything over two-plus decades in this industry, it’s that you can’t leave security as the sole domain of just a few and expect to be successful. As threats and vulnerabilities continue to evolve, it is incumbent upon organizations to empower all of their employees to take an active role in their own network security. There are still too many who mistakenly view security as a point-in-time activity rather than an ongoing process, leading to a breakdown in the level of vigilance needed to create an effective security culture.
So how do we combat this behavior and get everyone thinking more seriously about security? First, put the data in the hands of everyone. Security shouldn’t be a secret. While I fully understand and expect that certain aspects of protocols and architecture will remain confidential, this doesn’t mean that users shouldn’t be educated on security best practices and instructed on how to recognize and prevent malicious behavior. By doing this, you are encouraging a culture of better oversight and vigilance where all users feel enabled and compelled to act as though they were the security managers.
Next, place the emphasis for better security where it belongs: in the business units and with the front-line managers. Expecting security teams to decipher which data travelling across the network is critical and which is not can be a recipe for disaster. While certain behaviors and patterns can emerge that will alert the security pros that something is amiss, those with intimate knowledge of what data should be exiting the company, and with whom their employees should be communicating, can provide vital protection against the loss of critical data. Better communication between the IT teams and the business managers is a must for companies serious about ramping up their security efforts.
Finally, stop treating security solely as a technology problem. Can technology help? Of course, but relying completely on your security solutions to catch everything is a risky proposition. Let’s use a simple comparison to drive home this point. Would you create an important document and submit it relying only on autocorrect to catch any typos or mistakes? Of course not. During the creation of the document you would take great care in crafting it as close to perfect as possible, using the built-in protections only as a final form of review to catch any remaining mistakes. The same approach should be taken to network security.
Employees should not have the attitude, nor be given the impression, that it is okay to engage in risky online behavior because the company has technology in place to catch any problems. As I alluded to in my last column, The Human Side of Security, employees will always be the weakest link in the security chain. Training them to approach things through the lens of a security manager is the best first step an organization can take to minimize the number of threats the technology and security teams are expected to mitigate.
A 2012 report authored by Booz Allen Hamilton, titled “The Vigilant Enterprise,” discussed how security has become more complex than simply relying upon technology. The report (PDF) states: “Simply building stronger firewalls and other perimeter defenses is insufficient. Cybersecurity’s multi-dimensional challenge requires a comprehensive management approach to enable an enterprise to oversee and coordinate all elements of cybersecurity, including policy, operations, technology, and people.”
Technology, as important as it is, continues to represent only one-quarter of the security puzzle. Organizations that are serious about security are recognizing that it’s the way in which they conduct their operations and how their people act that will ultimately define the success of their security programs.
Essentially, what I’m advocating for is an organizational approach to a cyber-neighborhood watch program. A quick check of the USAonwatch.org site tells us that a neighborhood watch program is a crime prevention program that stresses education and common sense. It teaches citizens (or in our case, Internet users) how to help themselves by identifying and reporting suspicious activity in their neighborhoods (networks). In addition, it provides citizens/users with the opportunity to make their neighborhoods/networks safer and improve the quality of life. Neighborhood watch groups typically focus on observation and awareness as a means of preventing crime. And just as police advise actual watch groups: don’t take matters into your own hands; call the police if you see something suspicious. I would say, be vigilant, and call in the security professionals when you notice something that isn’t quite right. But when everyone is aware, that job becomes that much easier.
I would encourage all organizations to rethink their approach to security. Rather than focusing on employees as the problem and IT as the solution, look for ways to involve your users in mitigating and eliminating threats before they happen. A measure of education and a bit of empowerment amongst the user base can go a long way in unlocking the security manager in all of them.