The following article was written by Jonathan Bohrer, CFO at Abacus Group, and originally appeared on Corporate Compliance Insights.
Addressing the human factor of cybersecurity
Most organizations’ security and data protection efforts are seriously lacking – particularly when it comes to the human element. Abacus Group’s Jonathan Bohrer outlines three components of a successful cyber compliance program: education, protection and monitoring.
Hardware, software, networks and protocols for cybersecurity generally perform at a near-optimal level for most enterprises. But what is lacking in holistic security and data protection is thorough education, training and monitoring of management and employees. Almost all phishing and malware breaches are attributed to human interactions on the internet.
With today’s remote workforce and frequent job changes, data transfers between arriving and departing employees pose security challenges that managers need to be better equipped to handle. Statistics show that the percentage of employees who click through on simulated phishing emails in successive phishing campaigns decreases dramatically between the first and second training, and again by the third, demonstrating that proper training is key to eliminating a huge source of cyber risk.
There are three core concepts that drive a successful cyber compliance program in an organization: education, protection and monitoring. This article illustrates the importance of each by relating them to things we experience every day outside of the workplace.
Don’t Play with Fire
As humans, there are certain things that occur in nature that we know to fear instinctively from birth. Children know instinctively to stay away from fire, water, lightning, etc. Young kids who don’t swim yet generally don’t jump into the ocean or a swimming pool. Most young children run for cover when they hear thunder and see lightning.
This instinct does not apply to technology and man-made contrivances. If something blinks, lights up or clicks, small children tend to go to it without hesitation. Any parent can tell you that if you put an iPhone in front of a two-year-old, they will, without hesitation, pounce on it and start swiping and clicking with reckless abandon.
Parents try to educate their children about restraint. Likewise, managers need to teach employees how to behave safely with all the online connections at their disposal in the workplace. This education requires a set of rules to govern behavior and a set of policies driven by best practices.
Moreover, managers need to create an environment that sets employees up for success from a security “toolbox” standpoint. Just like we protect our homes with security systems and smoke alarms, there is a basic “must have” set of cybersecurity tools in our workplace IT environment that should be in place. And active monitoring of the data generated by these tools is critical to a successful compliance program. What good is a home video surveillance system if nobody ever looks at it or the alerts that it generates?
Don’t Push the Big Red Button!
With apologies to the Men in Black, we have to teach our people not to push the big red button. There are tools to do this, ranging from phishing campaigns to general cybersecurity awareness training. While these tools seem like mundane, matter-of-fact corporate “check the box” exercises, they do in fact work. We see this in the results of phishing campaigns where employee click-through rate in an organization declines in subsequent tests over time, sometimes as much as 50 percent!
Arguably, one of the most important parts of a successful program for cyber compliance is creating a culture that emphasizes the importance of good cyber hygiene. This means that employees call each other out (in a friendly and professional way, of course) when they see risky behavior occurring. For example, “Hey pal, you left your screen unlocked again when you went to get coffee – the entire firm can see your trading strategy!”
Employ Industry Standard Tools; Set Firm Protocols and Policies
The list of best practice cyber appliances and related global policy settings across a firm is extremely long. An important note on the policies surrounding cyber tools: people don’t like them, just as they don’t like wearing a seatbelt or searching the house for the smoke alarm that is beeping because its battery is dead, but they do these things because they keep them safe.
The same goes with cyber policy. Certainly the busy and important portfolio manager does not want to have to change his password monthly on all of his devices. But this small inconvenience is all about risk management, and it’s a small price to pay to protect against a much graver financial alternative.
Some key policies to keep updated and enforced include user access management, acceptable use and data classification. For example, does your firm have a password policy, require two-factor authentication and enforce a mobile device management (MDM) policy?
Monitor: Read and Interpret the Data
People are often shocked when they learn about some fraudulent account or unpaid creditor right at the time when they need to apply for a mortgage. Don’t be surprised if you have trouble getting credit if you don’t actively monitor your credit score.
The same logic applies to the data generated by cybersecurity devices – if only this data were published in a neat, readable and interpretable format, like our credit scores! The security systems and appliances in use at most firms today are almost too numerous to list. These tools are primarily used reactively, in response to an inbound threat. If configured properly and paired with the good training and good policies mentioned above, they do a good job of keeping us safe.
There is an incredible amount of value to be gleaned from proactive use of the data available from these cyber protection tools, and it is often overlooked in organizations. The best way to take advantage of this data is to assign someone to take the time to monitor and interpret the data from these devices. This is made easier if you employ a third-party IT services vendor who provides simple and accessible reporting. The vendor should be able to provide file access reports (to ensure least privilege access), software and device inventory reports (so you can easily see which devices have access to your network) and distribution list management reports.
In conclusion, it is important for managers to remember that the powerful cyber protection tools at their disposal are only good if the workforce knows how to protect the organization while online – and avoid pushing that big red button!