As this is the start of Cyber Security Awareness Month, I think it’s appropriate for us to think about the security characteristics of the heart of our organizations: our people.
Over the last several years an increase in data breaches has forced many organizations to take a hard look at their overall security strategy and investments. Part of the challenge is deciding where to direct those investments. For example, traditional anti-virus software, while still important, is clearly inadequate on its own at preventing sophisticated malware from extracting sensitive information from your organization. There is also the notion that the perimeter no longer exists, as organizations take advantage of cloud computing services in order to reduce cost and, more importantly, accelerate their business. Lastly, I often hear the comment “It’s not a matter of IF you’re breached but WHEN”, meaning that organizations should prepare for the inevitable breach by having a solid incident response plan and the ability to run the necessary forensics after an event has occurred.
While sophisticated technology can help us raise the bar in terms of security posture, there is a lot of low-hanging fruit we can pursue in parallel. One approach that comes to mind is to create company-sponsored simulations of the organization under attack, a fire drill if you will. This brings me back to the 1992 Robert Redford movie Sneakers, in which his team is hired to test the physical security of an organization.

One of the key differences I see between traditional penetration testing and simulating an attack is that pen testing typically produces a static report with the intent of plugging any holes discovered. A simulated attack exercises the existing security measures and the incident response plan together, and shows how effective each actually is. Another key benefit is that this approach educates users and encourages more appropriate behavior. If data is stolen in a simulation because an end user, or even an administrator, falls prey to malware (an email attachment or a website link) or to social engineering, there is a great opportunity to educate by example. No one wants to be known as the person responsible for losing valuable corporate information, and these simulations can significantly reduce risky behavior without the organization paying the price of a real breach along the way.
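What a simulation yields that a static pen-test report does not is data about people and process: who opened the lure, who clicked, who handed over credentials, who reported it, and how long the security team was in the dark. The following is an added example, not code from the original post, that scores one simulated phishing campaign from a constructed event log. The event format, the event names (sent, opened, clicked, submitted, reported) and the metrics are all assumptions chosen to illustrate the idea.

```python
"""Score a simulated phishing exercise from its event log.

Added example, not from the original post. The log format, event names
and metrics below are assumptions; real phishing-simulation tools
export their own schemas.
"""
from collections import defaultdict
from datetime import datetime

# Constructed event log for one campaign (not real data).
# Fields: ISO timestamp, user, event.
#   sent      - lure delivered to the user
#   opened    - user opened the mail
#   clicked   - user followed the link
#   submitted - user entered credentials on the decoy page
#   reported  - user forwarded the mail to the security team
SAMPLE_EVENTS = """\
2015-10-01T09:00:00 alice sent
2015-10-01T09:00:00 bob sent
2015-10-01T09:00:00 carol sent
2015-10-01T09:00:00 dave sent
2015-10-01T09:04:10 bob opened
2015-10-01T09:04:35 bob clicked
2015-10-01T09:05:02 bob submitted
2015-10-01T09:06:00 alice opened
2015-10-01T09:06:20 alice reported
2015-10-01T09:15:00 carol opened
2015-10-01T09:15:30 carol clicked
2015-10-01T09:40:00 dave opened
2015-10-01T09:41:00 dave reported
"""

FUNNEL = ("sent", "opened", "clicked", "submitted", "reported")


def parse_events(text):
    """Parse 'timestamp user event' lines into sorted (datetime, user, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        if event not in FUNNEL:
            raise ValueError(f"unknown event type: {event}")
        events.append((datetime.fromisoformat(ts), user, event))
    events.sort()
    return events


def score_campaign(events):
    """Return funnel counts, rates, detection latency and follow-up lists."""
    per_user = defaultdict(set)   # user -> set of events seen for that user
    first_seen = {}               # event -> earliest timestamp of that event
    for ts, user, event in events:
        per_user[user].add(event)
        first_seen.setdefault(event, ts)

    targeted = sorted(u for u, ev in per_user.items() if "sent" in ev)
    n = len(targeted)
    counts = {e: sum(1 for u in targeted if e in per_user[u]) for e in FUNNEL}
    rates = {e: (counts[e] / n if n else 0.0) for e in FUNNEL}

    # Detection latency: how long the campaign ran before anyone told the
    # security team. This is the number the incident response plan is judged on.
    latency = None
    if "reported" in first_seen:
        latency = first_seen["reported"] - first_seen["sent"]

    # Who to "educate by example", and who needs a credential reset because
    # a real attacker would now hold their password.
    needs_training = sorted(u for u in targeted
                            if per_user[u] & {"clicked", "submitted"})
    needs_reset = sorted(u for u in targeted if "submitted" in per_user[u])

    return {
        "targeted": n,
        "counts": counts,
        "rates": rates,
        "time_to_first_report": latency,
        "needs_training": needs_training,
        "needs_reset": needs_reset,
    }


if __name__ == "__main__":
    result = score_campaign(parse_events(SAMPLE_EVENTS))
    for stage in FUNNEL:
        print(f"{stage:>9}: {result['counts'][stage]:3d} ({result['rates'][stage]:.0%})")
    print("time to first report:", result["time_to_first_report"])
    print("needs training:", ", ".join(result["needs_training"]))
    print("needs credential reset:", ", ".join(result["needs_reset"]))
```

The report rate and the time to first report are the two numbers worth tracking across repeated drills: a falling click rate shows the education is working, while a shrinking time to first report shows the incident response plan is actually being triggered by the people who see the attack first.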
It’s no surprise that most compliance standards and security regulations require security education as part of the solution. We as security professionals need to accept that our people are our area of highest risk, and enlist them in the cause of protecting their organizations and their livelihood.
