As you may have read, there is growing acceptance that technology alone cannot address the myriad cyber threats that confront organizations.
This realization is driven by the growth of several complementary issues: the number and scope of cyber attacks, the widening range of victims, the use of social engineering and the empowered role of the insider.
Organizations having the greatest success in preventing attacks (and enduring those that do occur) are employing a holistic approach to cyber defense. A holistic approach incorporates technical, human and physical factors that are relevant to the detection, prevention, and correction of cybersecurity vulnerabilities.
There are very good reasons for expanding your cyber defense beyond technology. First, every cyber attack was planned and executed by a person. Second, most attacks target a person for access. Finally, while there are technological fixes for single problems, none exists for all problems.
Central to this issue is the age-old balance of security and efficiency. To make good use of the efficiency and convenience that computers and the Internet offer, we open up access to our organization and ourselves. This greater sharing of access means that we’re forced to rely upon humans to exercise good judgment. As we know, judgment is one of those things that technology can help with, but cannot be solely responsible for.
So, even though we may wish to apply purely technical solutions to what we generally view as technical problems (computers), a growing body of case studies is demonstrating that even the best technological solutions can be rendered ineffective by improper human action. The good news is that proper human behavior enhances the capability of these same technological defenses.
The question then becomes what to do to harden your technology, your personnel and your physical defenses so that they work together. The cliché "the whole is greater than the sum of the parts" truly applies in cybersecurity. To be successful in combating cyber threats, an organization needs a holistic cyber-defense strategy that incorporates all three domains and is integrated into its broader risk management process.
The Holistic Approach to Vulnerability Assessment
Let’s begin with the cybersecurity assessment, which identifies an organization’s vulnerabilities, determines its overall cyber resiliency, and creates a security baseline to measure against.
While most assessments focus solely on technical aspects through penetration testing or checklists, the human and physical factors are arguably just as important. By viewing the organization as an association of people and processes within a physical domain rather than just a series of devices on a network, you gain a far more accurate perspective of an organization’s defensive capability and resiliency. With that information in hand, you’re better positioned to create viable solutions.
To do this, you need to assess the strengths and weaknesses of an organization’s security culture by analyzing its leadership, HR policies and practices, IT governance, physical defenses and the cybersecurity awareness and accountability of its staff, its partners and contractors.
At the end of the day, a positive security culture can be the single most valuable defense against advanced persistent cyber threats.
Identifying Sensitive Information
The logical first step of the assessment process is to identify the critical assets whose theft, alteration or loss of availability would harm the organization.
While intellectual property, trade secrets, marketing plans and the private data of clients and employees are obviously sensitive, there are many other pieces of aggregate data that are valuable to outsiders for their own use or for sale to others. Since it is far easier to protect a few things than everything an organization holds, the key is defining what is truly worth protecting.
It is worth taking time to get this right, as it will impact almost every decision made in your cyber defense strategy.
Access is Broader Than You Think
Once you have accurately identified your sensitive information, you need to determine who within and outside the organization has access to it. Most organizations are surprised to find this to be broader than they imagined. Access held by partners, vendors and contractors is often overlooked in the rush to streamline business processes.
Access is also the area where the physical domain intersects most visibly with cybersecurity. If an attacker can steal or alter your data through physical means alone, the damage is the same as if it had been accessed over the network. This is particularly true if an attacker wants to deny you access to your data, which can be done by damaging or destroying servers and network infrastructure. Thus, physical access must be assessed, evaluated and hardened just as technical and human access are.
The Need for Cybersecurity Governance
The first step in hardening your defenses is creating and disseminating concise ground rules and accountability. People need to know what they should and shouldn't be doing and what the ramifications are for negligence or malicious action. Cybersecurity governance is the best way to do this. Governance is a critical element of cybersecurity awareness, and is the defensive building block upon which all other security measures rest.
As more cyber breaches result from a user’s inadvertent action than any other single cause, the value of clear and concise policies and procedures cannot be overstated. Many organizations overlook this critical step, either being too focused on the business at hand or believing that their people inherently know the right thing to do, and will act accordingly. These are almost always inaccurate assumptions that lead to disaster.
Employee Cybersecurity Awareness
As noted above, there is growing acknowledgement within the cybersecurity community that humans are the "Achilles heel" of most network security programs, and that security safeguards are often undermined by human activity. The best way to mitigate this risk is through cybersecurity training that creates awareness and hardens personnel against attack.
Specifically, employees need to know the tactics and techniques used by attackers, why they could be targets themselves, and how to protect against data collection and attacks. Without this, employees are at risk of manipulation and exploitation through spear-phishing or social engineering efforts aimed at stealing network credentials.
Threats from Inside
One of the first things to understand about the insider threat is that it can be someone acting intentionally or unintentionally. While we normally think of an insider as someone who intends to harm an organization, the overwhelming majority of insiders are those who unwittingly provide access to attackers.
That said, the greatest potential for damage from a breach comes from a true insider who is wittingly working to harm the organization. Their ability to access the most sensitive information, to do so over long periods of time, and to cover their tracks can result in devastating damage.
Again, cybersecurity awareness and a positive cybersecurity culture are the best ways to address the insider threat. Beyond that, anomalous, suspicious or concerning behavior can be monitored and analyzed, along with online activity, downloaded or transferred files, and badge records. The goal is to identify "red flag" warning signs and intervene early, before a disgruntled or problematic employee becomes an insider. While broad monitoring is resource intensive, the analysis can be streamlined considerably by already knowing your most sensitive information and who has access to it: only events that touch those assets need an analyst's attention, and an access by someone not on the authorized list, or by an authorized user at a time or place that does not fit their normal pattern, stands out immediately.
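The following is an added example, not code from the original article, showing how the sensitive-asset inventory and access list from the assessment narrow insider-threat analysis. It runs over constructed file-transfer and badge-reader records (the users, paths, byte counts and timestamps are made up), and assumes three things: a small inventory mapping sensitive locations to their authorized users, a bulk-transfer threshold of 100 MB, and that every file event originates from an on-site workstation, so activity by a user whose badge record shows them off-site is anomalous.

```python
"""Insider-threat triage over constructed logs (added example, not from the article)."""
from datetime import datetime

# Assumption: the assessment produced an inventory of sensitive locations and,
# for each, the set of users who are authorized to touch it.
SENSITIVE_ASSETS = {
    "/srv/rnd/designs/": {"alice", "bob"},
    "/srv/hr/payroll/": {"carol"},
}
BULK_BYTES = 100_000_000  # assumed threshold: more than 100 MB in one event is "bulk"

# Constructed file-transfer log: ts,user,path,bytes
FILE_EVENTS = """\
2024-03-04T09:12:00,alice,/srv/rnd/designs/turbine.cad,2400000
2024-03-04T22:40:00,bob,/srv/rnd/designs/archive.zip,900000000
2024-03-04T10:05:00,dave,/srv/hr/payroll/march.xlsx,150000
2024-03-04T11:30:00,alice,/srv/public/newsletter.pdf,50000
"""

# Constructed badge-reader log: ts,user,event (in/out)
BADGE_EVENTS = """\
2024-03-04T08:30:00,alice,in
2024-03-04T17:10:00,alice,out
2024-03-04T08:45:00,bob,in
2024-03-04T18:00:00,bob,out
2024-03-04T09:00:00,dave,in
"""


def parse_csv(text, fields):
    """Parse simple comma-separated log lines into dicts; 'ts' becomes a datetime."""
    rows = []
    for line in text.strip().splitlines():
        row = dict(zip(fields, line.split(",")))
        row["ts"] = datetime.fromisoformat(row["ts"])
        rows.append(row)
    return rows


def sensitive_asset(path):
    """Return the inventory prefix the path falls under, or None if it is not sensitive."""
    for prefix in SENSITIVE_ASSETS:
        if path.startswith(prefix):
            return prefix
    return None


def badged_in(badge_rows, user, ts):
    """True if the user's most recent badge event at or before ts was an 'in'."""
    state = "out"  # assumption: nobody is on-site until their first badge-in
    for row in sorted(badge_rows, key=lambda r: r["ts"]):
        if row["user"] == user and row["ts"] <= ts:
            state = row["event"]
    return state == "in"


def detect(file_text=FILE_EVENTS, badge_text=BADGE_EVENTS):
    """Return (rule, user, path) alerts for file events that touch sensitive assets."""
    files = parse_csv(file_text, ["ts", "user", "path", "bytes"])
    badges = parse_csv(badge_text, ["ts", "user", "event"])
    alerts = []
    for ev in files:
        asset = sensitive_asset(ev["path"])
        if asset is None:
            continue  # not in the inventory: skip, this is where the analyst time is saved
        user, path = ev["user"], ev["path"]
        if user not in SENSITIVE_ASSETS[asset]:
            alerts.append(("unauthorized_access", user, path))
            continue
        # Authorized user: look for volume and physical-presence anomalies.
        if int(ev["bytes"]) > BULK_BYTES:
            alerts.append(("bulk_transfer", user, path))
        if not badged_in(badges, user, ev["ts"]):
            alerts.append(("activity_while_badged_out", user, path))
    return alerts


if __name__ == "__main__":
    for rule, user, path in detect():
        print(f"{rule:26} {user:8} {path}")
```

In the constructed data, alice's normal daytime access to a design file produces nothing, dave's read of a payroll spreadsheet is flagged because he is not on that asset's access list, and bob's 900 MB pull from the design share at 22:40, after his badge-out at 18:00, produces both a bulk-transfer and a badged-out alert. Whether any of these warrants intervention is a judgment for the HR, IT and legal staff the next paragraph describes; the point is that a short inventory turns four log lines into two that need a human.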
Of course, central to the insider threat issue is the balance between security and employee privacy. While it is generally understood that there is no expectation of privacy when using an organization’s network and devices, employee monitoring is an area that many organizations shy away from. This is an area where senior leadership support is critical, and the input from the IT, HR, and General Counsel staffs invaluable.
Cyber Incident Response
The accepted mantra in today’s highly connected cyber world is “not if, but when” you will experience a cyber breach. The question then remains – how will you prepare?
The best way is to recognize the impact, own the risk, educate shareholders and partners about the risk, have a validated incident response plan, and execute that plan immediately.
Crisis management, business continuity, and disaster recovery planning all work together to reduce the damage of an attack. Testing these plans through structured walk-throughs and tabletop and live exercises gives you the best chance of limiting damage from a breach.
The Value of Positive Security Culture
To conclude, a strong organizational culture and high morale help create a positive security culture.
A common sense of pride, belonging, teamwork, collaboration and loyalty supported by a strong cybersecurity education program creates an incredibly powerful security measure. Accordingly, organizational culture both creates and reinforces a security culture.
The interrelationship and interdependence of organizational and security cultures, of people and devices, and devices and physical defenses underlines the need for a holistic approach to cybersecurity.