Cybersecurity: Create culture of security and trust among people


Watch out for cyber threats in 2015-2016. Many research companies have published a lot of information on cyber threats, cyber attacks, and cybercrime. The top cyber threats that have dominated the news for the past couple of years are identity theft, retail data hacks, healthcare data hacks, phishing and social engineering attacks, mobile and smartphone security threats, and attacks on financial institutions.

US and UK research shows that the behavior of employees presents one of the biggest risks to organizations. BYOD solutions, the growth of social media, remote working and the mind-set of younger employees who don’t value traditional controls all combine to create new threats to an organization’s cyber defense.

Recently the US House identified insiders as the number one threat. "Insider" means all employees, short-term and long-term contractors, and vendors who have access to some of the organization's resources. A number of government and private case studies have shown that insiders who knowingly participate in cyberattacks have motivations such as revenge, a desire for power and recognition, financial gain, loyalty to others in the organization, and political beliefs. Collaboration between organized crime or activist groups and insiders has become common.

Consider the attack on the South Carolina Department of Revenue, where almost 4 million unencrypted bank accounts and tax returns were stolen by a Russian gang. Forensics established a link to an employee who facilitated the attack by opening a link in an email, enabling the hackers to steal the employee’s credentials and access the state’s data.

We understand that technical defenses are very important for protecting an organization’s perimeter. But these defenses will have limited effect if they are undermined by employees who do not follow the security policies, either because the policies are inconvenient or because they don’t understand why the policies are necessary.

“People”, therefore, become the essential component of a strong and effective cyber defense. Cyber security strategies must focus on the human aspects, developing a positive security culture based on trust rather than surveillance.

  • Cyber security is a shared responsibility of each and every employee of the organization. The organization should stress the responsibility of the individual as well as the whole team for protecting critical data, and make no exception for leaders. Leaders must act as role models by adopting a positive way of working, such that, in response to a security breach, they acknowledge what happened openly and treat it as an opportunity to learn rather than firing employees or instilling fear in their minds.
  • Encourage employees to view security as something that enables the organization to deliver on its promise to customers and achieve its vision.
  • Social media and home-based work are now normal behavior. Make it easy for employees to do the right thing. Investing resources and effort in employees and culture can significantly improve security and reduce the likelihood of a successful cyberattack.

Organizations can reduce their exposure to employee risk by addressing the ‘human aspects of the organization’ and building a security culture that focuses on building and maintaining trust. There are several ways to build that trust within the organization:

  • Create an open, ethical and proportionate approach to cyber security
    Employees must first accept that there is a credible threat and have a clear understanding of why these measures are essential. It also means putting proportionate checks and balances in place, focusing effort where it matters most, and being prepared to challenge controls that are unnecessary and/or redundant.
  • Tie the culture to shared values and beliefs
    A culture built on values, centered on integrity, security and trust, develops commitment and challenges a ‘culture of blame’. People need social reinforcement from the norms of behavior around them rather than just a poster in the hallway or lobby.
  • Power of the majority
    People tend to follow social norms; they want to like and trust each other. These traits can be used as a strong lever to help reinforce the right behavior. Giving the organization a deeper understanding of failures, how they were detected and their implications acts as a strong deterrent. Increasing the controls is not necessarily the right thing to do; getting behaviors right is also effective.

Top data security breaches in 2015-2016

  • Anthem: In February 2015, health care provider Anthem acknowledged that it had been hacked by then-unknown attackers, who accessed 80 million records
  • Ashley Madison: A group called Impact Team stole the site’s user database in July; the hackers released everything, including personal information such as email and physical addresses for 37 million users
  • An unknown group infiltrated hundreds of banks in multiple countries, stealing somewhere around $1 billion
  • Nearly 15 million T-Mobile customers had their information stolen after credit-checking company Experian was hacked
  • The US government agency Office of Personnel Management was breached, exposing about 22 million records
  • There are many more to be noted, such as Target (70 million), Home Depot (56 million), MySpace (16 million) and LinkedIn (117 million)
