In our line of work, we see many institutions’ environments, cultures, and positions on the journey of their information security programs. One of the most common pitfalls is the belief that a single person, working in a silo that touches nothing else, can check a magic box that makes everything compliant. That single act would then ward off any bad events from happening, kind of like voodoo magic. I would like to state plainly that this strategy is not effective.
Why? Well, because information security is a team sport. Bear with me while I explain. We need information to take care of customers, and we must use that information to provide value for them. Our customers want things to be fast, efficient, and correct, which requires multiple people and systems to touch that information. However, the same customer information, and the same systems we use to produce value for the customer, can also produce value for criminals. For a more in-depth conversation on the value of information and hacked computers to criminals, Krebs on Security has a couple of great articles: https://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/ and https://krebsonsecurity.com/2013/06/the-value-of-a-hacked-email-account/.
To get to the systems, the criminals need access. What’s in the way? The users. The actions they take, or don’t take, make all the difference. Here are five more reasons information security is a team sport:
- There is a large and skilled opposing team: The opposing team is worldwide; criminal networks have been traced to Russia, China, Ukraine, North Korea, and even our own back yards. They use the same inexpensive and powerful resources we do, such as software as a service and cloud computing. Yes, there are still ‘script kiddies’ using lone computers in a basement somewhere, but there are also far more sophisticated threats out there.
- Culture eats strategy for breakfast: This quote, commonly attributed to Peter Drucker, speaks volumes about where the focus should be in achieving any goal. The Alternative Board explains it very well: “Culture isn't about comfy chairs and happy hours at the office. Rather, it's more about the ways your employees act in critical situations, how they manage pressure and respond to various challenges, and how they treat partners and customers, and each other.” When the decision comes down to protecting customer information versus convenience, how management responds and the example it sets will overrule any pricey network tool any day of the week. In fact, I’ve seen management decide that those tools be configured for convenience, making them ineffective despite all the cost to acquire and set them up.
- We are only as strong as our weakest link: Great example: according to Wikipedia, the first known phishing attack against a bank was reported in 2003. So why are we still training people about it 18 years later? Because it works. By clicking on that link or attachment, users exercise their own access within the system to do things that let the criminals in, albeit unknowingly. Each year for about the past 15 years, I’ve read studies on the causes of security breaches. Every year, clicking on a phishing email continues to be the most common cause of data breaches. There is not one Information Security Officer who can catch a bad click of the mouse in time to stop it.
- Clear communication is key: Changing behavior is difficult. Clear communication on what is being asked and on the consequences of those actions, especially when it is a change from the norms of the past, is key. This seems simple but isn’t in practice; ask any parent. Add to that something as complex as information technology. In these situations, communication and reinforcement of the rules are both required to truly change behavior. Many times, these two seemingly simple techniques fall short, user behavior doesn’t change, and the result is a security incident. Often we see ISOs communicating clearly, but with no follow-through on consequences from management, and that does not change behavior.
- Practice makes perfect: Given the change in user behavior required to protect information, learning to identify the tricks criminals use and to understand the consequences takes time and practice. The less practice, the longer it takes to develop skills. The less skill we have, the less we achieve. So use simulated phishing emails, 5-minute training videos, and penetration tests as often as possible. It’s time that can really pay off in the end.
If you need help developing an information security culture or training your users, we would love to help you. Contact support@bedelsecurity.com.
Additional Resources:
The Virtual CISO Whitepaper
https://www.bedelsecurity.com/the-virtual-ciso-whitepaper
Independent Collaboration Part 1: A Concept for Outsourcing IT in Financial Institutions
https://www.bedelsecurity.com/blog/independent-collaboration-part-1-a-concept-for-outsourcing-it-in-financial-institutions
Independent Collaboration Part 2: A Framework for Outsourcing IT in Financial Institutions
https://www.bedelsecurity.com/blog/independent-collaboration-part-2-a-framework-for-outsourcing-it-in-financial-institutions
Culture Counts
https://www.bedelsecurity.com/blog/culture-counts