Page 9 - Cyber Warnings
P. 9
emergency, effectively rendering security efforts null and void. This is tantamount to
plugging holes in the port side of a boat while water is pouring in through holes in the
starboard side. Employing security measures in one area but not others will still sink the
whole organization.
A winning philosophy is the foundation upon which a more secure progression can be executed
successfully.
Your secret weapon: people
Recent industry surveys typically cite insiders as the number one security threat. I don’t
particularly prefer the term “insider threat”, as it carries with it a generally negative connotation
of maliciousness. While a malicious employee most certainly would be considered an insider
threat, the far greater and more frequent concern under that term’s umbrella isn’t malicious at
all: inadvertent behavior, often caused by nothing more than a lack of knowledge. Phishing,
malware, and weak password management are the high-percentage causes of security
breaches. The truly malicious insider is the plane crash of security breaches – it happens
relatively rarely, but gets major media attention because of its severe impact. But regardless,
insiders aren’t wildcards. They are your employees, on your team. Rather than liabilities that
attackers exploit, turn them into guards on the wall:
• Train your employees regularly. Discerning employees able to identify phishing
attacks and avoid malware are like having intelligent, adaptable agents deployed on
every system at the organization. Train them! You aren’t going for a check-box
compliance here, i.e. do not teach theory. Words alone will likely have no lasting value.
Conduct live demos of phishing attacks and malware-in-action, showing both attacker
and victim sides of the dialog. Employees will better connect their behavior to
consequences.
Secure password management is low-hanging fruit. Everyone has heard the speech
about using strong passwords, but few have seen first-hand how easy passwords can be
to crack. A live password-cracking demonstration might be very illuminating and
motivating for employees. In my observation, knowledge isn’t the primary driver of strong
password use: convenience is. The ability to quickly recall a password typically dictates
a user’s desire to make it complex.
If a password has to be frequently remembered or repeatedly typed, it will tend to be
simple. But with a password manager, exceptionally strong passwords that don’t even
have to be known by their users can be created and used quickly and easily.
Recommend (better yet, provide) password management apps and train on their use,
and strong password use will likely increase.
• Focus on hiring trustworthy people. The unfortunate “insider threat” catch-all term
leads some to erroneously view all employees as likely malicious threats. Some security
departments respond with draconian resource lockdown, as if the insider threat could be
9 Cyber Warnings E-Magazine – July 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
