Dear CISO, It's Time To Widen The Cyber Security Net
4 August 2017 12:54
It's clear that CISOs have a lot on their plate. Being occupied with security governance and compliance requirements, all while establishing and maintaining their company's vision to combat cyber threats is a hefty chunk of work for anyone.
But a CISO cannot afford to confine their focus to just these areas. If they do, all that's achieved is a false sense of security. Serious focus needs to be filtered down to employees - and fast.
Overlooking the basic fundamentals of how employees behave and interact with the organisation's data and technology is a huge risk, especially where information is shared excessively and is easy to access. Think of it this way: the more access to sensitive data an employee has, the easier it is for cyber criminals to obtain a company's critical assets once that employee's credentials are targeted.
The net needs to be widened by CISOs over who they're protecting, and their security plans should be tailored to the way the business operates.
Of course, this is no quick-fix for security, but placing focus on employees can have a significant impact on a CISO's success. After all, there's a reason why we hear so much about the human element of security nowadays, and it's simply because of the growing number of employees being successfully targeted (here are some of the most common techniques they're still falling for).
Employees have the keys to the kingdom - make sure they're protected
A cyber criminal's primary target is often the decision-makers who possess access and authority. For CISOs it is vital to know and understand how their executives operate at an individual level in order to protect them. These types of targets are likely to use several devices, such as smartphones, laptops and tablets. They tend to travel often and communicate over a VPN or connect via public WiFi.
They may even be doing business in countries where they are at risk of falling victim to economic or political espionage, such as Russia and China. This is where it can be a good idea to conduct security assessments on executives in order to test their susceptibility to social engineering emails and assess their security while on the go (educating and phishing your own employees is a great way of doing this).
Don't forget the backbone of the kingdom, they're all a target too
Cyber criminals are launching increasingly legitimate-looking spear phishing campaigns and social engineering techniques, and widening the number of employees they view as "high value." A CISO can often focus mainly on the high-profile C-suite, board members, and those with domain access - but this can be a mistake. Although these individuals are incredibly important to protect, there are many other employees in the organisation that criminals are going to target as well.
Consider the head of communications, for example, who might have access to sensitive earnings data before it's made public, or the CEO's executive assistant who holds vital passwords, or even the employee in HR with the keys to employees' personal details.
Cyber criminals can target anyone. Sending out the bait and seeing what comes back has been a successful tactic for many years, alongside other more targeted attacks. The need to create a security-minded culture for all employees can be overlooked by a CISO. Of course, compliance and firewalls are needed if we are to aim for maximum security, but the need for the human firewall must be recognised by all.