This month is the 14th National Cyber Security Awareness Month, the annual campaign organized by the Department of Homeland Security to raise awareness of the importance of cybersecurity for both businesses and consumers. This week’s theme is ‘Cybersecurity in the Workplace Is Everyone’s Business’, and it aims to highlight the fact that creating a culture of security is critical for all organizations, and must be a shared responsibility among all employees.
It’s a timely reminder that cybersecurity isn’t just about products and processes – it’s also about people. There’s an old joke which warns that the riskiest part in a car is the one that holds the steering wheel, and it holds true in cybersecurity, too. Employees’ actions can have a huge negative, or positive, impact on an organization’s security.
So here are some examples of how human error can cause security problems – and practical steps that organizations can take to make cybersecurity everyone’s business, and strengthen their overall security posture.
Ransomware: it started with a phish …
A majority of cyberattacks start by specifically targeting end-users with phishing emails: a recent report found that 91% of attacks started with a phish. The consequences of an employee getting hooked by a phishing attack are serious. The most likely outcome is triggering a ransomware infection (over 97% of phishing emails contained ransomware in Q3 2016), and the disruption that follows can be huge: shipping giant Maersk estimated that the NotPetya ransomware attack which took down its networks for several days cost it over $200 million in revenues.
We recently blogged about how organizations can limit their exposure to a ransomware attack, by containing it before it can cause widespread disruption. This includes network segmentation to limit the lateral spread of malware, taking regular backups and storing them offline, securing all network devices, and linking SIEM systems and vulnerability scanners to business processes to help with early detection and remediation of attacks.
Also, user education and cybersecurity training are never in vain: a 2016 ISACA study of more than 2,000 employees found that over half were not provided with cybersecurity awareness training by their employers. Further, 36% of respondents said they could not confidently define a phishing attack, and 19% admitted that they had fallen victim to an attack.
As such, all levels of staff should receive training, from the C-suite down, and it should be followed up with practical testing – such as creating realistic-looking phishing emails to see if employees click on them. Practice doesn’t always make perfect, but it will improve people’s security awareness – and could help to stop a damaging cyberattack.
To err is human; to automate is better
External attacks aren’t the only cause of breaches and outages. They can also be caused by IT and security teams making simple, human errors when network devices or policies are configured or changed. Such changes are part of the daily routine of network management, and a large enterprise’s IT team may well process hundreds of these change requests per week. But unfortunately mistakes can and do happen, especially when manual processing is involved. All it takes is a miskeyed IP address or a syntax error in a firewall rule, and you may have inadvertently created a gap in the network security perimeter that lets cyber attackers in, as well as causing considerable business disruption and downtime.
To help prevent these security events, organizations need to use automation to handle these increasingly complex processes, and reduce the amount of error-prone manual input when handling changes to configurations and policies. Put simply, fewer manual changes mean fewer mistakes – and more application uptime and a better security posture. Additionally, a security management automation solution will be able to proactively assess the risk of all planned changes, thereby further minimizing the risk of mistakes. This is particularly critical in enterprises with complex, hybrid environments of both on-premise and cloud applications.
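As an added illustration of the two failure modes just described (a miskeyed address and an over-broad rule) and of assessing a planned change before it reaches a device, here is a small pre-change validator. It is example code written for this post, not any vendor’s product, and it assumes a simplified rule format (action, src, dst, port) and a constructed internal zone of 10.0.0.0/8.

```python
"""Pre-change risk assessment for a proposed firewall rule.
Added example with a constructed rule format; not a product's own logic."""
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # constructed internal zone
ADMIN_PORTS = {22, 3389, 445}                    # SSH, RDP, SMB


def parse_net(value):
    """Parse an IP or CIDR; 'any' means the whole IPv4 space.
    A miskeyed address such as '10.0.0.256' raises ValueError here,
    before the rule is ever pushed to a device."""
    if value.strip().lower() == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(value.strip(), strict=False)


def assess_rule(rule):
    """Return a list of findings for one proposed rule (empty == low risk)."""
    findings = []
    try:
        src = parse_net(rule["src"])
        dst = parse_net(rule["dst"])
    except ValueError as exc:
        return [f"REJECT: malformed address ({exc})"]
    if rule["action"].lower() != "allow":
        return findings                      # deny rules add no exposure
    port = rule.get("port", "any")
    if src.prefixlen == 0 and dst.prefixlen == 0:
        findings.append("REJECT: allow any->any opens the perimeter")
    if (src.prefixlen == 0 and dst.version == INTERNAL.version
            and dst.subnet_of(INTERNAL)):
        findings.append(f"HIGH: internet-wide source allowed into {dst}")
    if port == "any":
        findings.append("MEDIUM: rule allows all ports")
    elif int(port) in ADMIN_PORTS and src.num_addresses > 256:
        findings.append(f"HIGH: admin port {port} reachable from {src}")
    return findings


def decision(findings):
    """Map findings to a change-workflow outcome."""
    if any(f.startswith("REJECT") for f in findings):
        return "reject"
    if any(f.startswith("HIGH") for f in findings):
        return "review"
    return "approve"


if __name__ == "__main__":
    typo = {"action": "allow", "src": "10.0.0.256", "dst": "10.1.2.0/24", "port": 443}
    print(decision(assess_rule(typo)), assess_rule(typo))
```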
As an aside, automation can also help to address the cybersecurity skills shortage by taking over the laborious, manual and error-prone maintenance tasks, and enabling IT and security staff to spend more time on strategic business initiatives. We will examine this topic in a few weeks’ time when we cover week 4’s theme ‘The Internet Wants YOU: Consider a Career in Cybersecurity’.
An inside job
Accidental errors by employees are bad enough, but organizations also need to be alert to the risks of malicious insiders: in new SANS Institute research, respondents rated the threat from disgruntled or malicious employees or contractors as the most damaging vector they face. However, there are practical preventive measures organizations can take – including monitoring privilege rights to enterprise infrastructure as well as monitoring data exfiltration – to better protect themselves against the insider threat, which we detailed here.
A policy for passwords
Verizon’s 2017 Data Breach Investigations Report found that employees are still failing to set strong passwords for their accounts and devices: 80% of hacking-related breaches used either stolen passwords and/or weak or easily guessable passwords.
As we noted in this blog, organizations can take two key steps to reduce the risk of password-related security problems. The first is to make it easy for employees to follow good password practices – such as using a different, strong password for every account, and using password management applications to help them do this, without having to remember every single password. The second step is to ensure that no default passwords remain in use anywhere on your network – whether on firewalls, routers or individual users’ machines – as this is the equivalent of leaving a door unlocked for a hacker.
By putting these tips into practice, organizations can better protect themselves, and their employees, against the damage and disruption that cyberattacks inflict. Business cybersecurity really is everyone’s business.