One of the mantras today in Cybersecurity is to create a Security Policy, or even several Policies, and make sure that they are enforced. While this has been true for who knows how long, the catalyst for it was the COVID-19 pandemic. For instance, right when it hit, CISOs and their IT Security teams were left scrambling to deploy company devices to what had suddenly become a near 99% remote workforce. Of course, the gravity of the pandemic caught everybody off guard, but another reason companies were so slow at this was that they did not have a good Security Policy in place. Even if they did, it was probably not rehearsed on a regular basis. But now that the pandemic has more or less dissipated, CISOs have hopefully learned their lessons.
Not only is a Security Policy good to have when it comes time to respond to a disaster, but it is also greatly needed to support a good level of Cyber Hygiene among the other employees of the business. But depending upon how large your organization is, it can truthfully be hard to enforce a Security Policy with each and every employee.
Therefore, it is very important for the CISO, as well as other members of the top brass, to make sure that a proper cadence of “Social Norms” is followed. You may be asking what this is. Well, here is an informal definition:

“Social norms typically are informal, unwritten rules that guide acceptable behavior among members of a group or society.”
In other words, you take certain parts of the Security Policy that will help maintain the level of Cyber Hygiene that you want, and actually act them out in your daily interactions with others. So the idea here is that as you practice these “Social Norms”, others will watch and take your cue. This is another subtle way of practicing good Cyber habits. That’s why it is so important for managers in a business to do this on a proactive basis, because in our society, everything is learned in a top-down fashion.
So to get you started, here are some tips:
1) Have training:

Yes, this is a topic that has been beaten over many times, but it’s the truth. You first have to have regular training sessions with your employees in order to instruct them about the value and the importance of the datasets that your company possesses. They are the lifeblood of the business, and if anything is compromised in this regard, your business will be on its knees. But two key points here are:

- Keep your training engaging and interesting.
- Make sure that it is appropriate for the target audience. Don’t take a “one size fits all” approach.
2) Know where the data resides:

Believe it or not, many CISOs to this day don’t even know what is contained in their databases. So if you want to establish a sense of a “Social Norm” here, know where every piece of data is, and convey that knowledge accordingly (obviously, this is something that an administrative assistant does not need to know about).
3) Make use of MFA:

As I have written about before, this is an acronym that stands for “Multifactor Authentication”. The predecessor to this was 2FA, which stands for “Two Factor Authentication”. But since the Cyberattacker has more or less circumvented the latter, the time for MFA has now come. This is where you deploy at least three different authentication mechanisms in order to confirm the identity of your employee.
4) Understand Social Engineering:

Although this is almost as old as Phishing, it is being used quite a bit today. This is where the Cyberattacker tries to build up a friendly but cunning rapport with an employee of a company in order to squeeze out details from them about the company’s datasets. In this regard, also have training programs on this, and even conduct role plays with employees so that they will truly understand the gravity of a Social Engineering Attack.
5) Implement a Privacy Policy:

While these are mostly prevalent on websites (primarily due to the data privacy laws that mandate them, especially with regard to the use of “Cookies”), it is important to take this idea and create a Privacy Policy that is internal to your company. For example, not only does the business have the right to keep its datasets private, but employees and even customers have this right as well.
6) Get an Identity Service:

The three main credit reporting bureaus are Equifax, Experian, and TransUnion. Through whichever agency you wish to go through, take advantage of their free credit reporting services. Offer this to all of your employees and even customers. In case you are ever hit with a security breach, they will be able to contact the bureau immediately to have their accounts frozen quickly.
7) Use a Password Manager:

Yes, as much as we have tried to get rid of passwords, they are still around, and will continue to be for a long time to come. They still continue to be one of the biggest nightmares in Cybersecurity today. Therefore, make use of a Password Manager to further enhance the protection of your datasets. These are simple but powerful software applications that create long and complex passwords that are difficult to crack. Best of all, your employees don’t even have to remember them; the Password Manager takes care of all of that. But if you are going to use one, make sure that you as the CISO start using it first.
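What “long and complex” means in practice is entropy: a password drawn uniformly from an alphabet of N symbols has log2(N) bits per symbol. The following added example (written for this page, not any password manager’s code) shows the generation step a manager performs, sizing the password or passphrase to a target entropy and drawing it from the operating system’s CSPRNG. The 80-bit target and the sixteen-word list are constructed for illustration; a real manager ships a list of thousands of words.

```python
"""Added example: generating passwords and passphrases with a stated entropy
target, the way a password manager does. Illustrative code for this page, not
any product's code. TOY_WORDLIST is a constructed toy list."""
import math
import secrets
import string

# Printable ASCII letters, digits and punctuation: 94 distinct symbols.
DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed toy word list (assumption: a real list has thousands of words,
# so each word contributes far more than the 4 bits it does here).
TOY_WORDLIST = ["anchor", "bright", "cactus", "delta", "ember", "forest",
                "granite", "harbor", "island", "jigsaw", "kettle", "lumen",
                "meadow", "nectar", "orbit", "pebble"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def length_for_entropy(alphabet_size: int, min_bits: float) -> int:
    """Smallest length whose entropy reaches min_bits."""
    return math.ceil(min_bits / math.log2(alphabet_size))


def generate_password(min_bits: float = 80.0,
                      alphabet: str = DEFAULT_ALPHABET) -> str:
    """Uniform random password from `alphabet`, sized to min_bits of entropy.
    secrets.choice draws from the OS CSPRNG; the `random` module would not be
    suitable because its output is predictable."""
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet must not contain duplicate symbols")
    length = length_for_entropy(len(alphabet), min_bits)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(min_bits: float = 80.0, wordlist=TOY_WORDLIST,
                        sep: str = "-") -> str:
    """Diceware-style passphrase: each word adds log2(len(wordlist)) bits.
    Easier for a human to type when the manager cannot auto-fill."""
    words = length_for_entropy(len(wordlist), min_bits)
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def password_strength_bits(password: str,
                           alphabet: str = DEFAULT_ALPHABET) -> float:
    """Entropy credit for a password that was generated uniformly from
    `alphabet`. Only valid for generated passwords: a human-chosen one is far
    weaker than this formula suggests because it is not uniformly random."""
    if any(ch not in alphabet for ch in password):
        raise ValueError("password contains symbols outside the alphabet")
    return entropy_bits(len(alphabet), len(password))


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"({password_strength_bits(pw):.1f} bits)")
    print(generate_passphrase())
```

Note the caveat in `password_strength_bits`: the entropy formula only applies to machine-generated secrets, which is exactly why employees should let the manager create the password rather than typing one in themselves.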
My Thoughts On This:

Creating “Social Norms”, following the tips just reviewed, should not be an insurmountable task. But as I have said before, this all has to start from the C-Suite. If the members there follow it, then other employees, in a cascading fashion, will also follow suit until it becomes second nature to them.