Sunday, June 30, 2024

How To Create Cyber Social Norms: 7 Golden Tips

One of the mantras in Cybersecurity today is to create a Security Policy (or several of them) and make sure that it is enforced.  While this has been true for as long as anyone can remember, the real catalyst for it was the COVID-19 pandemic.

For instance, right when it hit, CISOs and their IT Security teams were left scrambling to deploy company devices to what had suddenly become an almost entirely remote workforce.  Of course, the severity of the pandemic caught everybody off guard, but another reason companies were so slow was that they did not have a good Security Policy in place.

Even if they did, it was probably rarely rehearsed.  But now that the pandemic has more or less dissipated, CISOs have hopefully learned their lessons.  A Security Policy is not only useful when it comes time to respond to a disaster; it is also needed to support a good level of Cyber Hygiene amongst the rest of the employees of the business.

But depending on how large your organization is, it can be genuinely hard to enforce a Security Policy with each and every employee.  Therefore, it is very important for the CISO, as well as the rest of the top brass, to make sure that a proper set of “Social Norms” is followed.  You may be asking what this is.  Here is an informal definition:

“Social norms typically are informal, unwritten rules that guide acceptable behavior among members of a group or society.“

(SOURCE:  https://www.darkreading.com/cybersecurity-operations/achieve-next-level-security-awareness-by-creating-secure-social-norms)

In other words, you take certain parts of the Security Policy that help maintain the level of Cyber Hygiene you want, and act them out in your daily interactions with others.  The idea is that as you practice these “Social Norms”, others will watch and take their cue from you.  This is a subtle way of instilling good Cyber habits.  That is why it is so important for managers in a business to do this proactively: in the workplace, behavior is learned in a top-down fashion.

So to get you started, here are some tips:

1)     Have training:

Yes, this topic has been beaten to death, but it is the truth.  You first have to hold regular training sessions with your employees to instruct them about the value and the importance of the datasets your company possesses.  Data is the lifeblood of the business, and if any of it is compromised, the business will be on its knees.  Two key points here:

Ø  Keep your training engaging and interesting.

Ø  Make sure that it is appropriate for the target audience.  Don’t take a “one size fits all” approach.

2)     Know where the data resides:

Believe it or not, many CISOs to this day do not know what is contained in their databases.  So if you want to establish a “Social Norm” here, know where every piece of data resides and who is supposed to have access to it, and convey that knowledge accordingly (obviously, an administrative assistant does not need the full inventory).

3)     Make use of MFA:

As I have written before, this acronym stands for “Multifactor Authentication”.  The term you will also hear is 2FA, “Two Factor Authentication”, which is simply MFA with exactly two factors.  Strictly speaking, MFA means confirming the identity of your employee with two or more factors drawn from different categories: something they know (a password), something they have (a hardware key, or an authenticator app on their phone), or something they are (a fingerprint).  Since the Cyberattacker has more or less learned to circumvent the weakest second factors, such as one-time codes sent over SMS, the time has come to roll out MFA everywhere, and to prefer phishing-resistant factors such as FIDO2 security keys or passkeys where you can.

4)     Understand Social Engineering:

Although Phishing is the best-known form of it, Social Engineering is far older and is still used heavily today.  This is where the Cyberattacker builds a friendly but cunning rapport with an employee of a company in order to squeeze out details about the company’s datasets, or to talk the employee into an action such as resetting a password or approving an MFA prompt.  Have training programs on this too, and conduct role plays with employees so that they truly understand the gravity of a Social Engineering Attack.

5)     Implement a Privacy Policy:

While these are mostly seen on websites (primarily because data privacy laws mandate them, especially with regard to the use of “Cookies”), it is important to take this idea and create a Privacy Policy that is internal to your company.  Not only does the business have the right to keep its datasets private, but employees and even customers have this right as well, so the internal policy should spell out what employee and customer data is collected, who may see it, and how long it is kept.

6)     Get an Identity Service:

The three main credit reporting bureaus are Equifax, Experian, and TransUnion.  Whichever bureau you go through, take advantage of the free credit report and credit freeze services they offer.  Make this available to all of your employees and even customers.  If you are ever hit with a security breach, they will be able to contact the bureau immediately and freeze their credit files quickly.

7)     Use a Password Manager:

Yes, as much as we have tried to get rid of passwords, they are still around, and will be for a long time to come.  They continue to be one of the biggest nightmares in Cybersecurity today.  Therefore, make use of a Password Manager to further protect your datasets.  These are simple but powerful software applications that generate long, random passwords that are unique to each site and practically impossible to guess.  Best of all, your employees do not have to remember them; the Password Manager takes care of that.  The one password they do have to remember, the master password that unlocks the vault, should itself be long and protected with MFA.  But if you are going to use one, make sure that you, as the CISO, start using it first.

My Thoughts On This:

Creating “Social Norms” by following the tips just reviewed should not be an insurmountable task.  But as I have said before, this all has to start from the C-Suite.  If the members there follow it, then other employees, in a cascading fashion, will follow suit until it becomes second nature to them.
