On Friday, in the early morning hours, the world woke up to what will quite possibly be the world's largest Cybersecurity breach ever. Many Cyber pundits are merely calling it a "large scale outage"; in my humble view, I think it was a security breach. Why do I say this? It is too eerily close to the SolarWinds attack. Just one vulnerability was exploited, and from there, it had a cascading effect on over 1,000 victims, ranging from the smallest of the SMBs to the Fortune 500 to even the Federal Government.
So of course, a lot of finger pointing has been going around, and unfortunately, it was Microsoft that took the brunt of the blame for it. However, this is far from the truth. Microsoft is a client of CrowdStrike, and is heavily dependent upon their services to actually work right for the gargantuan Azure Cloud Platform. But in the end, somebody will have to take the fall for it, and only a thorough investigation will reveal that.
What happened Friday is also directly related to another hot button topic in Cybersecurity today: the notion that employees are the weakest link in the security chain. I will share my views about this at the end of the blog. But it is true, ever since the COVID-19 pandemic, the need for security awareness training has never been greater.
Many people have written blogs, articles, whitepapers, and even books as to what makes a great security awareness training program. But it all comes down to three things:

* The training has to be made interesting so that the audience will remember what they have learned.
* It has to be specific to the department, job title, or what roles the employee does on a daily basis.
* There has to be follow-up to make sure that employees are applying what they have been taught.
For this blog, I will focus on the last one. I know of companies that, after having given a training program on Phishing, will actually launch a mock Phishing exercise to see how many employees have fallen prey to it. For those that do, very often a warning or a slap on the wrist is given, and then it is forgotten about. But that is often where the failure starts. For these employees, a further, personalized approach needs to be taken.
Here are three tips to get started with this:

1) See what the employee is doing wrong:

Don't simply bring him or her into your office; it will be much more intimidating for them. Rather, take a very friendly, casual approach, such as taking a coffee break, or even take the employee out to lunch. Tell them what you have been noticing in their Cyber Hygiene, and try to figure out why they are doing what they do. For example, why are they using the same password over and over again? Why are they not double checking the emails they get in their inbox? Or, why are they consistently using apps for their work when they have not been authorized to do so? And so forth. This should give you a much greater insight into their ways of doing things.
2) Create a "Credit Score":

Once you have figured out what the employee is doing wrong, or why they are not following the security policies that you have set forth, try to create something like a "Credit Score" for them. However, do not share this with them; it will make your employees feel as if Big Brother is watching them. Just use this numerical value as a metric, or even as a Key Performance Indicator (KPI), to see just how well they are improving over time (which is hopefully the case).
3) Give one-on-one help:

I remember when I was back in high school, I was struggling through Algebra II, and after my parents gave up on helping me, they resorted to finding me a tutor who could give me that one-on-one time. This tutor helped me in the specific areas that I was weak in, and over time, my grades improved. This is the same approach that you have to take as well with your employee who is exhibiting a low level of Cyber Hygiene. But, in my view, hire a person that is specially trained in this. Don't just farm out somebody from your IT Security team, as they have more than enough to deal with on a daily basis. Try to find a contractor that specializes in offering Cyber education, as they will be the most accustomed to offering tutoring sessions.
4) Reward the employee:

As the tutoring goes on, and if you see an improvement in their respective "Credit Score", reward your employee. This can take place with just a simple pat on the back, sending out positive messages with the right emojis, giving them a gift card, or even taking them out to lunch again. The bottom line is that once the employee feels appreciated for the efforts and remediations that they are undertaking, they will continue with this trend for a long time to come, until you don't have to coach them anymore.
My Thoughts On This:

You might be thinking at this point: "I don't have the time and resources to do this for each and every employee". Of course, you don't. These strategies are designed to help those employees that display the lowest, or weakest, behavior when it comes to their Cyber Hygiene. There will be some that will get it right the first time after the training, and those that will lie somewhere in the middle. But the idea is that once other employees see others maintaining strong levels of Cyber Hygiene, they will feel compelled to do the same.
In the end, it comes down to what is known as "Behavioral Analysis". In other words, trying to figure out why people act and do things the way they do. This is becoming a hot sector now in Cybersecurity, and rightfully so, with all that is going on, especially now with Generative AI being so dominant.
So now, back to that one thing: I do not think at all that employees are the weakest link in the security chain. Rather, I find the CISO and the other members of the C-Suite to be the weakest link. They do not practice what they preach, and if they did, we would see a much different picture in terms of employee Cyber Hygiene today.
In the end, it takes both people and technology to have a great line of Cyber defense for your business.