Thank you for Subscribing to CIO Applications Europe Weekly Brief
The weakest link?
By Bjorn R. Watne, Chief Information Security Officer, Storebrand Group
Fortunately, the attackers are not the only ones to evolve. While spending half a meeting explaining to the customer what an Intrusion Detection System was 20 years ago, it is something close to default with most companies in both private and public sector today. Technology alone is however not enough to combat the ever-changing landscape of threats we face today. We need to address how we go about our work, as well as the minds of the people actually doing it. The trinity that is People-Processes-Technology all need to be equally addressed in order to ensure a secure operation. They are all important, but, if one were to be placed above the others, I would say it would have to be people. Every time.
The right tools – the technology – will always be of great importance. Statista reports that at the end of 2018, global spam volume as percentage of total e-mail traffic is still as high as 53.5 percent. No question at all whether or not we still need our antivirus solutions in place! Same company is also reporting that the global market size of outsourced services has doubled from 2000-2018 to close to USD 90bn. Obviously, there are no questions either as to whether it is important we have proper risk management, policies and procedures in place to plan, do, check and act when dealing with our different third parties.
Nevertheless, even though we excel at all of this – that one piece of malicious malware opened on a vulnerable system; or that one password given away on a fraudulent phone call might still shatter all defenses. Hence, it is imperative we also focus on getting into the hearts and minds of our employees if we really want to secure our operation.
Technology alone is however not enough to combat the ever-changing landscape of threats we face today
1. Keep it relevant.
When trying to raise awareness it is important you address your target audience with a certain amount of granularity. The language and format used to address non-technical personnel working with HR and Marketing should not be the same as that for IT-operations and Software Development. Get an understanding of their individual tasks and their workday.
2. Keep it interesting.
What is usually more important to employees than their employer's well-being is that of themselves, or their relatives. The topics presented should focus on what is their greatest concern – for example how to keep children safe on the internet, or how to protect your digital identity, or safely go about online banking and shopping. Good habits at home often become good habits at work, which is the win-win you're after.
3. Make it fun.
Across the globe, people have always loved playing – and competing. The Greek tradition of the Olympics is one example; the board game Senet played in ancient Egypt as far back as in 3500 BC is another. Create quizzes, design hackathons and capture-the-flag competitions, display leaderboards and celebrate your champions. Opportunities of gamification are almost close to endless, and most of them work very, very well.
4. Make it easy.
One should never have security for security's sake. Your controls should always have the goal of supporting the business. If you are not helping the business align to its strategic goals, you should stop what you are doing and do something different. The controls put in place must also enable your employees to do their job as effortlessly as possible (within the company's risk appetite). Finally, reporting suspicious activities or possible incidents should be very easy, frequently communicated, and always acknowledged – possibly even rewarded.
By making information security relevant and interesting to your employees in their daily lives – making reporting suspicious activities convenient and rewarding – and by showing them that said activity is always taken seriously and acted upon by security professionals – you've maybe just turned your weakest link into your biggest asset. Any one of us can have a bad day or a momentary lack of concentration – but given heightened awareness and ease of reporting, this risk can be reduced significantly. Couple it with the right defense technology and well anchored and rehearsed incident processes, and you have a winner.
As I like to think of it – in a company with 1000 employees, you can look at it as either you have 1000 security flaws, or you have 1000 security guards. I know which one I prefer.
The Balancing Act: Network Security and Connectivity
Whitney Kellett, CIO, Aqua America [NYSE:WTR]
Security is Only As Good As Your Weakest Link
Sam Schoelen, CIO, Continental Resources
Taking Holistic Control of Your Enterprise's Security
Jaya Baloo, CISO, KPN
The Digital Transformation of Service
Courtney Dornell, Senior Director, Service Transformation, Otis Americas