Arraya Insights | November 15, 2017
We’ve talked previously in this blog about how stock photos always depict cyber security threats the same way. The setting is typically a dark room occupied by a hoodie-wearing, faceless figure with some undoubtedly Matrix-inspired grids of code artistically placed somewhere in the frame. However, with the help of a recent survey, we’ve compiled an image that, while lacking in drama, more accurately depicts who security professionals seem worried about. Our picture is of a person wearing unassuming professional attire, in a well-lit room, maybe waiting quietly for a cup of coffee to brew. In short, it’s the average employee.
At our recent Open House and Technology Day, Arraya conducted a survey to gauge what attendees saw as their biggest security challenge. Rather than hand out print surveys, we decided to make this one more visually engaging. All attendees received a ping-pong ball at registration and were asked to drop it in a jar marked with the security issue they struggle with most.
Let’s take a look at the results:
- “Protecting my employees from themselves while maintaining productivity and innovation” – 46%
- “Gaining granular insight into my network to detect malicious behavior” – 21%
- “Securing sensitive data that has been moved to the cloud” – 18%
- “Keeping costs low while providing adequate security” – 14%
Building a security-first corporate culture
The “end users” response collected more votes than any other two options combined. If our Open House had gone on any longer, we would have needed a bigger jar. Despite the overwhelming response, end users mostly aren’t acting as malicious insiders and knowingly damaging their employers. They’re regular people trying to do their jobs, only, for them, security takes a backseat to efficiency. The question then becomes, what can IT do to build a corporate culture that accurately reflects security’s ever-increasing importance without, as the above response acknowledges, handcuffing employees’ productivity and innovative spirit? Here are eight ideas:
- Define the Goals of the Security Program – Blanket directives such as “We need to be more secure” do little to help crystalize the importance of security in the minds of end users or staff. Instead, the objectives behind an initiative must be made obvious to everyone impacted. Whether it’s safeguarding sensitive data or achieving compliance with a new regulation, everyone should have a clear understanding of the direction they should be pulling in and why.
- Establish “Top Down” Accountability – People are going to make mistakes. The key in security, just like everything else, is that they learn from those mistakes and grow into more security-aware employees. Should individuals fail to demonstrate that growth and make the same mistakes over and over, the only option is to part ways with them. This should be the case for all employees, regardless of position or standing, to enforce the notion that everyone is accountable.
- Know Where Data is and Who Can Access it – Modern organizations are not hurting for data. In many cases, they’re so inundated with it, it’s hard to keep track of what’s stored where and who is accessing it. Steps must be taken to bring data back under the control of IT, in terms of location and access permissions. Otherwise, sensitive data could be inadvertently left out for the wrong audience to see.
- Identify Risks and Threats – IT and end users alike must be aware of the threats facing the organization. They must be ready to contend with the hazards posed by ransomware, phishing, social engineering, and more, specific to their particular industry. As the threat landscape is regularly changing, much like everything else in IT, frequent updates and refreshers are a must.
- Develop Sensible Controls Based on Risk – Securing against every theoretical hazard is a noble goal, but ultimately, it’s also impractical. Resources are limited, as is end user patience for restrictive security controls. As such, businesses must develop controls that take into consideration everything from the likelihood of an attack to the impact it could cause. Doing so enables IT to lay out security protocols that are both effective and sensible.
- Outline Responsibilities and Train – The word “cyber” in cyber security has misled many an end user to believe that the topic is only an IT concern. However, every single person within an organization, regardless of department or level, has a role to play in preventing data breaches and malware attacks. Time must be invested in training users on what to expect, how to avoid risks, and what to do if they encounter a suspected threat. This way, they’ll be ready to do their part to keep the organization safe.
- Monitor and Report Program Effectiveness – Once a cyber security program is in place, the work doesn’t stop. The initiatives and processes within that program must be closely monitored for what’s working and what isn’t. IT should collect device logs, end user feedback, and more to determine the status of efforts and then adjust as needed.
- Prepare for and Respond to Incidents – In the event something does go wrong, who does what? Prepare for the worst by putting together an Incident Response Team representing all parts of the organization. Should an attack happen, the members of the team must know exactly what is expected of them and get to work identifying, mediating, and solving the problem.
Next steps: Where to turn for security initiative support
Whatever your security challenge, Arraya’s Cyber Security Practice can help. Our team has the technical knowledge and the real world experience to assist organizations with planning, protecting, and prevailing against today’s toughest threats. Get the conversation started with our team today by visiting: https://www.arrayasolutions.com/contact-us/.