By Security Magazine on 5 January 2017
c-suite security metrics, cyber security education, cybersecurity awareness, cybersecurity leadership, security training, cybersecurity
Every day we are updated about the latest cybersecurity breaches – whether it’s Yahoo, Dropbox or LinkedIn, how many records have been stolen, or how much companies have paid in result from ransomware or financial fraud.
However, are employees and executives aligned with cybersecurity awareness? Are the risks and top discussions that happen in the break room similar to those that happen in the boardroom? The topics and concerns are farther apart than you could ever imagine.
The Break Room
As employees sit in the break room and discuss the latest cyber breaches in the news and how many records have been stolen, it’s not typically a major concern as they are not aware of the direct impact to their data or personal information. To them, it is just another cyber breach.
As thousands of records are stolen daily, the lack of direct impact means that many employees are not clear on the risk or the value of the data being stolen. Many companies have failed to educate employees on cybersecurity. While it is common to see companies creating complex IT policies, ensuring their employees understand their role and responsibility when it comes to security within the company is a good place to start.
Share with your employees that even a bad link clicked on a smartphone can lead to a cyberattack throughout the organization.
Companies fail to treat external breaches as cyber incidents and therefore reduces the severity or impact. Employees bring their own devices, connect them to the company’s network, store corporate data on them and very few companies check those devices for security compliance or that security protocols are enabled.
Employees believe it is the government’s, technology companies’ and their company’s responsibility to protect them from cyberattacks. The cybersecurity topic at the break room is more likely to be about the cyberattacks that influence the presidential election, the possibility of cyber terrorism against the government and critical infrastructure, and “did you recently change your password?”
In all seriousness, you should probably update your passwords.
Now just down the corridor, the executives are having their monthly meeting in the executive boardroom and after numerous topics, cybersecurity eventually gets brought up. The main concern for the CEO is to know the business is running smoothly. While sales and operations are top of mind, the security of the company needs the same awareness and care. While juggling many business functions, CEOs don’t have the time to worry about small intricacies.
Make cybersecurity a priority topic during meetings and define the business impact of a security breach.
New security breaches like ransomware make security a more pressing concern for enterprises now more than ever before. Most of the boardroom looks to the CISO for what the current state of the company’s cybersecurity is. However, many view it as a risk and therefore lack of business impact. The biggest topic that comes to the table is typically is whether the company is meeting government and industry regulatory compliance and will they pass the upcoming audit.
Establish a culture of cybersecurity responsibility throughout the C-Suite, not just the CISO.
The challenge in the past is that it is difficult to measure cybersecurity risk for many organizations and this has put the CISO in a tough situation as how to show business value. It was about keeping the existing security controls working, making continuous improvements where possible, and placing security on previously adopted technologies. Security has always been an afterthought and sometimes not possible to keep the same high level when security and privacy were not implemented by design. This means the risk always continues to get greater, making the CISO’s already tough job more challenging.
Since cybersecurity is a growing topic in the boardroom and the breakroom, the education in the boardroom needs to continue on the business impact of cybersecurity, clear metrics, cyber insurance and a clear recovery plan. Educating employees of the importance of security with BYOD and their own workstations will greatly mitigate the risk of a cyberattack.
Rep. Peter Welch (D-Vt.) said the attack shows how rampant Russian hacking is. “It’s systemic, relentless, predatory,” Welch said. “They will hack everywhere, even Vermont, in pursuit of opportunities to disrupt our country. We must remain vigilant, which is why I support President Obama’s sanctions against Russia and its attacks on our country and what it stands for.”
Brian M. Harrell, CPP, Director of Navigant and former Director of Critical Infrastructure Protection Programs at NERC, told Security magazine: It’s a bit premature to say that the Russians planted this malware on a utility workers transient device, but the code detected is similar to the malware used in the advanced persistent threat campaign by Russian cyber operatives. It will take some time to trace the malware to its origin. The hacking of critical infrastructure is a concern for utilities across the country, but we should be careful to keep this in perspective. The infected computer is reportedly not connected to key control or energy management systems affecting utility power operations. The utility identified the malware, recognized the indicators of compromise, and notified law enforcement and grid regulators, all while isolating the one laptop with malware on it. This is evidence of how timely and accurate threat information, in the hands of utility operators, can mitigate threats to the power system.
Hacking into corporate computers of a utility does not necessarily compromise the integrity or reliability of the electric grid. Attackers would need to successfully gain access to industrial control systems, which they did not. While this event causes alarm, due to recent events surrounding Russian cyber intrusions, it should be noted that phishing attempts, denial of service attacks, and ransomware attacks happen every day within critical infrastructure sectors. The electricity sector has mandatory and enforceable security standards, and a uniquely strong tie with the E-ISAC ran by NERC, which may have aided Burlington Electric in identifying the malware. We still do not fully understand the capability and intent behind the malware found at Burlington Electric, however, US CERT and federal resources should be used to investigate and better determine how this malware was introduced. Federal officials should work closely with NERC and the E-ISAC to then provide lessons learned.”
Carson, Joseph (2017). Cybersecurity Tips for the Break Room and Boardroom. Security Magazine. Recovered on 30 January 2017, from http://www.securitymagazine.com/articles/87700-cybersecurity-tips-for-the-break-room-and-boardroom