It was once said that cybersecurity in the workplace wouldn’t exist without IT. Well, that statement is now showing its age and has since evolved into something more inclusive. In reality, there is no cybersecurity without IT, business AND employees working together with shared objectives and a strong culture.
Simply put, every organization should approach cybersecurity by integrating the IT department, business units and employees. We’ve said it before and we’ll say it again: within the modern IT organization, everyone needs to be a cybersecurity professional, from technology consultants to administrative staff.
So, although there is an “I” in “IT,” there is still no “I” in “team.” And cybersecurity is undoubtedly a team sport.
Most important, as teams learn to accept the shared responsibility of creating and maintaining a “secure environment” for business operations and communication activities, they can better prepare to tackle the challenges of increased attacks on systems and people. In our journey to explore the many opportunities and challenges consultants face while navigating cybersecurity in the workplace, let’s take a look at what we have learned so far and expect to learn in the near future:
Business Email Compromise and Social Engineering
When we asked a group of CIOs in the Southern California region what their biggest concern was for the immediate future their answer was clear: cybersecurity and social engineering; the culmination of people, process and technology.
Specifically, business email compromise (BEC) is widely recognized as one of the most effective methods for attackers to access networks, databases, files or, worse, identities. In BEC, the human component (employees) is the most vulnerable link. Thus, CIOs must develop a plan for getting everyone on board within the organization.
Well aware of this, malicious parties continue to hone their skills, working harder to deceive employees who aren’t staying one step ahead of the threat. Of course, as the title of this article implies, preparing to successfully negate a cyber threat (in the form of BEC) isn’t the sole responsibility of the consultant or employee — or IT for that matter — it’s one that all personnel — management and workers alike — must engage with, ready to learn and adapt. After all, in the digital era we are all on the front lines. Since every consultant and employee will be faced with a cyber threat at some point in their career, here are the common forms of social engineering that must be identified (the following topics are covered in depth):
Social Media Engineering
Being able to identify and minimize the threat of social engineering begins with awareness; and awareness is dependent on a company culture that rewards testing, education and growth. Of course, this is highly dependent on a workforce of employees and consultants who are open to security-skills development and motivated by the new and continuous challenge this critical role presents within the organization — the modern mindset of IT professionals, as we call it.
On the other side of the equation, modern IT organizations are looking to leaders with an aptitude for developing their workforce using continuous learning programs (webinars, meetings, clinics, team events, content strategies) as well as transparent feedback loops (penetration testing). With a focus on transparency, this cross-enterprise collaboration drives the success of security objectives and prepares all internal teams to respond strategically to a threat, firmly planting the CIO in the captain’s chair.
Analyzing informal feedback provided by a current CIO of a Fortune 500 company in the Orange County, CA region, and taking a page from the FBI’s playbook, here are important factors to consider when creating a “before the storm” checklist:
Identify your most valuable assets — data and systems — and answer the questions: where are these assets? How are they acquired? Stored? Who has access? How do they gain access?
Make the response plan second nature for IT. Rehearse. Rehearse. Rehearse!
Strategize and facilitate a monitoring program using education, testing, and feedback — empower vs. intimidate.
Measure progress across teams and end-users, making adjustments to align with the internal culture.
Make insights available from testing results to management for more effective talent development and team building.
According to the FBI’s latest cyber crime report, 2017 was a milestone year for the FBI’s Internet Crime Complaint Center (IC3). On October 12, 2017, at 4:10pm, the IC3 received its 4-millionth consumer internet crime complaint. In response to this alarming yet not surprising statistic, the FBI’s dedicated cybersecurity team developed a response plan that applies to organizations of all sizes. Even more appealing to technology workers, this top-level plan provides an order of operations that’s applicable to most situations involving social engineering, from phishing to scareware. According to FBI feedback, when a cyber threat is identified, or worse, an attack is carried out, teams should do the following:
Assess: ID computer, port, sender, destination, etc.
Isolate: compromised devices, network
Collect: content, images, logos, keywords, verbiage, etc.
Notify: internal management, law enforcement, end-users
The Talent Perspective on Cybersecurity
For IT professionals, the path forward is clear: social engineering remains a credible threat and must be addressed daily. An important detail for talent managers to consider: a person’s aptitude for understanding the importance of cybersecurity as it pertains to their role and the greater organization is an invaluable asset to the team.
In the IT industry, where an already significant talent shortage is being exacerbated by the need for security professionals, successful compliance from cross-enterprise teams is directly influencing growth opportunities for individual talent. In other words, learning from a strong, well-equipped team of infosec specialists (and becoming one yourself) can open doors and present paths for growth that may otherwise be overlooked. And with an estimated 350,000 cybersecurity positions open in the U.S. this year — in addition to the 780,000 already filled (statistics provided by National Initiative for Cybersecurity Education (NICE)) — it’s clear that every IT consultant has an opportunity for growth with regard to cybersecurity. So, to begin identifying these opportunities here are a few actions to consider:
Partner with your client’s infosec team
Complete certifications to complement your current IT skill set, e.g., GIAC, Security+, GSEC, CEH, CISM, CompTIA Security+ or CISSP.
Set aside 30 minutes per day to learn how your current specialization can benefit from cybersecurity best practices, applying them to your projects and regularly reading articles and news.
Practice early adoption of platforms and tools within your scope of work, seeking out new technology and understanding how it can add value to your work.
Update your resume and portfolio every six months, adding certifications and descriptions of projects that show your new skill set and active learning.
Becoming well-versed in cybersecurity practices provides immense opportunity for IT consultants who wish to choose the projects they work on and the companies they work with. Because cybersecurity is now accepted as a critical business risk, a greater number of monitoring and risk-mitigation technologies are being made accessible to companies. As a result, technology teams must adapt, and talent development, or establishing a successful talent pipeline, is a priority for these companies.
One such example, shared by Caroline Baldwin of Infosecurity Magazine: Telstra (Australia’s largest communication provider) opened two new security centers to support a network of 500 security experts. Shortly after launch, the centers’ success meant plans for additional centers in Asia and Europe were already underway, bolstering support from partners and customers for Telstra’s rapid push to be the most secure company in the market. Of course, this ultimately drives the need for skilled talent — and plenty of it! This model is now being adopted by other global companies.
In fact, as CyberSeek found, the greatest abundance of opportunity is in the “operate and maintain” category of security jobs. This relates to roles in support and administration of IT systems, positions that closely correlate to many other responsibilities IT professionals own.
In an eye-opening statement which adds perspective to the immediate need for new talent channels, Matthew Sigelman, CEO at Burning Glass Technologies stated,
In every state, the employed cybersecurity workforce would have to grow by over 50 percent to align with the market average supply and demand ratio.
Whether you view the glass as half empty — or half full — there’s work to be done for technology professionals across the enterprise; any chance of protecting not only companies but also people from the growing threat of cyber attacks requires immediate attention to talent.
The more we talk about the threat to people, the more attention society as a whole will give to the subject. The reality is that business leaders, IT, and employees need to work together, sharing the responsibility of developing and strengthening people, processes, and tools to create a secure environment where everyone can thrive. Because after all, security has become a team sport.
Emerging Culture Around Cyber
You read that right. A cybersecurity in the workplace culture is emerging (or better, being cultivated) by leaders who understand the importance of having everyone on board — business, IT, and employees. Their job titles may vary but their mindset is shared. And that mindset embraces a responsibility towards creating the most secure environment humanly possible for the company. In essence, this shared ownership acknowledges and accepts a “boots on the ground” mentality in the daily battle against cyber threats. So, the question is: how are companies building this culture?
The expectation that employees and consultants perform any given role in alignment with security best practices is a given. Nowadays, most employees are obligated to do so. Even so, how we talk — and think — about this obligation can determine whether this culture permeates the organization. Emphasizing the value of the team, the successful culture shifts already witnessed in the industry are supported by stakeholders who influence employees using motivation rather than intimidation. Because let’s face the facts: if you want someone to do a job well, they must first want to do that job well. And what better way to motivate than providing a mission-driven reason to do their job well?
However, as Caroline Baldwin shares in her coverage of a keynote panel at Infosecurity Europe 2018 in London, “The conversation about cybersecurity doesn’t stop once a company receives broad-level buy-in,” according to Spencer Summons, Head of Information Risk & Security at Tullow Oil. The culture shift begins when people place equal concern on threats to systems and threats to people. Similar to safety, “cyber” will only become top-of-mind when everyone is talking about it, an important aspect of any culture.
It’s about introducing emotion into prevention. It has to be real for them, so we’ve been showing hacker demos and showing them what might happen if someone hacks into their machines, Summons shares.
An equally valuable component,
Pride is conducive to building a culture around cybersecurity, says Peter Gibbons, Chief Security Officer at Network Rail.
And as it turns out, pride can be cultivated through an alternative narrative, one that emphasizes the vulnerability of the end-user — people. As Gibbons reveals, accomplishing this requires workers to frame cybersecurity as a business problem rather than a technical concern. After all, employees and consultants often choose to work for a company based on its mission. If that mission is supported by a healthy culture and buy-in across the enterprise, everyone wins.
Adopting this emerging “cybersecurity in the workplace” culture is open to every company, every team, and every employee. And the price of admission? A mindset shift and a continuous training regimen. Make it more about the humans at risk than the systems that fail. And most importantly, believe in the ability to never let the “user” down while they consume a product or service. There’s pride to be felt in responsibility.