To make information security truly an enterprise-wide effort, the director of New York's Office of Cyber Security and Critical Infrastructure Coordination has come up with resolutions for 2005 that create a foundation harder for hackers to crack.
"Integrating security into your daily business process should be one of the fundamental building blocks of your organization. Just like a car's sunroof, security will generally be more seamless and cost less if you build it in at the beginning than to retrofit it as an afterthought," said William F. Pelgrin at this month's Infosecurity New York conference. Rather than retrofitting, he advocates strengthening a company's security posture by increasing its ranks' resolve to consistently keep security in mind during their daily operations and strategic planning.
"It's about everyone making a consistent effort to not get compromised," Pelgrin added. Here's how each employee, from those in the CEO's office to the mailroom, can resolve to do his or her part:
- Recognize the relationship between physical and cybersecurity
  - Realize cyberevents can have physical consequences.
  - Help improve communication and cooperation between cybersecurity and homeland security entities.
- Don't be overwhelmed by the challenges faced in cybersecurity
  - Break it up into digestible chunks.
  - Just get started.
  - Understand that one size does not fit all.
- Don't be afraid to admit to a cybersecurity incident
  - Recognize that 100% security does not exist, and when an attack occurs, do not engage in the "blame game."
  - Remember, too, that it's only through sharing information on attacks that we can truly help each other be better prepared.
- Practice good cybersecurity principles
  - Don't open e-mails from untrusted sources.
  - Don't forward jokes, chain letters or photos received from unknown sources via e-mail.
  - Don't divulge a password for any gift or goodie.
  - Don't fall prey to phishing scams, which are becoming increasingly sophisticated.
- Empower the information security officer
  - Take cybersecurity seriously.
  - Get personally involved. Hold periodic meetings with your ISO; regularly have your ISO brief the executive team on new cyberthreats; recognize staff who demonstrate responsible cybersecurity behavior; ensure that your ISO has reviewed and signed off in writing on new systems before they go into production; make cybersecurity a standing item at executive meetings.
- Be a role model for the next generation in good cybersecurity practices
  - Practice what you preach and adhere to these cyberprinciples yourself -- ensure that you have a strong password; take responsibility for becoming knowledgeable about sound cybersecurity practices; encourage a culture in which cybersecurity is everyone's responsibility; build cybersecurity issues into your presentations.
- Collaborate with others
  - Work with the public and private sectors to enhance our collective security.
  - Recognize you can't do it alone.
- Promote the idea that good cybersecurity is everyone's responsibility
  - Ensure you understand your responsibility in using computing technology safely and securely.
  - Recognize that the average home user's computer processing power today well surpasses what was previously available only to the largest corporations or government agencies.
  - Don't assume that "someone else" is taking care of it (e.g., the IT department or the government).
- Promote National Cyber Security Awareness Month -- October 2005
  - Develop a cybersecurity awareness campaign within your organization.
- Don't be afraid to challenge the status quo
  - Question principles that were once core to good security practices. What was good 10, or even five, years ago may no longer be what's good for cybersecurity today. For instance, employees were once told never to open an e-mail from someone they don't know -- this was a basic, sound cybersecurity practice. But with the advent of spoofing, we can no longer rely solely on whether you know, or think you know, the sender. We need to question these principles to see if they still pass the test of time, and modify them when needed.
- Have a passion for cybersecurity
  - This one speaks for itself, but it includes learning about threats, attacks and what you can do personally to prevent them.
One way to gauge if the security philosophy is sinking in is to test employees. "We'll have employees receive a phishing scam particular to what they do," Pelgrin said. "If they fall prey to it, they'll get a warm and fuzzy training session on what could have happened."