Security Think Tank: Changing attitudes to cyber is a team sport

Welcome to the new year, 2020, and I trust that you had a wonderful Christmas with your family and friends.

But what about the hackers – did they take a holiday break, did they have a great Christmas? One thing is for sure is that they, the hackers, had a wonderful Christmas, but it wasn’t with their family or friends, it was taking advantage of offices being closed and so, they hoped, they would have more undetected time to breach a company’s defences.

Could this new year be the year of 2020 vision for infosec? I believe so, but we need to get away from the traditionally painted picture of the hacker being a hooded script kiddie in their bedroom, hunched over a computer. Of course, such people still exist both in reality and in the minds of senior managers and board members, but the bigger threat comes from organised, industrial-scale hacking. 

This is not fear-mongering, but reality. Every company, be it big or small, that has an internet presence (including email) will be attacked at some time. As with physical security, the opportunist burglar is deterred by good security measures, such as ensuring windows are closed and locked when the premises are shut, that side gates are closed and locked and that no ladders or other items that would assist in gaining entry are left lying around. But while the opportunist thief may be deterred, the professional will find their way in if they feel the target is worth it.

Should someone forget to take a security action such as locking an office door, it is important that they know they can let security know without being reprimanded. A quiet, supportive and non-confrontational chat, perhaps over a coffee, will go a long way to help prevent future lapses. 

So what do I mean by infosec 2020 vision? It means ensuring that everyone in a company, from the very top (and that includes all board members) to the bottom understand that they have a part to play and, equally importantly, that if someone does something that is not right, that there won’t be any negative comebacks for admitting it, only positive support. 

An organisation will be more secure if people know they can admit to their mistakes when they make them. Along with this, if a person feels that something is not right or they come across something they don’t understand, such as receiving an email apparently from a supplier or partner company that has an unexpected attachment, they should be able to talk to their management and/or IT security (or the security group) knowing that, in doing so, they will receive supportive feedback, not a negative comeback.

To secure IT systems, be they in-house, outsourced or a combination, and the information that these systems contain is a complex task made worse (more interesting, perhaps?) by an ever-changing threat landscape. Given these circumstances, you cannot expect the majority of people in an organisation to grasp or understand all the nuances associated with keeping information completely safe. A blame culture not only doesn’t help – it will actually hinder.

So promote openness, and support that openness with regular education, poster campaigns and informal meetings. The odd tutorial aimed at helping people in the organisation to secure their home environment better given the spread of baby monitoring cameras, smart TVs, smart home hubs, and so on, will go down well and will, in turn, help to improve the security of the organisation – a win-win.