The executive board must truly understand the security problem and be willing to invest in the right systems; the CISO must know how to improve security and implement security by design, so that security becomes a business enabler delivering competitive advantage; and the organisational culture must promote security awareness and customer safety because the organisation understands how important this is to its long-term survival.
“Security is everyone’s responsibility” has become the tagline of cyber security. It is quite reasonable, however, for anyone with limited cyber security knowledge to worry about identifying and blocking security problems.
So just how much is the average non-security employee responsible for the security of the organisation? And how can employees avoid being in the line of fire if they accidentally hit the wrong key?
The good news is that, in the past two years, security controls have come a long way, meaning organisations that have implemented all of the basic cyber hygiene standards are no longer being caught out by malware attacks such as Petya/NotPetya and WannaCry.
In fact, in environments that implement rapid software updates (patch management), use only supported operating systems, remove installation privileges from users, segment the network, back up data and use the very latest artificial intelligence-driven anti-malware, employees only have to focus on protecting against one thing: social engineering.
However, if you meet a lot of Isaca members and other security professionals, you will often hear that there are still too many organisations where the executives are reluctant to bring their security investments up to a realistic level.
At Isaca, we know that our security professionals, especially those with certifications, tend to keep up to date through their continuous professional education and the updated resources and guidance to which they have access.
Any organisation that still thinks it could be taken down by the actions of a single employee at any time is unlikely to be listening to its security professionals. Although the current cyber attack threat levels are very high, the reality is that all the successful attacks have occurred on organisations with substantial gaps in their basic security practices. These are gaps so large that the cyber criminals could drive a truck through them.
Malware attacks such as WannaCry and NotPetya relied on using a buffet of basic exploits on each machine they infected. The malware was trying to find out if there were any security fundamentals that had been forgotten – and then exploit those gaps to create the damage.
Does that mean you can relax if you are in an organisation where the security basics are in place? Unfortunately not. Many cyber criminals have now turned phishing – the use of scam emails – and social engineering into an art form. The easiest way to gain money from an organisation is to convince legitimate, authorised users of a system to do illegitimate things.
As an example, some of the largest recent cyber frauds have used absolutely no malware whatsoever. Instead, they have simply tried to use social media and emails to persuade staff to make transactions that look legitimate, but are not.
It could be an urgent request to transfer money, or something that looks like a legitimate internal request to move funding. These are basic but often convincing tricks, and worryingly, they can get past even the best technical security.
So how can you tell whether you are working in an organisation where the security pressure placed on employees is higher than it needs to be?
The simplest way is usually to look at the security training that is provided. It is a good sign if a company has easy and responsive ways to report any potential security threats. Effective training should focus on taking care not to disclose confidential information, and on checking and verifying the validity of requests, especially if they are out of the ordinary.
If there is no security training, or the training is still indicating that a single click from any employee could take down the entire organisation, it might be worth looking for a position in an organisation with slightly more security resilience.