Recent security attacks signal the need for a new organizational culture that bridges cybersecurity and business operations.
If we learned anything from the Equifax hack that affected 143 million people, it’s that the CEO (along with the rest of the C-suite) needs to be concerned as much about cybersecurity as the chief information security officer. More organizations realize they need to better integrate security practices into their business operations to help combat the increasingly complex threats attacking their networks — and their brand reputations. This shift has given rise to the concept of the cybersecurity culture, in which all users, from entry-level personnel to executive leadership, are responsible for helping maintain the integrity of data assets.
WHERE THREATS ORIGINATE
Wade Baker, an associate professor of integrated security and a cybersecurity researcher in Virginia Tech’s Online Master of Information Technology program, describes today’s breed of cybersecurity threats as falling into four categories:
- Insiders, either employees of the company or employees of trusted partners and contractors.
- Cybercriminals, the people who send out spam and phishing emails to gain entry to the corporate networks.
- Cyberespionage, including nation against nation, nation against company and even company against company, with the intent of stealing intellectual property or other confidential information.
- Activists, people who use the internet to launch a protest or deface websites of organizations they oppose.
That’s a wide swath. What makes fighting the bad guys a “whole company issue,” says Baker, is that everybody’s a target. “Take a phishing email, which is used in cybercriminal activity and cyberespionage campaigns. If the employee clicks on it, then their computer is infected, and it spreads from there to compromise other computers and servers throughout the network.”
DEVELOPING THE CYBERSECURITY CULTURE
Smart companies have learned that helping employees understand they’re part of the security picture is much more effective than, for example, making them sit through an annual slideshow about security. That practice isn’t going to change behavior, Baker insists.
Baker, who for many years led development of Verizon’s annual Data Breach Investigations Report, highlights a specific data point that surfaced in that research. “When you look at how data breaches are detected, what has found more breaches than intrusion-detection systems were employees happening to notice things that were suspicious [and] then investigated,” he says.
“If you can help employees feel like [they’re] part of the defense of the organization … you get more buy-in and more of a security culture.”
As one way to involve employees, Baker advises adding gaming elements in training to make it more engaging.
One example: to stop “tailgating” — the practice of one badged person allowing others to follow right behind when going through a locked door (a physical security data breach) — “gamify it a little bit and say, ‘We’re going to be walking through the building and someone will try to tailgate you, and you’ll get $100 if you challenge them.’ ” That changes the conversation, he explains, from “I’m challenging you because I don’t trust you and don’t like you and I’m a jerk,” to, “Hey I’m just trying to win $100.” “Everybody has that shared understanding,” he says.
Retired U.S. Navy Rear Admiral David Simpson, who will be instructing Virginia Tech students in a course on cybersecurity risk in the spring, advises “judicious deployment of ‘red teams.’ ”
”These are third-party or in-house experts who play the role of white-hat hackers to uncover ways systems and services in the company can be compromised [by] extracting data, denying availability of critical services or “replacing truth with an agenda that would be harmful.”
The reason Simpson likes the red team approach is that it helps “capture the attention of your various divisions in a language they understand: ‘You couldn’t get the car off the assembly line for three days because you lost control of your robotic arms? Hey, I understand that. No cars off the assembly line. Really bad.’”
When that’s the lesson, he adds, nobody needs to be a cyber expert to know they have a responsibility to mitigate such potential failures.
Virginia Tech’s Online Master of Information Technology program is offered jointly by the College of Engineering and the Pamplin College of Business. Ranked by U.S. News & World Report as the No. 2 “Best Online Graduate Computer Information Technology Programs” the past four years.