The Realities of Cybersecurity
By Doug Mullarkey, CIO, First Choice Loan Services Inc.
One would think that with all of the risk associated with cybersecurity, companies would do “whatever it takes” to ensure security. In speaking with industry peers at conferences and technology events, I am surprised to hear that many business leaders do not want to make the sacrifices to be secure. I like to compare cybersecurity to weight loss; being secure is like wanting to lose 10 pounds. Everyone (myself included) wants to lose 10 pounds, but doing the hard work to lose those 10 pounds takes effort and sacrifice, and only a few can really do what it takes to make that happen. I like to apply that analogy to cybersecurity. Everyone wants to be secure, but few truly put forth the effort to be secure. It’s our job as Information Technology (IT) leaders to make the strong case to the business and “close the deal” to ensure that the proper funding and resources are obtained, and most importantly that the business truly buys in. This is a huge challenge for small to midsized organizations that are not accustomed to strong controls. Larger organizations have the controls in place.
I definitely hear from peers all the time about resistance to doing things in a new, more secure way. The avoidance of change itself is often the root cause of the anxiety, not the actual cybersecurity initiative. The following are a few examples of business resistance to cybersecurity initiatives seen industry-wide.
• Blocking Third Party Email–This is how data leaves the company and viruses get in–bypassing email filtering and controls.
• Blocking External Media like USB and CD-ROM–This too is how data leaves the company and viruses get in–bypassing controls.
• Blocking Non-Corporate Wireless–Again, a back door in and out of the corporate environment.
• Rogue Offices–Offices that do not have the proper controls are a huge corporate security risk.
• User Accounts with Admin Rights–This is a big one. Many employees want local admin rights to perform tasks requiring elevated system rights. Malware and viruses can easily propagate through the machine and the network using an account with elevated rights.
• Blocking Non-Corporate Application Installs–Nobody needs WeatherBug. Sorry. Application white-listing helps prevent malware from being installed.
• Secure Mobile Devices–If you want to get email on a phone, data must be encrypted and the device must be password protected.
• Strong Passwords–abc123 is not a strong password.
• Folder Restrictions–Ensuring employees have rights to just what they need helps prevent the spread of ransomware.
• Managing Social Media–Policies that define what can and can’t be posted by employees. No, you shouldn’t post a photo from your Game of Thrones script on Snapchat.
• Managing Physical Security–Lock the doors! Follow a clean-desk policy.
• Web Filtering–No, you can’t gamble online using company resources.
How to “Make The Sale” and Get Buy-In
Our job as IT leaders is to develop services to enable the business while increasing security. When one application or process is deemed insecure, it’s IT’s job to create and build a new way of doing that job or function and “sell” it to the business. It’s best to start at the top.
Start at the top. Explain to your Board the risks associated with cybersecurity and how to mitigate those risks, and create a road map and business case for security initiatives. Everything starts at the top, and board approval will help drive security initiatives. Boards of Directors are very focused on cybersecurity and compliance and will gladly support initiatives that keep negative publicity away.
Cybersecurity and Compliance
Cybersecurity concerns are not only technology related but also bridge the gap with compliance. “Nobody” cares about cybersecurity until a breach has occurred or until examiners and regulators are onsite doing their audit and exam. Compliance and cybersecurity go hand-in-hand and a strong relationship with compliance helps drive the business acceptance of new policies and procedures.
Policies and Procedures
Board-approved policies and procedures that detail the crucial “do’s and don’ts” are the cornerstone of any cybersecurity program. The program should be built on industry standards such as NIST or ISO 27001, to name two. It is always great to refer to the policy when a questionable request comes into IT. Policies can be used as a “bully pulpit”.
Formal employee training goes a long way toward helping staff understand the risks. Training helps explain the “why’s” to employees who are not tech savvy or simply don’t understand why we can’t do things the old way. Our employees are our greatest strength and can be our greatest weakness. When an employee does something wrong, it’s usually not due to malicious intent, but because of not knowing. Having employees sign new policies allows for the enforcement of those policies.
Gradual implementation of new policies will allow employees to ease into a new way of doing things. Culture change is a gradual process that improves over time.
To conclude, the goal of cybersecurity is not to change the way the business functions, but to make things more secure. Company resources belong to the company and are tools for the business to function. As technology leaders, we need to get buy-in from our Board of Directors and create a culture change that is security-centric. If a process or tool is eliminated as being insecure, a more secure method must replace it. At the end of the day, cybersecurity is not just an IT concern, it’s an “everyone” concern, and we all need to work together to embrace security.