Cybersecurity: It’s All About the People

Writing in this piece, Eric Basu offers some lessons from the Anthem data security breach. His main piece of advice, summed up? Make every employee part of the cybersecurity team.

He explains the value of adopting an NSA- or bank-like corporate culture of cybersecurity sensitivity. Here is more of his advice, excerpted from his original article (link below).

Four cybersecurity scenarios to watch out for:

1. Employees showing their public Facebook accounts, which disclose their complete name and date of birth, could provide a cyber predator the tools to potentially obtain a social security number, among other essential information, to successfully infiltrate your company's business and personal accounts.

2. “Shadow wi-fi accounts” that show up in public places, such as a conference hall or hotel, prey on mobile devices set to connect to the nearest open network. Such seemingly reputable access points convince business travelers to unintentionally expose company information residing on their iPhone, iPad or laptop.

3. Passwords are tough to remember, so people write them down in a notebook or an unencrypted file on their computer or phone. This common mistake opens their accounts to an attacker who needs to do just a minimal amount of work.

4. An employee who receives an email from a stranger or sees an ad on a legitimate website clicks on a link and instantly permeates malware throughout the company’s network. This isn't a malicious act: The teammate just didn't realize how harmful that one click could be.

Four ways to incorporate cybersecurity into your company culture:

1. Emphasize to your entire staff safe computer practices that go well beyond lists of inappropriate websites to surf during office hours.

2. Give the same care and concern to cyber-security activities for employees as you give to safety measures surrounding use of the office building after hours.

3. Train all employees on good cyber "hygiene" (i.e., how not to click on links in emails; how not to keep passwords in an open digital or physical medium, etc.).

4. Limit the administrative reach available to regular users. This requires a not-insignificant amount of employee process modification and change management, but is key for a company to manage its cyber risk.

These moves don't mean that organizations should ignore their network architecture, security patch programs, disaster recovery policies and threat-management system deployment.

These elements remain crucial. However, implementing security measures only through the IT department and failing to address the overall need for cybersecurity sensitivity as a core component of the company’s corporate culture is like locking the doors in your house but leaving the windows open to let the outside air in.

For the original piece, click here: