This week, we have a guest post from NTT Security’s new Chief Information Security Officer, Andrew Barber, on the importance of shared responsibility.
Today marks the start of Cyber Security Month, a global awareness campaign that promotes the importance of information security among citizens and organizations and highlights the simple steps they can take to protect their data, whether personal, financial or professional. The campaign’s general message is that security is a shared responsibility.
It’s an important message – one that NTT Security is passionate about promoting. Security is everyone’s responsibility, as my colleague Jon Heimerl explains here. As he points out, the importance of security awareness cannot be overstated, and management needs to emphasize the significance of efforts to promote it across the organization. This means more than just providing PowerPoint slides or training videos. All employees have a role to play in securing their organization’s data. Cybersecurity can’t and shouldn’t be left to the IT department.
Why? Because end-users are the biggest threat. According to a recent report, insider threats account for nearly 75% of security breach incidents. Of course, not all insider threats are deliberate. Research from our Global Threat Intelligence Center (GTIC) indicates that only about 25% of the insider breaches for which NTT Security has been engaged in incident response have involved overtly hostile activity, such as an inside attacker stealing corporate resources or information. The remaining 75% of insider activity has been either accidental or better classified as negligent, or perhaps “not compliant with corporate policy”.
Instilling a security-minded culture is a critical aspect of mitigating insider threat risk. Equally critical is assigning personal responsibility for protecting company data, as well as determining an organization’s risk profile. Together, they will contribute to a stronger security posture.
As Cyber Security Month states, everyone should practice basic cyber hygiene. Likewise, organizations should put the basics in place as part of a comprehensive approach to cybersecurity.
Here are some security measures that every business should look to take:
- Improve internal knowledge and awareness of data security among employees, and highlight the importance and implications of what people do when accessing and using corporate data. This requires some exemplary management skills and needs to start with a solid security policy. Tailor security policies to focus on weak points as well as key areas such as data encryption, mobile working, clean desk practices and acceptable usage.
- Understand that this is not just technology, but people and processes too. When enforcing a formal security policy, communicate it to all staff. Many businesses will already have awareness programs and policies in place but often the methods of communication are not effective enough. Communication techniques must enable awareness to be applied practically and initiatives and policies should address employees’ attitudes and intentions, making them willing participants. Several critical success factors are listed here.
- Perform regular assessments of employees’ cyber readiness in the form of penetration testing and simulated phishing/malware attacks. This will enable businesses to measure the effectiveness of their training and awareness programs.
- Completely secure all critical data by implementing the appropriate controls to protect, detect and respond to potential threats. The explosive growth of smart devices and the commercial application of the Internet of Things (IoT) means that there are an ever increasing number of endpoints that produce and consume corporate data. Therefore, don’t overlook the endpoint. Advice on how to close potential vulnerabilities can be read here.
- Consider working with a Managed Security Services (MSS) provider like NTT Security to proactively protect an organization against multiple, complex security threats, around the clock. MSS also addresses the lack of internal resources to keep up with growing threats. Some experts argue it’s no longer possible for many organizations to tackle all aspects of cybersecurity in-house. According to the 2017 Global Information Security Workforce Study, there will be a shortfall of 1.8 million information security workers by 2022.
- Implement an incident response plan to minimize impact and costs should a breach occur. There’s little organizations can do in the long run to stop a determined attacker but, with a well-structured, efficient incident response plan, they can contain a breach and limit its damage – and they do not have to wait until an incident occurs to determine how to handle one.
We will be publishing more advice throughout Cyber Security Month, so check back soon.