The CEO was, understandably, upset. For the third time in several weeks, his company had fallen victim to ransomware. “We have GOT to do something to tighten up our cyber resilience!” he said.
As it turns out, the breach was traced back to a recalcitrant employee who, despite warnings from his IT department, persisted in using his laptop on an insecure Wi-Fi network in a particular coffee shop. To further complicate matters, this was not just any employee; it was the CEO himself.
As the decidedly analog Pogo once said, we have met the enemy and he is us. http://www.thisdayinquotes.com/2011/04/we-have-met-enemy-and-he-is-us.html
In my discipline of risk management, we work closely with CIOs, owners and other business leaders to identify and address the risks inherent in information systems operations. Over the past 3-4 years, we’ve seen considerable progress in the way companies, particularly more nimble companies, have ramped up their cyber resilience efforts in multifarious ways: implementing rigorous data hygiene, addressing storage vulnerabilities, tightening intellectual property protections and developing systems response plans. As understanding of cyber resilience has evolved, more CIOs are now taking a well-deserved and needed seat in the C-suite, advising CFOs and CEOs to make more proactive decisions about IS investments in the interest of risk management.
Yet even as businesses have gotten better about cleaning up their information systems’ vulnerabilities, the biggest vulnerability of all is the one you can’t exactly toss out: i.e., the humans that the systems are designed to serve. Even the most dedicated CEOs can bring traits to the table (rushed, fatigued, not always keeping up with learning) that put them at risk of becoming a hacker’s unwitting best friend.
Nor are they the only ones to be concerned about. That millennial sipping coffee next to the CEO might be using a dedicated VPN, but may also be spilling secrets by talking too loud over his Bluetooth, or oversharing on social media. And we all know what Equifax was using for its password, right? https://www.forbes.com/sites/leemathews/2017/09/13/equifax-website-secured-by-the-worst-username-and-password-possible/#6ebba648457d
Regardless of our training or demographics, we all have our strengths, weaknesses, and blind spots. So what’s a CIO to do?
Play Where the Puck is Going
As advisors and consultants, our team tries to follow the advice of hockey great Wayne Gretzky and anticipate where the puck is going. In the case of cyber resilience, I think CIOs would do well to aim at the human risk factor.
Mind the Gaps
Spend some time looking at the gaps in your cyber resilience system protocols. Self-evaluation is one tactic. One of our KA colleagues, Mike Benz, Director of IT at Kraus-Anderson Construction Company, has developed a self-evaluation tool based on the standards of the National Institute of Standards and Technology (NIST) designed specifically to help contractors evaluate their ability to identify, protect, detect, respond and recover from cyber events.
Benz notes that, “The tool suggests specific improvements in areas where the company has the biggest gaps, compared with industry averages and best practices. Each recommendation balances cost with risk reduction potential.”
Probably one of the best investments you can make is identifying your users’ cyber resilience gaps and addressing these with training.
Cyber security providers such as Darktrace https://www.darktrace.com/ leverage powerful AI algorithms that mimic the human immune system’s defenses https://www.darktrace.com/technology/ to provide 24/7 monitoring of employees’ data use, flagging problematic behavior to spot emerging threats that would otherwise go unnoticed.
Because employees’ understanding of the systems they use varies widely, so does the cyber resilience of the organization as a whole. Online trainings can smooth out those sometimes wild swings in levels of understanding and help companies establish a level set point of cyber resilience competency among employees. Our agency maintains a client portal online training center that offers a series of 5 cyber risk courses that can be taken in an hour or less, with documentation of completion. The trainings reveal gaps in understanding that can indicate to supervisors where further attention is needed.
Get Onboard with HR
Another opportunity for the CIO is to get embedded in the process of hiring new users. Just as companies maintain regular trainings relating to safety, discrimination, harassment and other vital standards, cyber resilience training can and should become baked into your employee onboarding, life cycle and exit protocols.
And, with a nod to your HR colleagues, consider bringing cyber closure to the exit interview. Offering last-chance amnesty for full disclosure of any competitive data that has been illicitly shared during the employee’s tenure could knock out 90 percent of post-termination issues before they emerge.
However sophisticated the learning curve for your team, cyber security events still rely on user error, manipulation and exploitation of bad habits. Now that you’ve cleaned up your systems, the opportunity for today’s CIO is in making proactive choices to anticipate where the puck is going, and in taking steps to establish, elevate and even out a baseline of cyber resilience competencies among your users.
By Keith Burkhardt, Vice President, Kraus-Anderson Insurance
Originally posted on CIO Applications