How To Make Cybersecurity More Approachable
By Elena Kvochko
Today, security knowledge can make or break a career. While industries have evolved from awareness to implementation and specific guidelines, there are still a lot of misconceptions. Not understanding the inner workings of technology is no longer an option for executives. We all need to adopt a new mindset and accept that security is not optional or an afterthought.
It has to be embedded into the company’s culture. Cybersecurity has changed our economy, politics, markets, and our lives. But many businesses have failed to protect their customers. There is a misunderstanding of how to conduct business securely and truly deliver on the promises to customers.
The key to resolving this issue is to make cybersecurity more approachable.
One of the first steps towards the solution is demystifying the notion that “computer scientists are geniuses and hold the answers.” You don’t have to be in a technical job to be aware.
Breaches are rampant, and executives feel helpless when dealing with them, because they have to rely on products and services they do not understand. Architectures, implementations and configurations contain errors, and an attacker who looks carefully enough will often find the errors that defenders overlooked. As security overhead rises, along with duplicated effort and a proliferation of tools, companies come to believe there is not much they can do about their cybersecurity problems. Instead, they accept breaches as a cost of modern business.
Nearly everything we do generates data, and that data is what attackers are after. Foolproof security may not be achievable, but there are significant steps companies and individuals can take to become a harder target. Large organizations have to build customized security programs from a combination of tools and people. Smaller companies must at least ensure that the infrastructure they rely on is configured correctly.
Measure Security Culture
Company culture is another crucial part of a strong cybersecurity program. Organizations spend significant budgets on security tools. However, the human element still poses a risk if employees are not trained to use systems responsibly and ethically. Automated controls filter out many current threats, but people remain a large part of preventing cybercrime. Leaders need to invest in a culture that acknowledges and rewards responsibility over individuality. Misuse of information, unsanctioned copying of sensitive data inside or outside the company, sharing passwords or choosing weak ones, and failing to recognize a well-crafted phishing email are some of the factors behind data breaches caused by unintentional insiders.
Skipping steps in records-management processes that are perceived as obstructive and bureaucratic can lead to data leakage. Another threat is misuse of access, such as sharing information without the proper governance process or security protections (for example, encrypting the files) in order to speed up a task.
On the technical side, pressure to ship quickly, or a lack of expertise or motivation, can lead a developer to release an insecure product: one that is misconfigured, has bugs or unintended functionality, or carries some other vulnerability. For instance, a developer struggling to get code working on a public-facing website finds it easier to debug by printing error values than by using a debugger, and makes a habit of it. The next release ships with those print statements still in place. It is only a matter of time before a user triggers the error and sees the details, and an attacker who triggers it deliberately learns about the infrastructure, the versions of products in use, and other sensitive information. One estimate attributes around 12% of breaches to misconfiguration of products and infrastructure, 8% to programming errors, and 4% to malfunctions.
Training and constant reminders may reduce this kind of behavior, but preventing it requires a deeper culture change. Secure-by-design practices should be adopted so that fewer vulnerabilities reach production in the first place.
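The debug-printing habit described above, shown as an added example that is not from the original article. The data-access failure, the connection string, the driver name and the handler shapes are all constructed for illustration. The first handler echoes the raw exception and stack trace to the caller; the hardened handler records the full detail internally under an incident identifier, with credentials scrubbed from the log line, and returns only that identifier to the client.

```python
import logging
import re
import traceback
import uuid

log = logging.getLogger("orders")

# Constructed for this example: a connection string with embedded credentials.
# Real database drivers commonly include the target in their error messages.
DB_DSN = "postgres://app:s3cret@db.internal:5432/orders"

# Matches the "user:password@" part of a URL-style connection string.
_CRED_RE = re.compile(r"://([^:/@]+):([^@/]+)@")


def load_order(order_id):
    """Stand-in for a data-access call that fails with a driver-style message."""
    raise ConnectionError(
        f"could not connect to {DB_DSN} (driver psycopg 3.1.9) for order {order_id!r}"
    )


def redact_credentials(text):
    """Replace the password in any user:password@host fragment before logging."""
    return _CRED_RE.sub(r"://\1:***@", text)


def handle_order_debug(order_id):
    """The habit from the article: print the error value straight into the response.

    Whoever hits the error (or provokes it on purpose) learns the host, the
    credentials, the driver version and the code path from the traceback.
    """
    try:
        return 200, {"order": load_order(order_id)}
    except Exception as exc:
        return 500, {"error": str(exc), "trace": traceback.format_exc()}


def handle_order_safe(order_id):
    """Hardened form: detail goes to the internal log, the client gets an id.

    The incident id lets support correlate a user report with the log entry
    without exposing anything about the backend to the user.
    """
    try:
        return 200, {"order": load_order(order_id)}
    except Exception as exc:
        incident_id = uuid.uuid4().hex
        log.error(
            "order lookup failed incident_id=%s order_id=%r detail=%s",
            incident_id,
            order_id,
            redact_credentials(str(exc)),
            exc_info=True,
        )
        return 500, {"error": "internal error", "incident_id": incident_id}


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print("debug handler:", handle_order_debug("A1"))
    print("safe handler: ", handle_order_safe("A1"))
```

Even the hardened version assumes the log sink is treated as sensitive; the redaction keeps a leaked log file from also being a leaked password, but host names and driver versions still land there, which is why log access should be governed like any other internal data.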
Just as technical security measures are benchmarked, tested and documented, information-security culture measures should be too, so that adherence between the different actors within an organization can be tracked and improved over time.
Promote A New Career
Cybersecurity as a career should be promoted in colleges, universities and even high schools and middle schools to increase awareness of the growing demand in the field. Organizations should also look to invest in their own workforce. By investing in an employee’s education in cybersecurity, companies will have the ability to protect their data in-house while encouraging others to join the cybersecurity effort. Focusing on training employees and promoting cybersecurity as a career can bridge the skills gap and protect businesses everywhere.
Both security and non-security professionals need to be encouraged to innovate, because innovation is key to maintaining a strong level of security. Innovation is a process, a culture and a methodology: an organization dedicated to it pursues ideas with the discipline of the scientific method. Organizations that focus on innovation should not assume a single team is in charge of it. Training employees, giving them room to be creative, and rewarding them for their advances and good ideas will build a culture in which innovation happens.