Four essential steps to achieve proper cyber hygiene
In today's world, your company's integrity hinges on protecting your data, and by extension your customer's data. That's why proper cyber hygiene is imperative. To execute this task, there are four steps to deal with both technological considerations and human factors that you should follow, to implement proper cyber hygiene and keep your organization secure:
- Continuous training for all employees – from janitor to intern to consultant to CEO: no matter what job they hold in the organization, every employee needs to be included.
- Promoting a culture of global awareness throughout the organization.
- Updated security and patching on a regular basis.
- Implementing a stringent Zero Trust model.
Before we delve into the mechanics of the four steps in the implementation of cyber hygiene in your organization, I want you to fully understand the pivotal nature of human factors in any cybersecurity framework.
The human factors in proper cyber hygiene
The reason we're starting with the human factors, instead of the technological ones, is that if the human factors are not accounted for then all the security technology you might use is completely wasted.
It's convenient to ignore or bypass awkward or extended security, and if the people in your organization don't understand why the security protocols in place are necessary, then convenience will win out every time. In that case, even the most up-to-date security measures are wasted.
On the other hand, an engaged and informed workforce is a massive boost to any security endeavor, bringing the combined intelligence of your employees to bear on the problem of security and hunting down overlooked gaps in your defenses. Engaged people are the foundation of cybersecurity, so it's essential that we start by discussing how to engage them.
Step 1 – Continuous training for all employees
Training has to be open-ended, multifaceted, and varied in its methods to convey understanding and spark swift adaptation. Having multiple methods of continuous training empowers your employees to choose the option that suits them best.
Multiple methods are also critically important from both a morale perspective and a legal perspective. In terms of morale, the employee will feel more comfortable following their choice of training method and more satisfied by charting their own course. Legally, if the organization imposes a certain way of training for all employees, accusations of bias may arise where a person feels like they haven't been included.
In the end, the journey may be different for each and every person within an organization, but the end result will be the same. You're going to want to keep it relevant, interesting, and meaningful. I can't stress enough that appropriateness is everything when it comes to training, and a critical part of this step is knowing your audience.
We need to lean on our understanding of human psychology, and how different cohorts, typically segmented by age, view the world. Age-specific messaging has cascading effects for a person within an organization, and can help them understand why these practices need to become an immediate part of their habits to solidify your organization's cyber hygiene.
Know your audience for training – communicating with different generational cohorts
We live in a transitional age, where the cross-generational employee population is more common than ever. That's why when we look at continuous training, we have to consider the demography and lens through which different generations view the world.
This is a good training practice for any new information, but I've found that it's especially important in cybersecurity.
We find ourselves at an inflection point in the workplace, as this is the first time in history where we have at least four generations working side by side – Baby Boomers, Gen X, Millennials, and Gen Z, all with different views on life, work-life balance, problem solving, communication, learning, and social sharing. Each generation has grown up in a very different world when it comes to the usage of technology and how it interplayed with their lives. Their stances on privacy, sharing or oversharing information, how best to work, and how to maintain a good work-life balance all differ from each other.
Communication is key for effective leadership within an organization, so by extension it's important to know your audience when you're training. Part of that is keeping aware of how each generational cohort processes information and instruction differently. As you train different folks within your organization and steer them toward your cyber goals, you'll discover that their different styles inevitably influence their workflow.
Some of these differences are readily apparent if you regularly interact with different generational cohorts. Boomers value face-to-face interaction, old-fashioned phone calls, and long-form conversations that convey, in full detail, the important message and all the other pertinent information that they need to know.
Any other form of communication might be considered impersonal, if not rude, to this generation that values human interaction more than their successors.
Jumping over to the other end of the age groups, Millennials and Gen Z often scoff at phone calls or in-person meetings, especially if the information could have been transferred by some form of messaging. In fact, most younger people are jarred by phone calls, don't use landline phones, and have the ringer on their cell phones on silent most of the time.
These stereotypes don't always hold up, but they're a good starting point. Gen Xers are especially mixed and, depending on their personality and work style, can embody a blend of several generations' communication styles. These are starting points, and if you find they don't hold true for an individual, then your approach needs to change to take that into account.
New ways of training versus old ways of training
The era of annual training events is over. In the past, companies would hold a one-day event either once a year (or in the best case once a quarter) where employees would be taught, lectured, and made aware of security measures. The training would also speed through attacks that the employees should be aware of, a litany of compliance regulations, and relevant protocol that would be put in place.
These events were big splashes where engaging speakers were brought in, hands-on activities were conducted, cutting edge videos were shown, catered lunches and snacks were served, and even maybe a bit of entertainment was provided to take the edge off. These full day fetes were viewed as "home runs" because they captured the employee's undivided attention, with the expectation that they would remember, in full detail, what went on that day and fully comply with every single detail that was shared in this one-stop training.
You've probably gathered why we've moved far beyond this approach. We are human, and we don't remember things well unless we remind ourselves of them often. Unless a person has continuous training around security, they will likely remember snippets or barely anything at all.
When a business has continuous training in place, it remains "top of mind" for the employees. As the training is reinforced it will become second nature, part of the background culture of the organization.
Cybersecurity is ever-changing, so it's only reasonable to conclude that frequent training is needed; but that training should be continuous, rather than staccato, and woven into ordinary workflows instead of seeming like an occasional drip of new responsibilities.
Information dumps versus incremental training
Training for cyber hygiene is complex and extensive. It's a lot to digest all at once. That's precisely why continuous training must reject the old way of doing things, where informational dumps would unload what your employees needed to know to do their job properly.
In my experience, information dumps lead to information overload in just the same way as antiquated annual training. Companies used to, and sometimes still do, overload their employees with everything they need to know about security, compliance, and protocol all at once – along with every possible scenario that might arise, all in one mighty lump of information. It often went with an even bigger handbook, and a phrase like "Here you go, employee, study this so you know it all, and every possible scenario that may come from it. Do not forget anything because everything is important." Clearly, this method sets nearly everyone up for failure.
I've found, and I'm sure you have too, that no employee is able to digest information of that magnitude and fully integrate the new material into their routine overnight. We can't fight nature, and that's why incremental training makes more sense, both from a time perspective and when taking into account the limits of the human ability to consume information.
Schedule training accordingly, and break it down into categories. Make each category meaningful in its own right, with relevant scenarios to explain the importance of the information you're sharing. In the end, that gives your employees a much greater chance of retaining essential information.
Universally applicable versus situationally relevant
Be vigilant in avoiding the fallacy that anything is universally applicable, and that training sessions can be universal as a result. Just because one person wholeheartedly believes that they've identified the best way to train employees, in a very cost- and time-effective way that trains many groups all at once, doesn't mean they're correct.
Picture a universal training session: a huge room with a thousand people in it, all from different disciplines, markets, and sectors. Up at the podium stands a speaker poised to give a very important talk about privacy, security, compliance, and real-world scenarios. The speaker begins to speak, delivering a broad-ranging conversation to cover a hodgepodge of dissimilar sectors, such as healthcare, finance, insurance, government, and every other industry.
Next, she spits out an alphabet soup of regulations with which the audience may or may not be familiar: HIPAA, SEC, EPA, and so on. Undoubtedly, there are scores of people that are already completely lost, or at best encountering content that they're woefully unfamiliar with, because it's far beyond their background. That universal training session has instead become an information nightmare that's going to be anything but effective.
In stark contrast to universal training is situationally relevant training. If you have a room full of people from the same background or industry, dealing with similar issues, regulations, and compliance concerns, you can deliver laser-focused training for that specific demographic. For example, the financial industry will have very specific compliance concerns that differ from healthcare: pension regulations, financial privacy laws, and a very different public perception of the industry to name a few.
You can keep attention and focus on these people's specific sector, discussing relevant information pertaining just to them. Privacy, compliance, and regulations can all be seamlessly covered to inspire meaning and lay the stakes for acquiring habits.
A very broad setting is a recipe for one to tune out from the get-go. It's important to get and keep the attention of someone you're training; their ability to find themselves in the stories you tell and find real relevance in the discussions that follow will build their capacity to achieve proper cyber hygiene.
Stage real-life scenarios
Security shouldn't just be a concept that is discussed, but a reality that is lived. That's why, for training purposes, simulating real-life scenarios can be greatly influential. Walk your team through what they should do when problems arise by using these simulations. Afterward, have the team dissect and discuss what went wrong as a group, and how "we" could have improved the outcome or the end result.
Stress the "we," as in "we are a group that supports each other through these critical moments." It may sound trite, but remember that working as a team is infinitely stronger than working alone.
Think about human physiology. If you make a fist without using your thumb, it has no strength. Just like the strength is in the hand as a whole, we are only as strong as our weakest link, and that weakest link can be any employee from any level within the organization.
Everyone has to be supported, and it's imperative that every team member operates as an integral and indispensable part of a collective unit. This lays the foundation for a globally aware culture, which is Step 2 in your quest toward achieving meaningful cyber hygiene.
Step 2 – Global awareness and culture for cyber hygiene
In an age of unprecedented interconnectivity and globalization, your organization has to reflect today's realities. We're in a competitive labor market, and getting and keeping quality talent is a constant challenge. It's sad but true: millions of jobs are left open because of the dearth of relevant skills among today's workforce, and this is especially the case in the field of cybersecurity.
Today's big corporate players prioritize company culture and promote purpose as a matter of necessity. These things were previously thought of as squishy and hard to define, but now they're recognized as more pivotal than ever to modern employees. Belonging and overall workplace satisfaction are essential components in any company's effectiveness and competitiveness.
We can look to any part of our lives, and wherever we feel appreciated, valued and heard we naturally feel more aligned, loyal and productive in that environment. By natural extension, we'll practice better cyber hygiene, too.
A globally aware culture that promotes cyber hygiene does so by promoting a positive environment, where constant dialogue and unfettered collaboration are key indicators of organizational health. As mentioned earlier, employees are seen as part of the solution instead of the problem, and are made aware of changes that are needed via relevant flows of communication.
It's very easy to point fingers at someone and call them the problem, rather than dig for the root cause of risky or unsafe behavior. Empower your employees to be part of the solution. Continuous training and awareness will keep the protocols fresh, and their minds sharp, but it's also essential in my experience to gather feedback and let information flow both ways.
In our cut-throat world, it's of utmost importance that your employees feel supported by the management team. They need to be aware that if they report a potential problem or misaligned behavior, it will be welcomed, not frowned upon for possibly "blowing a false whistle." The worst-case mindset for your employees is that if they stay quiet, and just do as they're told, they can't be held responsible for a problem. More often than not, this is the current case in most organizations when it comes to speaking up or reporting a problem.
I've found that transparency is the best sanitizer. Transparency is a key ingredient in a globally aware organization to preserve a stellar work environment for their employees. If you encourage feedback, and allow your employees to question what has been implemented, you may discover you haven't been asking the right questions. This new way of looking at things may uncover a faulty part of your security, which when fixed will strengthen your defenses throughout the organization. Your employees may have "eyes and ears" in areas that you may not be focused on – encouraging their feedback will likely help you find areas that need strengthening in your organization. Utilizing this most valuable resource, your employee, benefits you from a morale and security standpoint.
Building an inclusive workforce – diversity is at the heart of global awareness
When we think about diversity, we often hone in on obvious demographic indicators such as gender, age, culture, demographic, and socio-economic status. These are definitely important and should not be trivialized, but as a globally aware organization, you should frame diversity differently. For companies, demographic diversity boils down to diversity of thought, approach, and viewpoints. Diversity means having employees who view the world quite differently from one another because of the lenses of their background, upbringing, education, and a multitude of other factors that have shaped and molded them.
Think about a phenomenon we see far too often: A company entirely made up of people of a similar gender, age group, culture, race, demographic, or socio-economic status. This situation almost never improves organically, because recruiting through existing employees' social networks at monolithic organizations tends to reinforce this demographic disaster.
Without diversity, any organization will consistently yield remarkably narrow and irrelevant conclusions and attack problems in a very limited way, especially in their approach to security and privacy. How could it not? A monoculture is scientifically vulnerable to disease because of its lack of genetic diversity. Similarly, creating an echo chamber within organizations through limited demographic diversity leads to suboptimal outcomes, including woefully inadequate security.
The pitfalls of a demographic monoculture
Let's walk through two scenarios to better illustrate the difference between diverse and globally aware organizations, and those that are painfully stuck in the past.
For the first scenario, picture a group of 10 employees, all 40- and 50-year-old Caucasian men, all of whom have attended top Ivy League schools and come with strong business and finance experience. They all have their MBA, were raised in upper-middle- or upper-class households, played sports in college, are married with two to three kids, and have similar religious beliefs.
Before any serious business dialogue even begins, they have a chance to socialize for a little while, and quickly discover the immense number of similarities they have in common. Differences will be cast aside, and these jaw-dropping similarities are going to create a warm feeling of comfort and belonging in the room. Dissension and discomfort will be non-existent in this remarkably cookie-cutter crowd.
Imagine that this group is then presented with a topic to problem-solve. One person is appointed to lead the discussion, and to encourage collaboration, communication, and feedback. He gets up and starts the ball rolling with the new colleagues with whom he has already bonded.
The die has been cast for this monoculture of men, and each one of them will behave as if they "belong to a club." In effect, they will create an echo chamber in which, if one person makes his position clear, there will be little to no dissension from his other colleagues. As the building blocks of an idea are laid out, complete collaboration will take hold, with few alternatives.
Welcome to the world of a monoculture of people and ideas. As ideas are thrown out into the discussion, the nods and words of encouragement and agreement are seen and heard. If one disagrees, the nature of that group will lend itself to words like, "We're all on the same page." Rarely will someone rock the boat and propose a competing idea in such a bonded group of like-minded men.
Now, consider scenario two: Envision a room with 10 people that's teeming with diversity. This group is gender-balanced, from a breadth of cultures, a variety of socio-economic backgrounds, and a wide range of beliefs. This cohort is also racially and ethnically diverse, bringing together a plethora of educational backgrounds, personal hobbies, and career journeys.
It's the first scenario turned on its head, as the people in the room rapidly discover the immense number of differences they have with each other. Inevitably, those differences will be highlighted and even embraced, creating an inquisitive buzz and interest in the room.
If this diverse set of folks is presented with the same problem as the previous group, their radically different walks of life will encourage collaboration, communication, and especially feedback.
There's no "club" to belong to that could hold them back, and they instead get up and get the ball rolling when challenging situations arise. Because there's such a diverse group of people in the room, there will be a wealth of different positions, perspectives, viewpoints, even to the point of complete disagreement in the room at times. The richness of diversity of thought will provide entirely new ways of looking at challenges. Some viewpoints expressed or highlighted will be completely novel to other members of the group.
In my experience, between the two scenarios, there is only one option you want in your business. A diverse workplace coupled with a collaborative and communicative management approach yields diverse thoughts and solutions, and brings a wealth of information, experiences, and ideas to the table that you might never have otherwise considered.
Global awareness begins by leveraging diversity for better results. In cybersecurity, this is crucial in achieving a higher level of security within an organization. Diversity of thought and mind from wider demographics addresses challenges around security, whereas I've found homogenous groups often omit, miss, or entirely ignore them.
Communicate for a global world – advertising strategies are a good start
Communication in a global world is tricky when your ranks are teeming with diversity. That's why your communication strategy should piggy-back off of the foundational ideas in advertising. If you take a look at the advertising world, you'll see that advertisements are not a "one size fits all" model. Each advertisement is geared to its appropriate audience and demographic, to make it impactful and relatable to its target audience. Yes, creating multiple advertisements for the same object to appeal to a wide audience may be expensive, but as we've all experienced, it's needed to catch our eye. We each need to be able to attach ourselves to the object or idea in some fashion. If we can't, the advertisement will go right by us without implanting a need or connection to the item or idea. Communication without impact is basically the same as no communication at all.
To build the groundwork for sound cyber hygiene, every member of the targeted employee audience needs to feel that the message is relatable to them, talking to them, or needed by them, so that they become attached to the message in a meaningful way. We want to spur buy-in, in a similar way to how advertisers want to spur the desire to go out and buy a particular item. We want employees to accept and integrate the idea presented. This isn't a novel approach – advertisers caught on to the need for personalization and relevancy a long time ago.
If, instead, we force conformity and order people to defy their natural instincts, we'll produce massive frustration instead. The toxicity of that frustration can lead to employees experiencing the feeling of not being valued by their organization. Going back to the problem with top-down mandates, employees begin to disengage, find themselves facing chronic dissatisfaction, and decide not to stick around in the long term, as their loyalty wanes. This creates significant issues in your organization and your cybersecurity.
We have to think critically about our communication patterns and employ a multifaceted approach to leverage the different mediums we have at our disposal. We have to cast a wide net to make our necessary protocols resonate with everyone at the organization. To get organization-wide buy-in, we have to make our ranks feel comfortable and stimulated, and familiar with what we need from them to create a cyber secure organization.
In my experience, in practice this means you're going to have to think about the employees you're targeting. Break them down into groups and segment them. Analyze how they like to learn and what they get excited about; dive deeper and examine what methods of learning might inspire higher levels of comfort and familiarity for each group. Find out what kind of messaging and delivery is appealing to each respective demographic. For example, when it comes to millennials, gamified learning or training is often a good tool; think about making that one of the methods you make available to them.
Pay attention to the details that define your employees. Take the time to get to know them, show interest in their work, and understand who they are as people. Celebrate their birthdays, and look them in the eye as you talk to them; even that one moment of full focus is meaningful.
In turn, they will feel valued, and that happy, cohesive, and loyal atmosphere will set the stage for success across your organization both from a human and a security standpoint. When people are valued and feel integrated into a larger collective, loyalty naturally follows. If you don't seek to build that connection, if people feel taken advantage of or dismissed, they could express their grievances with actions and that negativity can eventually undermine organizations.
Transitioning to technical underpinnings of proper cyber hygiene
Now that we've thoroughly reviewed the organizational dynamics that are necessary for proper cyber hygiene, we can move on to the essential technical considerations of Step 3 and Step 4. Cyber dangers remain persistent, and we must have the right technological foundations and security protocols to keep our organizations safe.
Always recall that these technologies and protocols don't exist in a vacuum. They are built, operated, and breached by humans. A human-centric approach to cybersecurity should always be at the forefront of proper cyber hygiene. If you ignore human factors, you do so at your own peril – don't expect good results without viewing everything through the lens of our shared humanity.
The rational basis for framing cyber hygiene as a human-powered endeavor is straightforward. Humans remain the weakest link in the security chain, and simultaneously the problem and the solution. Don't forget that even while I'm discussing technical specifications and protocols, human beings remain front and center of any step that solidifies good cyber hygiene.
Step 3 – Updated security and patching
To begin Step 3, let's talk about a simple concept that might seem a little obvious to some, but is in fact often overlooked by cybersecurity professionals around the world. It's common sense to keep your systems updated and patched at all times, but you would be surprised how many businesses and organizations fail to do exactly that.
It's crucial for an organization to have up-to-date security and patching throughout their environment, which inevitably means running up-to-date operating systems (OSs). This can be a daunting task for big organizations that don't have a good handle on every single device they're currently operating. Nevertheless, this is something you can't ignore. If you're not running a current OS, you're already setting the stage for eventual disaster.
Think about what happens when a new patch becomes available, and you need to implement that patch throughout your organization. When you take on that monumental task, you're operating under the assumption that your OSs are the latest versions available, and are therefore supported by the manufacturer. If you're running old OSs instead, they won't be supported and no patches will be created for ongoing security issues. This is always, in my experience, a one-way ticket to cybersecurity failure. In sum, please run updated OSs at all times if you want to patch effectively, and have proper cyber hygiene overall. Period.
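The book makes the point that patching only works if you know every device you operate and every one of them runs a vendor-supported OS. The following is an added example (not code from the book or its author) of how that check can be automated against an inventory export: it flags hosts whose OS is past its support end date, hosts whose last patch is older than a chosen threshold, and hosts whose OS the lifecycle table doesn't know at all. The OS name "ExampleOS", its support end dates and the inventory rows are all constructed placeholders; a real audit would load the lifecycle data from the vendor and the inventory from your asset-management tool.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed lifecycle table: (OS, version) -> date vendor support ends.
# These are illustrative placeholders, not real vendor end-of-life dates.
SUPPORT_ENDS = {
    ("ExampleOS", "10"): date(2030, 1, 1),
    ("ExampleOS", "9"): date(2025, 6, 30),
    ("ExampleOS", "8"): date(2022, 12, 31),
}

# Constructed inventory export, shaped like a fleet-management CSV dump.
INVENTORY_CSV = """hostname,os,version,last_patched
web-01,ExampleOS,10,2024-05-01
db-02,ExampleOS,9,2024-01-15
legacy-03,ExampleOS,8,2023-11-20
kiosk-04,ExampleOS,10,2023-09-30
"""


@dataclass
class Finding:
    hostname: str
    status: str   # "ok", "unsupported_os", "patch_overdue" or "unknown_os"
    detail: str


def parse_inventory(text):
    """Parse the CSV export into dicts with a real date for last_patched."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "hostname": row["hostname"],
            "os": row["os"],
            "version": row["version"],
            "last_patched": date.fromisoformat(row["last_patched"]),
        })
    return rows


def audit_host(host, today, max_patch_age_days=30):
    """Classify one host. Support status is checked before patch age, because
    an out-of-support OS gets no new patches no matter how recently it was updated."""
    support_end = SUPPORT_ENDS.get((host["os"], host["version"]))
    if support_end is None:
        return Finding(host["hostname"], "unknown_os",
                       f"no lifecycle data for {host['os']} {host['version']}")
    if today > support_end:
        return Finding(host["hostname"], "unsupported_os",
                       f"vendor support ended {support_end.isoformat()}")
    age_days = (today - host["last_patched"]).days
    if age_days > max_patch_age_days:
        return Finding(host["hostname"], "patch_overdue",
                       f"last patched {age_days} days ago")
    return Finding(host["hostname"], "ok", f"last patched {age_days} days ago")


def audit_inventory(text, today_iso, max_patch_age_days=30):
    """Audit every host in a CSV export as of the given ISO date."""
    today = date.fromisoformat(today_iso)
    return [audit_host(h, today, max_patch_age_days) for h in parse_inventory(text)]


def summarize(findings):
    """Count findings per status, so the report can open with the headline numbers."""
    counts = {}
    for finding in findings:
        counts[finding.status] = counts.get(finding.status, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_inventory(INVENTORY_CSV, "2024-05-20")
    for finding in results:
        print(f"{finding.hostname:10} {finding.status:15} {finding.detail}")
    print(summarize(results))
```

Run against the constructed inventory as of 2024-05-20, the report separates the three failure modes the chapter warns about: `legacy-03` is unsupported and cannot be patched at all, `db-02` and `kiosk-04` are supported but overdue, and only `web-01` is current. The "unknown_os" status matters as much as the others: a device the lifecycle table has never heard of is exactly the unmanaged asset that big organizations lose track of.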
Averting a crisis – updating is everything
You might be wondering why there are so many high-profile cyber incidents in today's world. Billions of dollars are spent on cybersecurity yearly, so why are successful data breaches so common? Threats have clearly proliferated; we've seen so many Fortune 100 companies fall victim to massive breaches that we've grown numb to them. But there's another piece to this puzzle. Looking from the outside, one would think that these companies that were breached would naturally have the latest and greatest security, with little or no possibility for a breach. Clearly this is not the case, as many companies ignore their obvious security weaknesses.
For instance, you might not know that the big Equifax hack that exposed 143 million customers' personal data to unknown cybercriminals could have been entirely avoided (https://www.cnet.com/news/equifaxs-hack-one-year-later-a-look-back-at-how-it-happened-and-whats-changed/). It turns out that the company was using out-of-date software with a known security weakness.
You might be pondering: Why didn't Equifax, and other major corporations that fell victim to similar data breaches, stay up to date on their security and patching?
It would be reasonable to assume that they would protect themselves and their customer's data, but evidently they utterly failed in that endeavor. In my opinion, we can blame both technical and organizational dynamics trickling down from management, at that company and many, many others.
A cognizant C-suite – management that comprehends security and patching trickles down
Bringing the human factors back in, let's talk about the inextricable connection between updated security and patching and organizations that practice true cyber hygiene. A model organization would have top executives in place, schooled in the importance of having cybersecurity teams, and who work around the clock when vulnerabilities arise.
If there exist in your organization paths for attackers to breach your internal systems and access sensitive data, you're already making your bed, and when the cyber incident comes you'll have to lie in it. One effective solution is to implement the safer practice of storing that data on computers disconnected – or "air-gapped" – from the internet.
Unfortunately, when senior management and executives at companies aren't educated enough around these issues and aren't the most tech-savvy, they often lack understanding of what's at stake. More importantly, they don't know how to quickly protect the valuable information that's been entrusted to them by their company and their customers. Cognizance of what's at stake at the top of the organization ultimately determines the level of security that can be achieved organization-wide.
The need for a proactive and reactive security posture
It's pivotal that the entire team, not just management, practices and promotes a security posture that's both proactive and reactive, by understanding the risks and problems that occur if and when employees create paths for an attacker.
You have to be proactive in the sense that you have to think ahead and strategically plan for threats that may be coming around the bend even before they unfold.
Additionally, you have to be reactive as you have to respond as quickly as possible to any breaches, to contain the damage. This mixed posture is an essential ingredient in cybersecurity that you'll see me return to throughout the book.
The need for a proactive and reactive security posture is making waves throughout the cybersecurity world. Today, there are many corporations that are acutely aware of the need to better integrate development and operations in a rapidly changing cyber landscape.
Proactively, SecDevOps (also written DevSecOps: security, development, and operations working together toward a common goal) builds security into development and deployment, so that security patches and updates flow through the same automated pipeline as any other change instead of being applied by hand. This is quickly becoming the new norm among many large companies, who want to strike a better balance between efficiency and security.
Reactively, tools such as AI-driven anomaly detection can help us spot when a user, device, or system isn't behaving as expected, so that an intrusion can be detected and contained quickly, before it spins out of control.
The cost of a breach – the stakes are always high
Let's take a moment to consider the staggering cost of a data breach. The Ponemon Institute found that the global average cost of a data breach was around $3.62 million, and that was back in 2017. Lately, some breaches are costing organizations many times that (https://digitalguardian.com/blog/whats-cost-data-breach-2019). I will note here that it's important in my experience for organizations to purchase cyber insurance. The kind of breach and amount covered by the policy will vary by organization, but I believe it is a must-have for all organizations in this day and age. It won't mitigate the damage of a breach, but it is a tool that can help soften the blow financially.
The costs of breaches tend to be much higher in the industrialized world, where regulatory fines are higher and the cost of downtime can devastate a company's bottom line. Nevertheless, wherever breaches happen, they tend to be very costly and cause reputational fallout that reverberates for years to come.
Transitioning to Zero Trust
Now that we're moving on to Step 4, you might be thinking that you can confidently approach all of the milestones that I've laid out thus far. I have news for you: if you don't have a Zero Trust model, proper cyber hygiene is always going to be a millstone around the neck of your organization.
I want to paint a clear picture of what having a Zero Trust model looks like and why you need it to fully implement proper cyber hygiene. You can have superb training, be the very archetype of a globally aware organization, and strictly adhere to best practices in updating your security and implementing necessary patching – but it could all fall apart spectacularly without a Zero Trust model.
Step 4 – Implementing a Zero Trust model
Let's start with the basics: Zero Trust is a security model built on the principle that an organization should not automatically trust, or grant access to, anything inside or outside its perimeter. Instead, it verifies everything trying to connect to its systems before granting access.
Zero Trust means, as a first step, denying all access by default. Nobody is trusted without verification that tells the network who they are, and this applies to machines, IP addresses, and so on: being on an internal address is not evidence of anything. Access is granted only once the requester is a known entity and has been explicitly authorized for the specific resource it is asking for.
The Zero Trust model highlights the real need for proper identity management. In the past, organizations focused only on protecting and defending their perimeter. The broad assumption was that everyone within the confines of the organization was safe, with no consideration of the insider threats that could expose it to breaches. Therefore, if a hacker or bad actor was already inside the perimeter, further internal access was readily granted. The focus was on protecting the perimeter of the business to keep the data safe.
It was common to think that the enemy would be at the walls, trying to breach the perimeter, while the employees inside the perimeter would be perfectly safe and fine because they are employees of the organization.
Over time, cybersecurity leaders and experts examined many severe data breaches and analyzed the weaknesses behind them. They found that these breaches succeeded because attackers who gained a foothold inside the corporation could then move laterally through its internal systems and reach the information they wanted. Their access was effectively limitless, because they became trusted the moment they were inside the perimeter, and once in they could do a great deal of damage.
Zero Trust protects an organization from these attacks, because identity is key not only at the perimeter but internally as well. Information is locked down, and access is granted only after the proper identity verification is completed each and every time the data is accessed. Having access to one area no longer means you've been handed the keys to the kingdom. That's why carrying out a Zero Trust policy is a critical piece of the puzzle in your quest to achieve proper cyber hygiene.
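To make the default-deny, verify-every-request idea concrete, here is an added example (not code from the book) of an access decision written in the Zero Trust style: the only inputs are the authenticated identity, the device's posture, the requested resource, and how recently the identity was verified. The source IP is carried for logging but never consulted. The roles, resources, devices and requests are constructed for illustration, as are the 15-minute re-verification window and the set of sensitive resources.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Assumed role model: role -> resources it may reach. Holding an entitlement
# to one resource says nothing about any other (no "keys to the kingdom").
ENTITLEMENTS = {
    "finance": {"ledger", "payroll"},
    "engineer": {"source-repo", "build-server"},
    "intern": {"wiki"},
}

# Assumed: resources that demand a recent, MFA-backed verification on each access.
SENSITIVE = {"payroll", "source-repo"}
MAX_AUTH_AGE = timedelta(minutes=15)


@dataclass
class Session:
    user: str
    role: str
    mfa: bool                   # second factor presented for this session
    authenticated_at: datetime  # when the identity was last verified


@dataclass
class Device:
    device_id: str
    managed: bool               # enrolled in device management
    disk_encrypted: bool
    patched: bool


@dataclass
class Request:
    session: Optional[Session]  # None -> unauthenticated caller
    device: Device
    resource: str
    source_ip: str              # logged, never consulted for the decision
    now: datetime


def device_compliant(d: Device) -> bool:
    return d.managed and d.disk_encrypted and d.patched


def decide(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Every path that does not satisfy all checks
    explicitly ends in a denial; there is no implicit trust to fall back on."""
    s = req.session
    if s is None:
        return False, "deny: no authenticated identity"
    if not s.mfa:
        return False, "deny: identity not verified with a second factor"
    if not device_compliant(req.device):
        return False, f"deny: device {req.device.device_id} is not compliant"
    if req.resource not in ENTITLEMENTS.get(s.role, set()):
        return False, f"deny: role {s.role} has no entitlement to {req.resource}"
    if req.resource in SENSITIVE and req.now - s.authenticated_at > MAX_AUTH_AGE:
        return False, "deny: verification is stale; step-up authentication required"
    return True, f"allow: {s.user} -> {req.resource}"


def demo() -> List[Tuple[bool, str]]:
    """Constructed requests, all arriving from the same internal address."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    laptop = Device("lt-0042", managed=True, disk_encrypted=True, patched=True)
    phone = Device("byod-7", managed=False, disk_encrypted=True, patched=True)
    alice = Session("alice", "finance", mfa=True,
                    authenticated_at=now - timedelta(minutes=5))
    stale = Session("alice", "finance", mfa=True,
                    authenticated_at=now - timedelta(hours=3))
    requests = [
        Request(None, laptop, "wiki", "10.0.0.5", now),          # inside != trusted
        Request(alice, laptop, "ledger", "10.0.0.5", now),       # entitled
        Request(alice, laptop, "source-repo", "10.0.0.5", now),  # not entitled
        Request(alice, phone, "ledger", "10.0.0.5", now),        # bad device posture
        Request(stale, laptop, "payroll", "10.0.0.5", now),      # needs step-up
    ]
    return [decide(r) for r in requests]


if __name__ == "__main__":
    for ok, reason in demo():
        print(reason)
```

Running `demo()` returns five decisions: the anonymous request from an internal address is denied, Alice reaches the ledger, her ledger entitlement does not extend to the source repository, the same request from an unmanaged phone is denied, and a verification older than the window is refused for payroll and must be stepped up. In a real deployment these signals come from the identity provider and the device-management service rather than from in-memory objects, but the shape of the decision is the same.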
Zero Trust, insider threats, and attacks
Understanding and combating insider threats and attacks goes hand in hand with implementing proper cyber hygiene. It is part of the security culture your organization needs to embrace, and applying security consistently across the whole organization is critical. Effective teamwork in this area rests on cohesiveness and on mutual respect between management and employees.
When new security protocols are being implemented into your organization, explain to your employees why they're needed and consistently make them part of the solution. Employees need to feel valued, heard, and supported by their management. A security culture that's felt and lived by all in the organization will cut the numbers of insider threats by leaps and bounds, if done correctly. To really put this plan into motion, however, you need to understand the different kinds of insider threats.
Malicious and non-malicious insider threats/attacks
Insider threats or attacks fall into two broad types: malicious and non-malicious. Malicious attacks are perpetrated by either an opportunistic employee or a disgruntled employee.
Shaw (2005) characterizes the two malicious profiles as follows:
Opportunistic employees:
- Are motivated by their personal, selfish desires around money or opportunity
- Can be any gender
- Have access across the organization, which could be physical, digital, or both
- Have the ability to rationalize the illicit act (moral rationalization)
- Are highly technically skilled
- Suffered a recent (past 6 months) adverse event, at work or in their personal life
The best way to combat the threat of opportunistic employees is as follows:
- Position rotation and cross-training
- Mandatory vacation policies
- Regular audits
- Visible monitoring
- Transparent and rapid sanctions
Disgruntled employees:
- Are motivated by ego
- Are more likely to be male
- Are the "lord of their fiefdom," exerting great personal control over their sphere of work
- Have an overblown sense of entitlement
- Display a history of negative social and personal behaviors, often requiring intervention from management
- Have a lack of social skills, or exhibit strong social isolation
- Were part of a recent inciting incident, in which they lost face or power, which they consider an embarrassment
Combat disgruntled employees as follows:
- Firm controls on who can and cannot access different areas of business
- Clear role boundaries that limit responsibility creep
- Cross-functional teams
- Management training to recognize problematic behavioral changes
- Robust and automatic post-termination protocols to remove access from terminated employees
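Several of the controls in the two lists above (regular audits, firm access controls, clear role boundaries, and automatic post-termination revocation) come down to one recurring question: does every live access grant still belong to an active person in a role that needs it? The following is an added example, not from the book, of such a reconciliation run over a constructed HR roster, role model and access export. The names, systems, and the threshold of two out-of-role grants used to flag responsibility creep are assumptions for illustration.

```python
from collections import defaultdict
from datetime import date
from typing import Dict, List, Set, Tuple

# Constructed HR roster: account -> (role, status, termination date or None)
HR = {
    "alice": ("finance", "active", None),
    "bob":   ("engineer", "terminated", date(2024, 3, 1)),
    "carol": ("engineer", "active", None),
    "dave":  ("intern", "active", None),
}

# Assumed role model: which systems each role legitimately needs.
ROLE_SYSTEMS: Dict[str, Set[str]] = {
    "finance": {"ledger", "payroll"},
    "engineer": {"source-repo", "build-server", "ci-secrets"},
    "intern": {"wiki"},
}

# Constructed export of live access grants: (system, account, granted on)
GRANTS = [
    ("ledger", "alice", date(2023, 6, 1)),
    ("payroll", "alice", date(2023, 6, 1)),
    ("source-repo", "bob", date(2022, 1, 10)),    # survived termination
    ("build-server", "bob", date(2022, 1, 10)),   # survived termination
    ("source-repo", "carol", date(2023, 2, 2)),
    ("ci-secrets", "carol", date(2023, 2, 2)),
    ("payroll", "carol", date(2023, 9, 9)),       # outside the engineer role
    ("wiki", "dave", date(2024, 1, 5)),
    ("ledger", "dave", date(2024, 1, 5)),         # outside the intern role
    ("build-server", "dave", date(2024, 2, 1)),   # outside the intern role
    ("root", "mallory", date(2023, 12, 24)),      # no HR record at all
]

# Assumed: this many grants outside the role is treated as responsibility creep.
CREEP_THRESHOLD = 2

Finding = Tuple[str, str, str, str]  # (kind, account, system(s), detail)


def audit(hr, role_systems, grants) -> List[Finding]:
    """Compare live grants with HR status and role boundaries."""
    findings: List[Finding] = []
    out_of_role = defaultdict(list)
    for system, account, granted in grants:
        record = hr.get(account)
        if record is None:
            findings.append(("ORPHAN_ACCOUNT", account, system,
                             "no HR record backs this account"))
            continue
        role, status, term_date = record
        if status == "terminated":
            findings.append(("TERMINATED_ACCESS", account, system,
                             f"terminated {term_date}, grant still live"))
            continue
        if system not in role_systems.get(role, set()):
            out_of_role[account].append(system)
            findings.append(("OUT_OF_ROLE", account, system,
                             f"not part of the {role} role"))
    # Several out-of-role grants on one person is the signature of
    # responsibility creep, not an isolated mistake.
    for account, systems in out_of_role.items():
        if len(systems) >= CREEP_THRESHOLD:
            findings.append(("RESPONSIBILITY_CREEP", account,
                             ",".join(sorted(systems)),
                             f"{len(systems)} grants outside the role"))
    return findings


def revocations(findings: List[Finding]) -> List[Tuple[str, str]]:
    """Grants the post-termination protocol should remove automatically:
    everything held by terminated or unrecognised accounts."""
    return sorted((system, account) for kind, account, system, _ in findings
                  if kind in ("TERMINATED_ACCESS", "ORPHAN_ACCOUNT"))


if __name__ == "__main__":
    report = audit(HR, ROLE_SYSTEMS, GRANTS)
    for kind, account, system, detail in report:
        print(f"{kind:21} {account:8} {system:24} {detail}")
    print("revoke:", revocations(report))
```

The terminated and orphaned grants are the ones an offboarding pipeline should revoke without waiting for a human, which is what the "robust and automatic post-termination protocols" control asks for; the out-of-role and creep findings are what a periodic audit hands to managers for a decision. Running this on a schedule against real identity and HR exports turns "regular audits" from an intention into a control.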
A Zero Trust model covers many of the controls needed to protect against a malicious insider. Implemented as a component of proper cyber hygiene, it keeps this kind of threat to a minimum: an insider whose every access is verified and scoped to their role cannot quietly roam through the organization's data.
A non-malicious insider threat can manifest itself in a number of ways, the first being the oblivious employee – one who is oblivious to security protocols and security awareness in the organization. We cover the risky behavior and common mistakes these insider threats can make extensively in Chapter 2, How Risky Behavior Leads to Data Breaches, and discuss several methods your company can put into place to mitigate these risks.
This brings us back to continuous training and global awareness in an organization – keeping security and cyber hygiene at the forefront of your employees' minds. Always make your employees feel supported by their management team. Uncertainty yields a lack of decisiveness, which then leads to mistakes or sloppiness around security. When an employee feels supported by their management, they're more likely to go to them with a question or problem, and take proper action when the need arises.
The dangers of social engineering
Another important type of non-malicious insider threat is an employee who can be easily socially engineered. You may think that's hard to do, especially to a senior executive in an organization, but consider the following.
Imagine a criminal, Xander, wants to gain access to a secure part of a building where credentials and identity are taken very seriously. Xander does not have the proper identity or credentials. If Xander still tries to gain access, even though he does not have the proper credentials, he will be refused entry. The system works, right?
Imagine another criminal, Yvette, also attempting to gain access to the same environment without proper identity or credentials. Yvette, however, understands that social engineering may be her way in, by preying on the weakest link in the security chain – the human. Yvette did her homework and found out that someone in the secure environment she wants to get into is very pregnant. Yvette approaches the secure environment with bags of baby presents looped on both arms, carrying a huge cake for the "surprise baby shower" that someone in the office is supposedly throwing for their pregnant colleague. Doors fly open; people even hold doors for Yvette that normally require specialized card access. How can this happen in a secure environment where credentials are needed for access, but none are presented on entry?
In this case, access was granted because of a well-played social engineering technique. It's simple to identify baby gifts and a huge cake as a celebration. This is something most people are fond of and like to be part of when they can. Since the employees know they have a pregnant colleague, there was no question in their minds about whether this celebration was indeed truly happening. The physical components of this celebration were present, so their minds file Yvette away as "allowed," since she fits the profile of someone belonging to a celebration that it makes sense to be occurring.
Yvette was smart enough to be laden down with gifts and a big cake, thus using another social engineering technique: counting on a "good Samaritan" to hold the door, distracted by the gifts and cake and not asking for proper credentials, since Yvette's hands were occupied. A bystander watching this exchange would rationalize that Yvette was "allowed" to be here, because why else would she be carrying presents and a cake? "I'm a good citizen and want to be part of this celebration, and that cake looks soooo good."
Social engineering exploits normal human behavior: the attacker uses props, distractions, pretexts, or bogus credentials to make the target believe that what they are seeing or hearing is true, and that the action or circumstance in front of them is legitimate.
Zero Trust in this case would also help protect the organization, with access only allowed with proper credentials, both technical and physical. A cake and presents aren't proper credentials for access. Pausing, and not getting caught up in a situation, but focusing on real, known technical and physical credentials will curtail social engineering techniques from putting your employees and organization at risk.
Slow the situation down and have protocols in place to educate your employees and protect them from social engineering. When employees unwittingly assist a malicious attack, they aren't actively trying to hurt the organization; often they're simply unaware and ill-trained in how to protect themselves and the organization.