Did you know that, according to leading global research, 95% of cyber security breaches are due to human error? On top of that, only 38% of global organizations state that they are prepared to handle a sophisticated cyber attack. Worse still, as many as 54% of companies say they have experienced one or more attacks in the last 12 months—and this number rises every month. In light of this, cyber security (and cyber security awareness) is critical to your survival in an industry dominated by growing virtual crime, writes Dharmesh B. Rathod, Independent IT & Cyber Security Strategist, Architect & Adviser.
We are currently witnessing the most challenging and interesting phase of global industry. Big organizations around the world have seen rapid and progressive business expansion over the last few decades and continue to grow towards ever greater goals. As we strive for business excellence and embrace digitalization, more and more of our business functions and processes depend on the information technology domain, resulting in a huge volume of digital data.
Given the weight of past industrial revolutions, the paradigm shift towards automation across all industry segments, and the technology drift that the next generations are poised to witness, it makes sense for all of us to understand the imperatives along with their adverse impacts. In the context of Information Technology, this article looks at the overall impact of Cyber Security, a domain that at times appears to be cast in a "Big Brother" role whenever the prospects of IT are discussed or worked upon.
While such dependency on digital data is evident, it calls for adequate protection of that data and of the way it is handled, maintained and sustained securely. I have served major global business houses as their Group CISO (Chief Information Security Officer) in my past tenure and have experienced varied cultures when dealing with the adoption of, or taming, cyber security for the organization. I have led the journey of Cyber Security in close conjunction with CEOs, Group CIOs, business CIOs and entire IT teams across all businesses.
Talking about the supply chain industry, I learnt the mammoth quantum of collaborative multi-way engagements between companies, partners, OEMs, authorities, etc. This extends the ecosystem far beyond the source organization(s) and hence cascades over to all service functions like IT. Imperatively, Cyber Security also finds its way almost boundlessly when we talk about big enterprises with such enormous supply chain ecosystems, and at times this complexity makes it challenging for CISOs to ensure a secured end-to-end environment. Nevertheless, simple when said but utterly complex when practically dealt with, I had profound Cyber Security partner ecosystem(s) that ensured the desired outcome in my past professional experiences.
One of the various streams that I drive directly is "Cyber Security" awareness, and I am going to explain a bit about this for better understanding and easier acceptance across daily engagements within your business organizations/functions. Before that, let's understand a few trends within Cyber Security and the prevailing wrath across the industry in the past 1-2 years. The 2017 Cyber Threat Defense Report yielded dozens of insights into the challenges faced by organizations today. Key findings include:
• Held hostage by ransomware: 61% of respondents indicated that their organization was victimized by ransomware last year. Of those affected, 33% paid the ransom and recovered their data, 54% refused to pay but successfully recovered their data anyway, and 13% refused to pay and subsequently lost their data.
• Microsoft leaving the door open? One in five respondents is not satisfied with the protections Microsoft provides to secure Office 365 environments, leaving the door open for third-party security solutions.
• Rising attacks are the new norm: The percentage of organizations affected by successful cyber attacks has risen for the third-consecutive year – from 62% in 2014, to 70% in 2015, to 76% in 2016, and now to 79% in 2017. Today, three in five believe a successful cyber attack in the coming year is more likely than not.
• Now hiring: An astounding 9 out of 10 respondents indicated their organization is suffering from the global shortage of skilled IT security personnel. 51% of respondents are leveraging external vendors and contractors to fill the void.
• Cyber insurance reaches critical mass: Three-quarters of respondents rate their organization’s level of cyber insurance investment as adequate. Less than 9% of respondents expressed concern over insufficient coverage.
• Network deception technology excites: Of 16 network security technologies depicted in the survey, honeypots / network deception technology (41%) is the one most sought after in the coming year, followed by next-generation firewalls (39%) and user and entity behavior analytics (38%).
• Database and web application firewalls reign supreme: When asked which of 11 application and data-centric security technologies are currently deployed by their organizations, respondents ranked database firewalls and web application firewalls (WAFs) highest, each with a 65% adoption rate.
• Under investing in the human firewall: When respondents were asked what’s inhibiting them from securing their employers’ networks, “low security awareness among employees” was the top response for the fourth-consecutive year, followed by “lack of skilled personnel” and “too much data to analyze.”
It is worth noting that most (though not all) of these findings point to a lack of sensible, cautious and active participation by all stakeholders/employees in securing the digital ecosystem. The scenario is no different across industry segments, and it is found to be similar in supply chain related domains/industry segments as well.
Another report says that 84% (net) of Indian businesses are expected to make security a higher priority over the next two years, the major drivers being:
• Change in IT operations (e.g. cloud, mobility)
• Internal security breach or incident
• Change in business operations or client base
• Reports of security breaches at other firms
• Knowledge gained from training/certification
At the strategic level, an organization should have a clearly defined Cyber Security program that deals with the domains of People, Processes and Technology. This means there have to be necessary and sufficient Cyber Security technology controls/programs to safeguard the overall organization IT landscape, the necessary processes to manage the functions of IT and its systems, and finally people with the right skill sets to drive the overall Cyber Security program. Overall, Cyber Security is also everyone's responsibility; this emphasizes the vital fact that everyone contributes towards securing the organization's data/information through due adoption of, and adherence to, Cyber Security best practices. The IT/Cyber Security department alone cannot ensure the entire organization's Cyber Security posture without the involvement of every employee as an active participant. To achieve this, every participant should be well aware of Cyber Security concepts and of their roles and responsibilities in adhering to Cyber Security policies/procedures, so as to safeguard data/information and contribute to the organization's overall Cyber Security program. The Cyber Security team or department can make this possible through a well-thought-out, organization-wide Cyber Security Awareness program, run yearly with appropriate checks and review methods.
“The best way to protect data security is to get rid of all humans. Plan B is to train them”
Cyber Security awareness is mainly driven through a structured program: a year-long progressive campaign, repeated each year. The fundamental rule of thumb is "Cyber Security is everyone's responsibility", and the aim is to ensure that all employees understand Cyber Security all around (the organization's policy, compliance requirements and security management), thereby making sure "People, Process & Technology" are properly integrated with Cyber Security across the organization.
Let's look at the various areas of a Cyber Security campaign, the means by which they inculcate Cyber Security principles, policies, compliances and regulations, and a few measurement tools for gauging effectiveness.
Cyber Security Awareness Course
An interactive, animated streaming video course is made available to all employees. Typically, this course outlines the following:
• Cyber Security fundamentals – the CIA Triad: Confidentiality, Integrity & Availability
• Cyber Security policy and its guidelines
• Emphasis on major policy contents
• Key areas of focus on end user (employee) Cyber Security aspects
• Animated demonstrations explaining end user security pointers such as maintaining confidentiality of business data, access control, avoiding social media for business data, etc.
• A short and crisp test to refresh the learning of this course content
• Finally, a certificate to mark successful completion of the course
All end users/employees must undergo this course and successfully submit the completion certificate. The course should be mandatory across the organization. All leaders/department heads are also required to ensure this course is mandated for all their new joiners through the induction program.
Awareness through email fliers & digital posters
Email fliers and posters with well-defined themes targeting cyber security are released to all employees. Some of the commonly used themes are:
• Data Leakage Preventions/Protections
• Clear Desk/Screen
• USB Disk/Pen Drives security
• Ransomware and malware
• Access Control
• Security while using Social Media
• Major Cyber attacks
• Security for Internet of Things
• Cyber Security while travelling, etc.
• Workplace security
Awareness through physical posters
Almost all of the digital posters can be reused for poster-based campaigns across major locations such as notice boards within major buildings, canteens (where the employees' attention is most easily captured), plant buildings, etc.
Classroom based training
Extensive classroom-based training needs to be conducted at locations across the organization. While the CISO team cannot reach every location, "Train-the-trainer" sessions for all business IT team InfoSec SPOCs will ensure extended coverage.
External speakers (outside-in)
Several renowned and well-known speakers from the industry can deliver sessions on various topics through different forums. The themes should change every year based on changes in the industry threat vectors. This helps us conduct the Cyber Security Awareness Program more effectively. Senior management across most organizations has very recently become much more focused on Cyber Security, considering its strong hold across various IT-driven business ventures, both internal and with external partners. With a growing IT landscape, and the way we are leaping at full scale towards digitalization, it is imperative for all of us to embrace Cyber Security compliance and best practices, thereby making organizations collaboratively secure and safe.
Overall, the entire awareness campaign should be assessed through a thorough Cyber Security Maturity Measurement program that gauges the effectiveness and efficiency of the awareness program against the goals it was built for.
Finally, Cyber Security is Everyone’s Responsibility.