New concept of organization’s security
20.04.2022
The time has come to change our attitude to the concept of organizational security and to develop new methods for assessing an organization's level of protection. We need to rethink the basic postulate about what the main asset in the information security chain is. There is a widespread opinion that software and technology are the most important components of an organization's security system. Nevertheless, the absolute majority of cyber-attacks and data-related incidents happen because of mistakes made by people. That is why we would like to offer a new way of thinking. Let us take a closer look at some clues that may help strengthen the security posture of any company or organization:
1) Engagement.
It is crucial to strengthen the engagement of your clients and employees in all security-related processes. Many companies organize security training on an annual, quarterly or similar basis. Undoubtedly, periodic training seminars give employees and clients relevant information, help them develop useful skills, raise their level of awareness and strengthen the company's security. But in current circumstances this is not enough, and a new, comprehensive approach should be implemented. Since the new system is focused on people themselves, both employees and customers, the first task to solve is to increase the engagement of both groups in protecting the organization on an everyday basis, regardless of their position in the company. It is important to develop a new strategy that gives each employee and customer an opportunity to contribute to the general aim: raising the level of the company's security. It is important to establish which cyber threats may actually affect the company. Based on the information about probable threats, a special "guide" for each role should be developed. Last but not least, these "guides" should explain clearly why, and in which way, each specific threat is dangerous. Finally, the "guides" should help each person understand their role in the functioning of the whole security system and explain how each concrete person can help to deal with risks.
2) Security strategy with focus on human factor.
Earlier we discussed that engagement is very important, but at the same time raising the level of employees' involvement is only the first step. So what should be done next? In our opinion, the next step is the development of an educational strategy. We stated earlier that the basic factor in our new approach is the employee and the customer, in other words, human beings. That means our strategy must also be built on this main principle. We must keep in mind that people tend to behave differently in the same situation. There are many different reasons and factors that determine the way people behave, such as psychological type, personal life experience, character and so on. It is impossible and needless to predict each person's behavior, but at the same time it is crucial to help people develop a general pattern of behavior in situations connected with information security. In this regard, the following may be suggested:
First of all, elaborate a detailed and realistic description of a real or hypothetical threat. This step requires a lot of preparation, but it is worth it. On the one hand, some principles are common to any company; on the other hand, solving some tasks requires a customized approach. Because of this, information security specialists, IT specialists, risk managers and heads of departments should together conduct comprehensive research beforehand, addressing such questions as "what are the possible risks", "which cybersecurity-related mistakes are typical for the staff of each department" and "what are the newest trends in this sphere". Based on the results of this research, they should start joint work on developing a strategy that helps to minimize risks and mitigate the consequences of employees' and customers' mistakes.
For example, if we look at the situation in the healthcare sector, which accumulates enormous amounts of highly sensitive data, we find that one of the most serious problems is the delegation of responsibility. This chain usually starts with a high-level employee, then the responsibility is passed on to a subordinate, and this pattern repeats until there is no one left who can be held responsible, so that responsibility for an incident is often transferred to external actors or factors. That is why one of the most crucial and urgent tasks is to distribute responsibility appropriately, considering the risks originating from each concrete person, regardless of their position in the company. This includes control over both privileged users and temporarily hired external specialists, because even a volunteer, who may not be formally employed and may only assist with very basic tasks, can cause serious problems, for example by copying documents such as diagnoses.
Next, this strategy should be explained in detail. At this stage a precise description of each step that should be taken is required. The main aim is to help the audience understand exactly what they should do in each situation and what the most probable outcome of their actions is. Understanding the correlation between actions in each concrete situation and their positive or negative outcome for the security system is the key aspect, and it is considered one of the basic principles of the new security strategy. If a danger occurs in real life, compliance with this principle will help to avoid risks and, where the threat was inevitable, eliminate or reduce the negative consequences of the attack.
No one should forget about phishing threats. This cybersecurity threat is still one of the most widespread. Try to provide your employees and customers with up-to-date information reflecting new trends in phishing attacks. It may also be a good idea for information security staff and IT specialists to simulate phishing attacks from time to time. After they collect information about employees' actions, it is important to organize seminars and explain the typical mistakes that may be critical in a real-life attack. Nevertheless, a few remarks should be made. It is very important to understand that people will get used to these simulations quite soon, and a little later they will get tired of them, so always try to be creative when simulating a new attack. What is more, try to make the attacks more sophisticated each time. This idea may be illustrated with a recent case. Thanks to the consistent and effective implementation of an information security policy, the percentage of users opening phishing emails in a large company dropped substantially. But one day, during a new simulated attack, this percentage rose dramatically and reached approximately 70%. The reason was very simple: the phishing email appeared to originate from the company's CEO. So rather than making people obey a list of strict regulations, help them understand the importance of those regulations. For example, requiring people to change their passwords each month may not be the most effective measure. People get tired of this tedious task and may start doing it irresponsibly, for example by changing only the last character. Instead, you can organize a seminar and show how easily and quickly such passwords can be cracked with specialized software.
Finally, concentrate on data flows and on the threats related to working in public places. Besides, given the recent rapid increase in the popularity of home offices, provide your staff with the necessary recommendations on how to deal with the threats typical for remote workers. Undoubtedly, the educational aspect is always important; in particular, it is useful to keep reminding people about the threats connected with the use of open-access Wi-Fi. But this alone is not enough. The rapid increase in the share of employees working remotely, in so-called home offices, has blurred the information security perimeter. It is important not only to monitor and control the working process; employees themselves should understand the risks associated with remote work and the degree of their personal responsibility for it. It is also important to organize this process efficiently. This means the security system should identify and prevent real incidents and deal with real "pain points", rather than focusing on every minor occurrence that may be caused by the human factor.
All in all, as was stated in the beginning, we need to reassess our traditional approach to information security and understand that people are the main factor both in the occurrence of information security incidents and in their prevention. That is why it is so important to regularly educate, engage and motivate.