October is European Cyber Security Month, and National Cyber Security Awareness Month in the USA. It’s an ideal time to raise awareness about cybersecurity across your organisation, from the C-suite to the cleaning staff. Last month’s news about the massive breach at Yahoo! was a timely reminder that businesses of any size can be a victim.
In the Yahoo! case, the reported figure was 500 million user accounts, including names, passwords, email addresses, phone numbers and security questions, making it the biggest notified breach yet. I’m deliberately qualifying that statement because it’s a little early to call this the biggest data breach in history, as some reports already have. It’s certainly in the top three that we know about, although as I’ll come back to later, the more we go looking for security incidents, the more we’re likely to find them.
The idea of cyber security awareness month is to get a quick win for your organisation. In my experience, it’s a great launch pad for instilling good practices, such as changing business and personal passwords. We have seen a number of VigiTrust clients using this month as the springboard for a campaign to get users’ attention about security and prompt them to reset their passwords.
From a staff education perspective, it’s a good opportunity to organise ‘lunch and learn’ sessions, webinars or instructor-led training. Even inexpensive measures such as distributing new security awareness material, like posters, can be very effective.
Gamification can really embed a stronger security culture, by pitting teams of staff against each other to see who can devise the best way to contain or deal with a security incident, using your organisation’s incident response plan as a model. Using scores and prizes as a reward incentivises good security behaviour.
Ironically, you’ll notice a sharp increase in the number of incidents being reported after these types of awareness events, because people will now know what they’re looking for. For that reason, it’s not a valuable metric to set a target of fewer incidents after security awareness training. As a veteran of the security industry, I’m actually not concerned about seeing the number of incidents reduced: I’m more interested in clients knowing that they have incidents and that they’re monitoring them in the right way.
Larger companies have a lot of internal security expertise but we believe it can be valuable to work with an external provider for guidance when developing new security initiatives. Sometimes it takes an outsider’s perspective to see that an organisation might have an issue with social engineering or phishing, whereas an internally focused exercise could miss those signs.
Lately, we’ve seen a lot of focus around the role of boards in overseeing cybersecurity. For example, last month the Central Bank of Ireland issued guidance for regulated companies in the financial sector to improve their strategies for dealing with cybersecurity threats and IT risk management. Keynote addresses delivered to the C-suite can be a powerful way of starting a cybersecurity conversation. Some of the VigiTrust team and I have recently delivered executive talks around IoT security, blockchain, managing personal critical infrastructure, the culture of security and change management.
E-learning is a good way of getting started on cybersecurity culture. We’ve just launched the VigiStore, an e-commerce platform for security awareness material that includes e-learning packages.
Lastly, for security officers who want to look at new ideas for spreading the cybersecurity gospel, another way to skill up on the latest thinking is to get involved with the VigiTrust Advisory Board. We have events scheduled in New York on October 12, Paris on 22 November, New York once again in early December, and we’ll be at RSA Conference 2017 in San Francisco next February 13-17. Our Global Advisory Board annual meeting is set for May 17-19 in Dublin. Contact me or Laura Shannon to find out more.