Companies and organizations are still struggling to deal with ransomware, a cyberattack in which user data is encrypted and held hostage until a ransom is paid (with no guarantee of recovery even then). This trend looks set to continue and perhaps even intensify. I often get asked by executive management what they should be doing and what questions they need to be asking. Those questions can be a useful guide for those who aren't sure whether they are doing enough beyond asking the IT department to take care of it.
Instead of the usual spiel about what equipment to purchase or what software to install, I find it critical that people, especially those in executive leadership, have the right mindset when communicating with those on the front lines of preventing cyberattacks. With that in mind, here is my list of nine top do's and don'ts for being cyber-resilient in terms of mindset, behavior and daily precautions, since, in the end, cybersecurity is not just a technical issue but a people issue as well.
1. Don’t blame the victim in a cyberattack
Making a user who has been compromised feel like the "bad guy" will only exacerbate an already bad situation. It creates an environment in which people try to fix issues themselves or, worse, hide or ignore them and, most importantly, fail to report the incident quickly. Blaming the user also misdirects attention: the real bad guy is still on the loose even after the user's machine has been cleaned up.
2. Don’t cultivate a sense of paranoia about attacks and disconnect from the internet
Not only does this deprive an organization of the benefits of today's networked services, it also tells attackers exactly where your most important data lives: in the "air-gapped" room (a network with no online links). Offline computers are rarely monitored or patched, which benefits an attacker who does reach them. Worse, disconnection drives people to create workarounds, such as copying the work data they need from the offline machines onto their regular, connected computers, which gives attackers a feeder system for extracting information from the "protected" network. Disconnecting from the internet is extremely troublesome and inefficient these days, so it is not a practical solution.
3. Don’t shackle your team based on cyber fears
Banning Wi-Fi or the use of PCs outside the corporate network is counterproductive and, in 2017, unrealistic. Preventing staff from working at home and sacrificing efficiency, productivity and worker well-being in the name of security results in net damage to the organization.
4. Don’t make excuses for not implementing the latest safeguards
You may have your own sense of security and of "what needs to be done," but it is more likely that current technologies, including cloud services, are more secure than the assortment of known and unknown mainframes and servers in your environment that are not patched with the latest updates. The latest ICT can also help you be competitive and efficient, and the more progressive vendors are building state-of-the-art security into their products by design. On a related note, many companies are now implementing application whitelists (allowlists), so that if a user downloads something that hasn't been approved, the IT department will jump on it. However, even authorized software can download unauthorized components when updating, leading to trouble. I've met people who have become reluctant to update their software because they don't want to get yelled at. But remember: it is far more important to update than to run the risk of getting hit by malware because of an unpatched system.
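To make the allowlisting caveat concrete, the following is an added example (not code from the original article or from any allowlisting product) that models three common policy styles and runs them over a constructed before/after-update inventory. The file paths, file bytes, the publisher name "Example Vendor" and the process names are all constructed for illustration; the "trusted updater" rule is a simplified stand-in for the auto-approval rules some allowlisting tools offer, not any vendor's actual implementation.

```python
# Added example: toy model of three application-allowlisting policy styles,
# evaluated over a constructed "after update" inventory. All names, bytes and
# publishers are constructed; this is not any product's rule engine.
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Set


@dataclass(frozen=True)
class Binary:
    path: str
    content: bytes             # stand-in for the bytes on disk
    publisher: Optional[str]   # code-signing publisher, None if unsigned
    written_by: Optional[str]  # process that wrote the file to disk


Policy = Callable[[Binary], bool]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_policy(allowed_hashes: Set[str]) -> Policy:
    """Allow only files whose exact bytes were approved. Every update changes
    the hash, so every update turns into an 'unapproved software' alert, which
    is why users learn to avoid updating."""
    return lambda b: sha256(b.content) in allowed_hashes


def publisher_policy(allowed_publishers: Set[str]) -> Policy:
    """Allow anything signed by an approved publisher. Updates from the same
    publisher pass; an unsigned bundled component does not."""
    return lambda b: b.publisher is not None and b.publisher in allowed_publishers


def trusted_updater_policy(allowed_publishers: Set[str],
                           trusted_updaters: Set[str]) -> Policy:
    """Publisher policy plus a 'trusted updater' rule: whatever an approved
    updater process writes is auto-approved. Convenient, but this is exactly
    how authorized software can pull in unauthorized components."""
    base = publisher_policy(allowed_publishers)
    return lambda b: base(b) or (b.written_by in trusted_updaters)


def evaluate(policy: Policy, binaries: Iterable[Binary]) -> Dict[str, bool]:
    """Map each file path to True (allowed to run) or False (blocked)."""
    return {b.path: policy(b) for b in binaries}


# Constructed scenario: v1.0 was approved by hash; the vendor's updater then
# installs v1.1 (same publisher, new hash) plus an unsigned helper library.
V1 = Binary("app/app.exe", b"app v1.0", "Example Vendor", "installer.exe")
V2 = Binary("app/app.exe", b"app v1.1", "Example Vendor", "app_updater.exe")
HELPER = Binary("app/helper.dll", b"third-party helper", None, "app_updater.exe")

APPROVED_HASHES = {sha256(V1.content)}
APPROVED_PUBLISHERS = {"Example Vendor"}
TRUSTED_UPDATERS = {"app_updater.exe"}

POLICIES = {
    "hash": hash_policy(APPROVED_HASHES),
    "publisher": publisher_policy(APPROVED_PUBLISHERS),
    "trusted_updater": trusted_updater_policy(APPROVED_PUBLISHERS, TRUSTED_UPDATERS),
}


def run_scenario() -> Dict[str, Dict[str, bool]]:
    """Decisions of each policy on the post-update inventory (v1.1 + helper)."""
    after_update = [V2, HELPER]
    return {name: evaluate(policy, after_update) for name, policy in POLICIES.items()}


if __name__ == "__main__":
    for name, decisions in run_scenario().items():
        print(name)
        for path, allowed in decisions.items():
            print(f"  {'ALLOW' if allowed else 'BLOCK'}  {path}")
```

Running it shows the trade-off the text describes: the hash policy blocks the legitimate update (and so punishes users for patching), the publisher policy lets the update through but blocks the unsigned helper, and the trusted-updater rule lets both through, including the component nobody vetted. Whichever style you pick, the point for leadership is that an update being flagged is a policy-tuning task for IT, not a reason to scold the user who clicked "update".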
5. Do encourage communication within your organization when something happens or seems suspicious
If you lose your company phone or PC, it is far better to report it quickly so the device can be locked or wiped and the possible damage minimized. Losing things and making mistakes is part of being human. What matters is a trusting culture in which people quickly report anything that is amiss (and not just cyber problems) so that proper remedial action can be taken. Hiding things only leads to bigger problems, both for individuals and for the organization.
6. Do test and audit your security so that people’s awareness stays high
Be wary of excessive penetration (pen) testing, however, which can sometimes make users too afraid to open their files. Exercises should teach staff what a suspicious message or attachment looks like and confirm that reports reach the right people; if every test is a trap, people stop trusting their own tools.
7. Do make sure that usability is central to your security posture
It is simply not worth it if people keep working around the system just to do their jobs, and yet this is happening every day in companies and organizations of all sizes. Ignoring usability increases risk, because every workaround is a control that is no longer enforced. Changing a 10-character password every 10 days will only foster a culture of writing passwords down on Post-It notes, which won't benefit anyone.
8. Do make sure your security measures are as invisible, automated and integrated as possible
Controls that people do not notice are controls that people do not work around, which encourages both usability and resilience.
9. Do remember that you have many opportunities to stop bad guys and prevent successful cyber attacks
It is not game over if they penetrate one part of your system; an attacker who gains a foothold still has to move through the network, gain further access and reach the data or whatever else they are after, and each of those steps is an obstacle where they can be detected and stopped. Thus, it is important to be proactively defensive and to understand that in a well-designed system there are many opportunities to stop bad guys before they accomplish their end goal. Resilience and communication are key.
Leaders need to get smart about cybersecurity and realize that it is much more than an issue for the IT department. As a mission-critical piece of infrastructure, cybersecurity cuts across all divisions of an organization and affects everyone. An effective cybersecurity strategy, organized to prevent attacks rather than only remediate them, can improve competitiveness and even lead to a better work-life balance among employees. The time to start is now.