With the many of the major hacks still taking place through a single point of vulnerability, two security industry pros said its time for organizations to make sure their workers understand the importance of cyber security and actively take part in defending their company.
“What if instead of using APT (Advanced Persistent Threat) it were called the same stupid attack that happened last time,” said Junaid Islam, president and CTO of Vidder, explaining that IT departments generally see the same problem happening over and over and that cycle needs to be broken.
Islam, who made this comment during the ALM cyberSecure event held in N.Y. City on Dec. 15, said there are methods to get employees to be more aware, but the effort has to be put forth.
“You have to develop a culture of security in the company. Everyone from the janitor to the CEO has to think about security all the time,” said Bob Flores, a partner at Cognito and a former CTO of the Central Intelligence Agency, at the same event. In addition, security knowledge and concern should be made part of a worker's annual review process to show how important the topic is to the company, he said.
“It's hard to make people cyber aware,” Islam said, but he went on to describe a simple and free method he has used to make the threat posed by hackers not only very clear to workers, but to develop a level of “buy in.”
Islam suggested setting up an old PC in a common area and use it to display a live feed of the inbound and outbound traffic that is going through the company's servers. When they see data requests coming from countries like the Ukraine and China it helps change the workers view of the data threat, Islam said.
Even though having an employee fall for a phishing scam will still be hard to stop, organizations have to do more at a higher level to protect themselves. Flores and Islam recommended developing a defense based on a threat model by figuring out a company's weakness and the building the proper defense. Instead of using the SANS 20 Critical Security Controls list.
“You need to figure out needs first,” Islam said.
Flores followed up adding that a company can't just buy a security software tool or hire a security consultant and believe they are safe.