AUGUST 27, 2015
There is a lot of attention being paid recently to driving while texting or browsing the internet. This kind of public awareness campaign is well worthwhile; distracted driving can kill. Indeed, one of the benefits of a safe driving course is becoming more aware of your driving habits and not continuing in the comforting misconception of how it is you think you drive.
When an employee has to drive for work, we rely upon her or his individual driver’s license and personal skills to safely navigate the roadways. Is that the same approach you take for an employee’s use of the corporate network? If so, that is a very dangerous plan. More accurately, it is proof of the absence of a plan. What can you know about an employee’s personal computer habits? After all, there is no cyber-DMV in which you can look up a potential employee’s history of internet-age accidents. Just like a driver may be the weakest link in automobile safety, so can a user be the weakest link in cybersecurity. Employing someone with inadequate cybersecurity awareness skills creates a level of risk which can prove fatal to your system.
The simple truth is every enterprise should understand itself to be an internet-based cargo company. Conventional cargo carriers check credentials and test skills before putting someone in the captain’s chair of an oil tanker or a plane, or even in the driver’s seat of a tractor trailer. Yet organizations of all types and sizes regularly place employees in front of a keyboard that empowers them to move the modern equivalent of precious cargo, in the form of emails, software and data, anywhere in the world with a few keystrokes. In addition, we expect a ship’s captain to know how to avoid shoals and evade modern-day pirates and a truck driver to know how to avoid potholes and drive on slippery roads. But do we ever have any idea of the extent to which any employee really knows how to navigate the treacherous waters of the internet? Can they detect a potentially dangerous email? Do they understand the risks of activating an attachment that may grant an intruder access to your system? Do they double check the address to which they are sending an email to be sure they are not inadvertently sending confidential material to the wrong person?
Turn the paradigm around. Do not assume your employees’ personal computer skills are adequate for your enterprise. Do not treat your network as cavalierly as if it were an ordinary car being used to get to a business meeting. Evaluate the users of your network as if they were ship captains, airplane pilots and long-haul truck drivers. Test their security awareness; improve their skills. Their security awareness skills are a critical component of your cybersecurity.
My next blog will concern ways to assess your employees’ security awareness.
Kenneth C. Citarella
is senior managing director for the Investigations and Cyber Forensics practice at Guidepost Solutions LLC. He has more than 30 years of experience investigating and prosecuting white collar crime and computer crime.