Understand Business And Industry Security Requirements
A comprehensive information security program is standard practice for every organization. In addition to securing company and employee data, organizations must also consider the privacy of their clients. For integrated design and manufacturing firm Pensar Development, clients need confidence that their intellectual property (IP) is accessible only to the Pensar employees contributing to that specific project. The Seattle-based design firm is known for, among other client solutions, mechanical integration for medical devices and the enclosure design of gaming consoles.
Cyber Security Hub recently had the chance to speak with Pensar’s Director of Security Kayne McGladrey to learn about his approach to maintaining the confidentiality of both employee and client data.
In addition to his company security role, McGladrey is a member of IEEE, the professional association for engineers that is often associated with developing technology standards. Members agree to a code of ethics that includes helping people and society understand the social implications of emerging technologies. For his part, McGladrey is a spokesperson on cyber security and broader technology issues to both industry and the general public. He is also proud of having built a cyber security team at Pensar composed entirely of military veterans.
Each industry sector has specific security requirements, and each organization has its own definition of sensitive data. Pensar works on behalf of its clients as a creative and integration specialist, which requires both protecting sensitive client IP and restricting who can access it.
Restrict Data Access To A Need-To-Know Basis
McGladrey observes that the Western world has struggled with permission aggregation, in which access accumulates over time rather than ever settling into a steady state. “Employees never lose access to data… access only increases over time,” he said. For a security team focused on restricting data and access, Pensar had to approach the subject differently.
McGladrey used an analogy to make his point. “If you own the building, there is an assumption that you also own access to all the rooms. Does a CEO need access to the server room?” From a cyber security perspective, this assumption creates a friction point whenever access to data is discussed. “Threat actors know this, and target that ‘top of the pyramid’ thinking to find the people with the most access.”
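The project-scoped, need-to-know model described above can be made concrete. What follows is an added example, not Pensar's code or any real product: access to a project's IP is expressed as a time-boxed assignment, a read is allowed only while an assignment is active (a standing grant alone, even a CEO's, is not enough), an audit pass surfaces the permission aggregation McGladrey describes (grants that outlived their assignment), and a footprint view shows who currently holds the most access, the "top of the pyramid" a threat actor would look for. The people, project names and dates are constructed.

```python
"""Need-to-know access to client IP, modelled as time-boxed project assignments.

Added example, not Pensar's code. A grant to a project's data is only usable
while the holder has an active assignment to that project, and an audit pass
surfaces grants that have outlived their assignment (the "access only
increases over time" problem) plus who holds the most access right now.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class Assignment:
    user: str
    project: str
    start: date
    end: date  # inclusive; the planned project end, revisited if the project is extended


@dataclass
class AccessRegistry:
    assignments: list = field(default_factory=list)
    # project -> set of users currently holding a grant (what the file share ACL would contain)
    grants: dict = field(default_factory=dict)

    def assign(self, user: str, project: str, start: date, end: date) -> None:
        """Record an assignment and grant access; open-ended assignments are not allowed."""
        if end < start:
            raise ValueError("assignment must end on or after it starts")
        self.assignments.append(Assignment(user, project, start, end))
        self.grants.setdefault(project, set()).add(user)

    def is_active(self, user: str, project: str, today: date) -> bool:
        return any(
            a.user == user and a.project == project and a.start <= today <= a.end
            for a in self.assignments
        )

    def can_read(self, user: str, project: str, today: date) -> bool:
        """Policy check: a grant alone is not enough, the assignment must still be active.
        Nobody, the CEO included, reads project IP without an assignment to that project."""
        return user in self.grants.get(project, set()) and self.is_active(user, project, today)

    def audit_stale_access(self, today: date) -> list:
        """(user, project) pairs whose grant has no active assignment behind it."""
        stale = []
        for project, users in self.grants.items():
            for user in sorted(users):
                if not self.is_active(user, project, today):
                    stale.append((user, project))
        return stale

    def revoke_stale(self, today: date) -> list:
        """Remove stale grants so access shrinks when a project ends; returns what was revoked."""
        stale = self.audit_stale_access(today)
        for user, project in stale:
            self.grants[project].discard(user)
        return stale

    def access_footprint(self, today: date) -> list:
        """Users ranked by the number of projects they can currently read."""
        counts = {}
        for project, users in self.grants.items():
            for user in users:
                if self.is_active(user, project, today):
                    counts[user] = counts.get(user, 0) + 1
        return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def build_sample_registry() -> AccessRegistry:
    """Constructed sample data: fictional people, projects and dates."""
    reg = AccessRegistry()
    reg.assign("alice", "enclosure-redesign", date(2019, 1, 1), date(2019, 6, 30))
    reg.assign("bob", "enclosure-redesign", date(2019, 1, 1), date(2019, 12, 31))
    reg.assign("carol", "enclosure-redesign", date(2019, 1, 1), date(2019, 12, 31))
    reg.assign("alice", "medical-pump", date(2019, 7, 1), date(2019, 12, 31))
    reg.assign("carol", "medical-pump", date(2019, 1, 1), date(2019, 12, 31))
    return reg


if __name__ == "__main__":
    reg = build_sample_registry()
    today = date(2019, 9, 1)
    print("alice on medical-pump:", reg.can_read("alice", "medical-pump", today))
    print("alice on enclosure-redesign:", reg.can_read("alice", "enclosure-redesign", today))
    print("stale grants:", reg.audit_stale_access(today))
    print("footprint:", reg.access_footprint(today))
    print("revoked:", reg.revoke_stale(today))
```

The point of `revoke_stale` is that it runs on a schedule, not on request: access is removed when the assignment ends, whether or not anyone remembers to ask, which is the only way "access only increases over time" stops being true.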
Avoid Trying To Change Human Behavior
Security awareness training can help spread the word to employees about the importance of good cyber hygiene. Some have adopted the approach that “cyber security is everybody’s responsibility.” McGladrey follows a more pragmatic mantra that “nobody’s coming to save us. In cyber, stop hoping that somebody else is going to do it.” The onus is on the organization to help employees make cyber security a habit, and that is not necessarily accomplished through annual, mandated cyber awareness training. “Don’t assume the people in the training are paying attention,” quips Pensar’s McGladrey.
There are few technical controls that can prevent a user from clicking a link and then divulging information. But users are more than people who come to work and go home. “A more holistic approach is needed about serving the community – social engineering, etc. – to educate people about what’s going on in the world today,” says McGladrey. “We understand that, as a species, once you got fire and you put your hand in the fire, it hurt. We’ve had confidence scams before, but phishing attacks are a relatively new phenomenon and have never been executed at this scale before, so as a species we don’t have muscle memory of how to treat this threat. It can happen to anyone and everyone at any time.”
The industry needs to share security hygiene openly, at a time when an audience needs to hear it, and the training needs to be a continuous campaign rather than an event.
Use Physical Security As A Proxy For Cyber Hygiene
Organizations appear to have achieved compliance with aspects of physical security (e.g., everyone scans their badge, one vehicle at a time passes through the security gate). Cyber security compliance has not been as straightforward. “People understand the security abstract before an event occurs and they understand when a threat happened,” says McGladrey. “If you leave your door unlocked at home for a year and nothing bad happens, you’ll think it is fine. The day you get burgled signals to change the behavior.” The unique organizational challenge is how to prompt people to think before an attack, and how to educate users on preventative measures and the consequences of not using them.
Create A Culture Of Healthy Suspicion
Instead of the obligatory employee training, McGladrey recommends continuous engagement with the end-user community. “Provide opportunities and instrumentation to demonstrate policy violations rather than lecture at people.” Examples include leaving a USB data stick in a break room, or using phishing tools to send simulated emails that appear to come from known employees but carry suspicious cues. “This helps educate and creates healthy suspicion.” It is important not to shame employees who fall victim to these exercises, and instead to use them as educational opportunities to create positive cyber habits.
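The "instrumentation" McGladrey mentions has a design consequence that the no-shaming advice depends on: if the tracking link in a simulated phishing email can be guessed or edited, a disgruntled employee can make a colleague appear to have clicked, and results from an old campaign can leak into a new one. The following is an added example, not Pensar's code and not any real phishing-simulation tool: each recipient's link carries a per-campaign HMAC, so the server can attribute a click but a token cannot be forged or reused across campaigns, and the output is a per-department summary plus a short follow-up list for coaching. The employees, signing key and events are constructed; a real deployment would keep the key in a secrets manager and rotate it per campaign.

```python
"""Instrumenting a phishing simulation without shaming anyone.

Added example, not Pensar's code or any real phishing tool. Each recipient
gets a per-campaign tracking token carrying an HMAC, so a click can be
attributed on the server but a token cannot be forged to make a colleague
look like they clicked, and a token from one campaign does not count in
another. Reporting is per department; the individual list only drives
follow-up coaching.
"""
import hashlib
import hmac
from collections import defaultdict
from typing import Optional

# Constructed data: fictional employees and a made-up signing key.
# Assumption: in practice the key lives in a secrets manager and is rotated per campaign.
SECRET = b"constructed-campaign-signing-key"
EMPLOYEES = {"e001": "engineering", "e002": "engineering", "e003": "finance", "e004": "finance"}


def make_token(campaign: str, employee_id: str, secret: bytes = SECRET) -> str:
    """Token embedded in the simulated email's link: '<employee id>.<mac>'."""
    msg = f"{campaign}|{employee_id}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]  # 128-bit tag
    return f"{employee_id}.{mac}"


def resolve_token(campaign: str, token: str, secret: bytes = SECRET) -> Optional[str]:
    """Return the employee id if the MAC is valid for this campaign, else None."""
    employee_id, sep, mac = token.partition(".")
    if not sep or not employee_id:
        return None
    expected = make_token(campaign, employee_id, secret).partition(".")[2]
    # Constant-time comparison; editing either the id or the mac fails here.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    return employee_id


def tally(campaign: str, events: list, employees: dict = EMPLOYEES) -> tuple:
    """events: (token, action) pairs, action in {"open", "click", "report"}.
    Returns (per-department report, employees needing follow-up, rejected token count)."""
    per_person = defaultdict(set)
    rejected = 0
    for token, action in events:
        employee_id = resolve_token(campaign, token)
        if employee_id is None or employee_id not in employees:
            rejected += 1  # forged, mangled, or from another campaign: counted, never attributed
            continue
        per_person[employee_id].add(action)
    report = {}
    for employee_id, dept in employees.items():
        row = report.setdefault(dept, {"sent": 0, "clicked": 0, "reported": 0})
        row["sent"] += 1
        actions = per_person.get(employee_id, set())
        row["clicked"] += int("click" in actions)
        row["reported"] += int("report" in actions)
    # Someone who clicked and then reported it has already learned the lesson.
    follow_up = sorted(e for e, acts in per_person.items() if "click" in acts and "report" not in acts)
    return report, follow_up, rejected


def run_sample() -> tuple:
    """Constructed campaign: one click, one report, one click-then-report, one forged
    token, and one link left over from an earlier campaign."""
    campaign = "2019-q3"
    events = [
        (make_token(campaign, "e001"), "click"),
        (make_token(campaign, "e002"), "report"),
        (make_token(campaign, "e003"), "click"),
        (make_token(campaign, "e003"), "report"),
        ("e002." + "0" * 32, "click"),            # forged: would frame e002 without the MAC check
        (make_token("2019-q2", "e004"), "click"),  # stale link from a previous campaign
    ]
    return tally(campaign, events)


if __name__ == "__main__":
    report, follow_up, rejected = run_sample()
    print(report)
    print("follow-up coaching:", follow_up)
    print("rejected tokens:", rejected)
```

The department-level rows are what goes in the summary to leadership; the follow-up list never leaves the security team, which is how the "educate, don't shame" rule survives contact with a spreadsheet.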
Some organizations McGladrey has encountered span five generations of workers, and some employees have no prior experience with digital environments: no awareness of multi-factor authentication (MFA), trusted password vaults, or why one should not click on a link.
McGladrey sees a greater challenge in educating younger generations to form similar habits. How young is too young? “If you’re targeting high school-age students, you are probably too late. Focus on teaching healthy skepticism at middle school along with identifying phishing and the importance of updating devices with security patches.” The adage that if something seems too good to be true, it probably is, may not be familiar to this age group because they have not been personally impacted. “Question the benefit or reward claims made by a mobile game before it’s downloaded and installed. Be suspicious.”
Who Is Responsible For Enterprise Cyber Security?
Cyber security is still viewed as an IT issue, which often means infosec gets bolted on rather than built in to the company’s operations and culture. Join Cyber Security Hub this November as Kayne McGladrey and other security leaders discuss changing the perception of cyber security in the enterprise at the Cyber Security Digital Summit Fall online conference.