Reinforcing the Weakest link of Your Cyber Resilience Program
Reprinted with permission from CIO Applications
by Keith Burkhardt, Vice President, Kraus-Anderson Insurance
The CEO was, understandably, upset. For the third time in several weeks, his company had fallen victim to ransom ware. “We have to do something to tighten up our cyber resilience!” he said.
As it turns out, the breach was traced back to a recalcitrant employee who, despite warnings from his IT department, persisted in using his laptop on an insecure Wi-Fi in a particular coffee shop. To further complicate matters, this was not just any employee; it was the CEO himself.
As the decidedly analog Pogo once said, we have met the enemy and he is us.
In my discipline of risk management, we work closely with CIOs, owners and other business leaders to identify and address the risks inherent in information systems operations. Over the past 3-4 years, we’ve seen considerable progress in the way companies– particularly more nimble companies– have ramped up their cyber resilience efforts in multifarious ways: implementing rigorous data hygiene, addressing storage vulnerabilities, tightening intellectual property and protections and developing systems response plans. As understanding of cyber resilience has evolved, more CIOs are now taking a well-deserved and needed seat in the C-suite, advising CFOs and CEOs to make more proactive decisions about IS investments in the interest of risk management.
Yet even as businesses have gotten better about cleaning up their information systems’ vulnerabilities, the biggest vulnerability of all is the one you can’t exactly toss out: i.e., the humans that the systems are designed to serve. Even the most dedicated CEOs can bring traits to the table (rushed, fatigued, not always keeping up with learning) that put them at risk of becoming a hacker’s unwitting best friend.
Nor are they the only ones to be concerned about. That millennial sipping coffee next to the CEO might be using a dedicated VPN, but may also be spilling secrets by talking too loud over his Bluetooth, or oversharing on social media. And we all know what Equifax was using for its password, right?
Play Where the Puck is Going
As advisors and consultants, our team tries to follow the advice of hockey great Wayne Gretzky and anticipate where the puck is going. In the case of cyber resilience, I think CIO’s would do well to take aim at the human risk factor.
Mind the Gaps
Spend some time looking at the gaps in your cyber resilience system protocols. Self-evaluation is one tactic. One of our KA colleagues, Mike Benz, Vice President of IT at Kraus-Anderson Construction Company, has developed a self-evaluation tool based on criteria from the National Institute of Standards and Technology (NIST) designed specifically to help contractors evaluate their ability to identify, protect, detect, respond and recover from cyber events.
Benz notes that, “The tool suggests specific improvements in areas where the company has the biggest gaps, compared with industry averages and best practices. Each recommendation balances cost with risk reduction potential.”
Probably one of the best investments you can make is identifying your users’ behavioral risks and addressing these with training.
Cyber security providers such as Darktrace leverage powerful AI algorithms that mimic the human immune system’s defenses to provide 24/7 monitoring of employee’s data use, flagging all problematic behavior to spot emerging threats that would otherwise go unnoticed.
As employees may have overlapping understandings of systems, cyber resilience is compromised with varying understanding. Online training can smooth out those sometimes wild swings in levels of understanding and help companies establish a level set point of cyber resilience competency among employees. Our agency maintains a client portal online training center that offers a series of 5 cyber risk courses that can be taken in an hour or less with documentation of completion. The trainings reveal gaps in understanding that can indicate to supervisors where further attention is needed.
Get Onboard with HR
Another opportunity for the CIO is to get embedded in the process of hiring new users. Just as companies maintain regular training relating to safety, discrimination, harassment and other vital standards, cyber resilience training can and should become baked into your employee onboarding, life cycle and exit protocols.
And, with a nod to your HR colleagues, consider bringing cyber closure to the exit interview. Offering last-chance amnesty for full disclosure of any competitive data that has been illicitly shared during the employee’s tenure could knock out 90 percent of post-termination issues before they emerge. Such prudence allows the company to avoid expansive forensic and legal costs.
However sophisticated the learning curve for your team, cyber security events still rely on user error, manipulation and exploitation of bad habits. Now that you’ve cleaned up your systems, the opportunity for today’s CIO is in making proactive choices to anticipate where the puck is going; and to take steps to establish, elevate and even draw out a baseline of cyber resilience competencies among your users.