As we progress through 2023, both new and old cyber challenges remain, but opportunities for improvement are present. For the upcoming year, assume the following:
Everyday users may find the realities daunting. They may even feel dismissive about cyber-related responsibilities, leading them to ask, “Well, what do you want me to do about it?”
Cyber experts simply want everyone to help “protect the house” by creating a more resilient organization and atmosphere. In this series, J.S. Held provides information for security professionals and everyday users alike, with suggestions for avoiding internal failures and a central collapse or breach of information systems. How? Through a federated approach that relies on personal responsibility and accountability.
This two-part paper focuses on what everyday users can do to help protect data, through the support of leadership and a well-established and well-maintained information security program. Specifically, this mini-series identifies how to resolve a key pain point—ensuring users know both why and how actions are being taken—and managing two evolving conditions, changes in the workplace and malicious actor tactics.
We begin by identifying who is responsible.
Information security and risk management leaders will generally focus on “the program” of the enterprise, but they, like all others, are also everyday users of technology and data assets. The knowledge gaps between the two groups can be wide even if the risks to both are similar. Moreover, priorities differ between these two groups, yet care and responsibility should not.
Therein is the core of the cybersecurity issue: understanding the nuance between stakeholder groups. Understand this issue, and many downstream challenges can be managed.
Going forward, one can expect that those tasked with data security responsibilities will focus their efforts on migration and integration into the cloud, digital transformation, increased monitoring and automation, software-as-a-service (SaaS) use, and company-wide initiatives such as “building cyber resilience” or increased testing and training. And let us not forget the chatter of Zero Trust replacing VPN.
But are those efforts, however well-intentioned, the most impactful to everyday users? At best, maybe. Everyday users have their own priorities, and, in some cases, those can counter information security best practices. Therefore, a priority for directors, officers, managers, and the CISO should be helping everyday users find that balance; it’s good business and good security.
All enterprise-driven security efforts must ask this question: “How do everyday users help reduce the organization’s risk footprint?”
The key is to recognize that the solution does not rest solely within the enterprise program, though the program most certainly is the foundation. Rather, the solution rests in everyday users internalizing and valuing good cyber hygiene as a gateway to protecting their own job, while concurrently improving the organization’s risk position.
Some users may practice “more secure” habits over others, but those tendencies are generally derived from experience and role. Everyday users may have tendencies that can contribute to or hinder good cyber hygiene habits. For example:
The interesting result is that despite behavioral differences, both situations could result in the same type of data loss. So, where is common ground? Personal interest.
“Eat your veggies,” on its own, has rarely been a compelling argument. People are inquisitive and want to understand the concept of “why.” Practicing good cyber hygiene is no different. Illustrative examples help. Here are just a few:
In summary, you can tell everyday users how good cyber hygiene may be achieved (e.g., password strength, shadow IT dissuasion, reasonable monitoring, training, etc.) but none of that explains why good cyber hygiene is valuable to the user and the organization.
Practicing good cyber hygiene is not just a present issue; it is an ongoing issue that shapes security and risk postures over time. CISOs and other security leaders who rely only on the “carrot and stick” (behavior reprimand) and “silver bullet” (technology) approaches will be left behind. To positively alter behavior, everyday users need to be partners and understand why sacrificing some upfront convenience and efficiency could yield long-term protections and rewards. Business, risk, and security leaders need to appreciate that issue too.
In the second installment of this two-part series, we will focus on the need to secure remote and hybrid workspaces and insights that help a user prevent attacks.
We would like to thank our colleagues George Platsis and Ron J. Yearwood, Jr., CISSP, CISM, CIPM, for insights and expertise that greatly assisted this research.
George Platsis is a Senior Director providing Digital Investigations & Discovery services in J.S. Held’s Global Investigations practice. Mr. Platsis is a business professional, author, educator, and public speaker with over 20 years of entrepreneurial experience. He has designed and delivered solutions, and led teams, to improve breach readiness, enterprise-wide and business-unit-specific incident response programs, and estate hardening for a series of Fortune 100 clients in the healthcare, media, financial services, manufacturing, defense, and commercial electronics industries, and has also supported clients in the small and medium business space. Additionally, he brings complex investigation and emergency management experience to businesses and individuals seeking to reduce their risk posture. George is a Certified Chief Information Security Officer.
George can be reached at [email protected] or +1 321 346 6441.