The true culprits of hacking

Most IT departments today face a serious problem: the rest of the company's employees consider them 100% responsible for cybersecurity. It is reasonable to assign them responsibility for some aspects of cybersecurity, but they cannot bear the full burden. In fact, IT staff are in the same position as the police. The police can catch criminals and prevent some crimes, but they cannot be held responsible for every crime that is successfully committed, and it is not their fault that so many people leave their doors (or mobile devices) unlocked and become easy targets. Nevertheless, when a breach occurs, organizations very often dismiss someone from IT, not infrequently even the CIO.

Ensuring security is not, in itself, a difficult problem to solve. If the IT department had full control over the organization, it could easily guarantee the complete absence of any intrusion: dig a moat around the company, fill it with hundreds of alligators, and forbid anyone and anything from entering or leaving. Simple, if somewhat medieval.

Of course, a business cannot function in such isolation. No enterprise can succeed today without numerous entry and exit points for people, information, and communications, and with all that movement the IT department is no longer able to control much of it. One solution is to devise a formula for measuring the IT department's share of responsibility for cybersecurity.

Insurance companies have good models for this: when assessing an accident, for example, they assign each contributing factor a precise percentage of the fault. The key factors might be weather (5%), worn tires (12%), driver inexperience (17%), and a pig at the intersection (66%). Apply a formula of this kind to any breach of a company, and the conclusion is that the IT department is at fault for less than 20%.

Other factors to weigh when assessing fault for a cybersecurity breach:

— Management ignores staff training in the basics of cybersecurity
— Marketing has launched new "customer portals", significantly expanding the company's attack surface
— The data collected through those portals is valuable to cybercriminals
— Senior employees are regularly targeted by spear phishing
— Mobile device policies are regularly violated
— Employees download free apps from untrustworthy sources
— Employees connect personal mobile devices directly to the corporate network

The IT department is rarely in a position to stop any of these, even though each of them puts the company's security at risk.

This state of affairs is unfair to IT. More importantly, while the IT department serves as the scapegoat, no other division of the company answers for the consequences of its own decisions.

Here are some tips to fix the problem:

1) Publish the responsibility formula and identify the departments and individuals who share responsibility for a breach. (Side benefit: it may actually push people to comply with policies.)

2) Add a mandatory question at the end of every IT request: how will this request affect the company's cybersecurity posture?

At first, people will not understand the question and will leave the field empty. When they discover that the field is mandatory, they will choose "no effect". That is when the IT department can step in and explain that security risk usually increases whenever the network grows or additional valuable customer data is collected and stored.

Over time, employees can be retrained to understand the company's real cybersecurity posture. That posture is not as fixed as it appears. Yes, it is determined by hardware, by software, and by the IT department's hopes and aspirations (also known as "approved policies"), but it is also shaped by the security choices every employee makes every day.

Cynthia James is Global Director of Business Development and a CISSP. Her IT career spans 25 years, eight of them devoted to fighting cybercrime. James writes frequently on cybersecurity and is the author of the book Stop Cybercrime from Ruining Your Life! Sixty Secrets to Keep You Safe.