Part 2: Cyber Security and Human Error

I once had a conversation with a US Navy Aviator.  He fought during the first Gulf war, serving on an Aircraft Carrier.  I asked him what it was like being in a war environment, and his response was rather surprising.  He casually spoke of it as just adding another sortie to his day. 

He went on to say that every day the US Navy is constantly training for combat.  Therefore, he flies, on average, two sorties a day.  When war finally came, to him it was just adding another sortie to his workload.  In other words, he was well prepared for combat.

Flying a jet fighter is not a solo effort.  There are crews of people behind the scenes to make a single flight possible.  From crews working the flight deck, to those working on radar and scanning the skies for threats to the ship, to crews working below deck preparing munitions, fuel, and maintenance, everyone is well trained and well versed in their areas of expertise.

The same should be true when it comes to Cyber Security.  Every person in your organization is on the front line of cyber security.  Your IT staff may be the ones working full time on security (i.e., flying the jet fighter), but every person in the organization participates in keeping the company secure.

It’s no surprise that, when it comes to combating Error, CIS Critical Security Control 14 (Security Awareness and Skills Training) and CIS Critical Security Control 16 (Application Software Security) are the recommended controls.  Go through the CIS template and consider how it would fit in your business or nonprofit organization.

The CIS template is not going to tell you exactly what you must do in every situation.  The actual details will be organization-specific, tailored to address your own needs.

To combat “Error” as defined in the Verizon Data Breach Investigations Report, the three relevant Safeguards under CIS Controls 14 and 16 are the following:

| CIS Control | Security Function | CIS Safeguard | CIS Safeguard Description |
|---|---|---|---|
| 14.4 | Protect | Train Workforce on Data Handling Best Practices | Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely. |
| 14.5 | Protect | Train Workforce Members on Causes of Unintentional Data Exposure | Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences. |
| 16.9 | Protect | Train Developers in Application Security Concepts and Secure Coding | Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. Training can include general security principles and application security standard practices. Conduct training at least annually and design in a way to promote security within the development team, and build a culture of security among the developers. |

The CIS template recommends that training be ongoing rather than a one-time event.  Threats are constantly changing.  Effective training should not stop at the time of hire, but continue throughout the year.

At Rue Insurance we prefer “learning” to “training”.  Training is something one does, or conducts, while learning connotes life-changing education.  With education you enlighten your employees, empowering them.  The goal of education is to move beyond knowledge transfer to behavior transformation.  One of the ways to bring about behavior change in your organization’s cyber security awareness program is through continuous exposure to, and increased awareness of, the cyber threats facing your organization.

If there is an upside to the ever-changing threats in cyber security, you will always have current stories to tell.  When employees can see the connection between the threats facing your business and their jobs, it becomes personal.  When that happens, your Cyber Awareness Education program starts to have measurable impact.

CIS Control 14.4 addresses Data Handling Best Practices.  Its examples show that digital data handling is not the only concern.  Care should also be taken with traditional paper documents and the physical workspace: keeping a clean desk with no documents showing personal data, locking computer screens when away from your desk, and erasing whiteboards that show confidential data.

CIS Control 14.5 is a more nuanced control, because you’re educating employees about situations they were not expecting.  The first thing to think about with this control is your company culture.  Culture is very important.  As much as you educate employees on what not to do or what to look out for, mistakes can still happen.  The next question is what happens when an employee makes a mistake.

For example, an employee loses their laptop computer that has confidential client data on it.  If an employee knows they are going to be reprimanded for making this mistake, how likely are they to report the lost laptop?  What’s to stop them from making an excuse, such as that the laptop was destroyed?  Lost laptops or misdelivered information happen more often than most people realize.

What is your company’s response plan going to be when a mistake does happen? 

This control is a security issue, but it’s also not something that will fall 100% on your security staff.  Your Human Resources department will also need to be engaged in the handling of mistakes in this area.  Yes, develop your educational plan and bring awareness, but also make sure your company’s culture is such that employees will be willing to acknowledge a mistake, determine the root cause, and take steps to prevent future mistakes.

If you are looking for more information on developing an Information Technology Security Awareness and Training Program, here are some resources:

NIST, Building an Information Technology Security Awareness and Training Program (SP 800-50): https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-50.pdf

Educause, Awareness Campaigns: https://www.educause.edu/focus-areas-and-initiatives/policy-and-security/cybersecurity-program/awareness-campaigns

National Cybersecurity Alliance: https://staysafeonline.org/

SANS Security Awareness resources: https://www.sans.org/security-awareness-training/resources/

UK National Cyber Security Centre, 10 Steps: Engagement and Training: https://www.ncsc.gov.uk/collection/10-steps/engagement-and-training

CIS Control 16.9 deals with the development of software rather than with its end users.  Developing secure software products starts in the early planning stages of software development.  If your organization is interested in a deeper dive into a security mindset for software development, consider resources such as the Microsoft Security Development Lifecycle or NIST’s Secure Software Development Framework (SSDF).

It is much easier to incorporate security-minded programming practices during the software development stage than after the software has been built.  At that point, changes would have to be retrofitted into an existing program.

In Part III of this article series, I’m going to finish explaining the three other sources of human error and talk about potential controls.

Scott Harrigan

Scott started his career in insurance in 1988 and joined Rue Insurance in 2004 as a Marketing Specialist focusing on creating effective risk financing and risk transfer programs for companies and non-profit organizations. In addition to this he is a member of the Rue Insurance educational team that provides ongoing professional development in critical insurance concepts and programs to Rue employees.
