I have been in the InfoSec business since 1998 and have performed or been a part of hundreds of risk assessments, and over the years there seem to be several common themes that have never changed. Two of them bother me the most, and they are, in my opinion, the easiest to create and implement. As the saying goes, they just require a little sweat equity. The two I am referring to are documentation and security awareness training. Various standards, regulations and frameworks require them, yet so many organizations, large and small, don't do them, or don't do them enough.
Recently, I was conducting an assessment and when I asked the network and security teams a series of questions the conversation went something like this:
- (Me) Can you provide the documented firewall rules and router ACLs?
- (Them) Uh, we don’t have any. We just add and delete whatever the business needs, as needed.
- (Me) Is there an operational change management/change control policy or program that has been approved by management, communicated to appropriate personnel, and that has an owner to maintain and review the policy?
- (Them) Um, like I said, we just make changes as we need them.
- (Me) What are the criteria for ranking vulnerabilities, which may include consideration of the CVSS base score, the classification by the vendor or the type of systems affected?
- (Them) We just run a vulnerability scan a few weeks before the auditors arrive. So, no, we don't have a formal process for ranking. Anything that is a HIGH we try to fix as soon as we have time, but we need more staff because only Owen knows how to do this and he works remotely part-time.
This is just madness!
I get similar reactions when I ask questions about an organization's security awareness program. To which I always say, "Security awareness training is the cheapest risk-reducing measure out there." And again, in many cases, it is a one-time event at new hire orientation and is never seen again.
According to the latest Verizon Data Breach Report from 2018, 53,308 security incidents have taken place in the past year, with 2,216 reported data breaches across 65 countries and 67 contributors. A whopping 76 percent were financially motivated.
What is most scary is the fact that over a quarter of these incidents were insider-based. Insider threats can be the hardest to track down because the actor blends in well with your organization: they are trusted. Be sure to read more about insider threats in this article from our VP of Security Solutions, Mike McGlynn.
One of the easiest ways to make sure your company's employees and contractors will not make costly errors is to implement an organization-wide security awareness training program that is not limited to classroom-style training sessions, but also includes security awareness website(s), tips of the week/month via e-mail, social media, videos, and even posters or banners. These methods can help ensure employees have a thorough understanding of the company's security policy (that is, of course, if they have a documented security policy). This training can be a fun event! It does not have to be a stuffy PowerPoint, but it does need to happen, and companies do need to find the time for it.
I can promise you one thing: if you have a well-documented security program and are enforcing security awareness training for all employees on a regular basis, your auditors won't be the only ones who are happy, because your breach risk level goes down. Remember, security is everyone's responsibility.