Even if not directly, everyone who looks at the problem can see that the digital criminal is stealing everything.
Intellectual property, our access to money, our access to technology, even right down to locking us out of our own information unless we pay the ransom.
This is the face of crime in today’s world.
It is faceless, persistent and very rewarding at the criminal level.
We are constantly told by multinationals, government departments and politicians that we need to invest heavily in technology.
Throw newer and more expensive technology at the problem and eventually the problem will go away.
How is that working for you?
From my understanding – not very well!
We constantly see the headlines, on the internet or offline.
This organisation has been compromised and lost millions of credit card details, intellectual property and / or personally identifiable information (PII). Every compromised system can be traced back to simple and stupid mistakes.
In the fight against cybercrime, there are three inexpensive things that every organisation can do to counter the situation.
All of them have been discussed, all of them have been tried and all of them, according to the high-end masters, have failed.
That’s where we differ. In most cases they haven’t been done right.
Education and Cybersecurity
- We have to focus on the user. The staff member in reception, the travelling sales guy on the road or the boomer in the boardroom. They all need to understand that they are targets. The uneducated, ill-informed and ignorant are the primary targets of the cyber criminal. We have to lift the bar!
- To make the digital world safer for the users, everyone has to understand that it is a dangerous place. Maybe the headline to this section should be “ongoing education”.
- The most important part of education is regularly refreshing the information about cybercrime. Most organisations have a single cybersecurity induction process. A single course on what you are allowed or not allowed to do with the resources of the company. Do it once when you join and if you are there for 10 years you never have to revisit it. This is not enough.
- Education should be ongoing. It should include posters around the office, a regular quiz on what is good and bad business security, and regular courses, from the original onboarding / introduction through to a quarterly 30-minute sit-down. This also needs to be augmented with webinars, seminars and online courses.
- Your people should be spouting about security to their family and friends, telling the world what they know about cyber criminals and their targets and how your organisation is protecting that information.
- Digital security has to be front of mind if you want to protect your organisation. It has to be second nature!
Communication and Cybersecurity
- Both internal and external communication are absolutely critical to keeping your organisation secure.
- Internal communication comes from the top down, but input should be encouraged from every level. Everyone should be looking at and talking about business security. It should be discussed at board level as well as at morning tea.
- External communication should also be encouraged. Getting involved in message boards and chat sites is a start. Going incognito, like the bad guys, is OK.
- Get involved with similar organisations and regularly discuss problems and solutions, both those that have worked and those that have not. All of this information can be applied to your organisation.
- Digital criminals are constantly communicating: what worked, what didn’t work and how it was changed to make it work are all important information to the digital criminal. We need to have that level of communication in every organisation.
Penetration testing and Cybersecurity
- This is another critical component of digital security. When done correctly, it highlights lapses in concentration, incorrect configurations, unprotected systems and more importantly any other way for the bad guy to infiltrate your environment.
- Penetration testing is also a way to verify your investment: to make sure that it is going to do the things it was purchased to do, and to show that there is no set-and-forget security in today’s world.
- Penetration testing is not a manhunt, looking for a scapegoat or looking for someone to blame. In the digital world no single person can know it all; a pen test finds those areas where you have made mistakes so you can fix them before the bad guys discover the same mistake and exploit it to access your business.
- To do a penetration test, the team should have no restrictions, because the bad guys will have no restrictions. The bad guys will not worry about bringing down your web site, compromising your data server or hacking your email system, and that is the way a penetration test should be run. Prudence is the key, but to make your organisation as secure as possible it has to be done. It is better to be compromised by someone paid to do it rather than by someone who is out to make a quid on your mistake. It is better to be compromised and have something fail than to be compromised by a bad guy and be under the pump, with financial and time restrictions, to fix it.
- Every tactic of the criminal should be used to make sure the organisation is secure, from targeting the technology through to targeting the users and social engineering. Any and all tactics should be employed to prove your organisation is secure.
We are constantly told by the high tech masters that by throwing more technology at the problem of cybercrime, we will fix it. We have seen time after time that this is not the case.
Cybersecurity is a multi-faceted process, may I even say holistic.
Every component is needed to make the business environment secure. Education, communication and pen testing are up there with second-generation firewalls, patching and application whitelisting.
The most interesting part is that all three are the human side of digital security. They are constantly put down as a protective strategy by the technology gods we pray to.
A $15,000 investment in education, communication and penetration testing can have an outstanding ROI for any organisation.
If you want more information about how you can protect your organisation, please contact me at firstname.lastname@example.org