Despite the critical nature of cybersecurity, it is often made the responsibility of a few specialized individuals—even in large organizations. And that needs to change.
Robert Herjavec, star of ABC’s Shark Tank and founder of cybersecurity firm Herjavec Group, recently spoke with TechRepublic about his belief that cybersecurity in the workplace is everyone’s business. While there’s a crucial need for defined cybersecurity professionals in an organization, the rest of the employees need to be involved as well.
Good security starts with understanding the weakest link in an organization’s system. According to Herjavec, this is always human beings. “As long as there’s human beings, there will be security breaches and security flaws,” Herjavec said.
Two of the biggest threats facing the enterprise today are malware campaigns and phishing scams. Traditionally, both arrive as malicious emails that require an employee to act, by opening an attachment, clicking a link, or entering credentials into a form, and some of them have tremendous success.
While these attacks are designed to deceive, it is the employee who completes the action that lets the attacker into the network. Herjavec recommended that employers conduct training and internal testing, such as phishing their own employees, to help them better recognize these threats and not act on them. Herjavec said that he performs these tests on his own employees as a way to consistently bring the issue before workers.
“You’re never going to get 100% perfection, but at least it creates a sense of awareness,” Herjavec said.
In addition to offering training to prevent attacks, businesses also need tools that can limit the consequences of attacks, such as the exfiltration of corporate data. Companies that deal with a lot of data should invest in a data loss prevention (DLP) solution, Herjavec said. But that can create new problems, as employees can feel burdened by the friction such controls add to their daily work.
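To make the DLP point concrete, here is an added example (not code from the article or from Herjavec Group) of the kind of outbound content check a DLP control performs before a message leaves the network. It scans constructed sample messages for payment card numbers and a classification marker, and uses a Luhn check so that an order reference that merely looks like a card number is not blocked, which is exactly the kind of false positive that makes employees feel burdened. The sample messages, the marker word and the policy are assumptions made for the example.

```python
import re

# Constructed sample outbound messages for the example (not real data).
SAMPLE_MESSAGES = [
    "Hi Sam, the Q3 numbers are attached. Call me at 555-0100.",
    "Customer record: 4111 1111 1111 1111, expires 12/26",  # valid Luhn test PAN
    "Order ref 4111-1111-1111-1112 shipped today",           # looks like a PAN, fails Luhn
    "Sharing the CONFIDENTIAL roadmap doc as discussed.",
]

# Assumed classification markers a company might stamp on sensitive documents.
SENSITIVE_MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY")

# 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: true for well-formed card numbers, false for random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_findings(text: str) -> list:
    """Return (category, matched_text) pairs for content that policy treats as sensitive."""
    findings = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        # The Luhn check is the false-positive filter: without it, any long
        # digit run (order numbers, tracking IDs) would trip the control.
        if luhn_valid(digits):
            findings.append(("card_number", m.group(0)))
    upper = text.upper()
    for marker in SENSITIVE_MARKERS:
        if marker in upper:
            findings.append(("classification_marker", marker))
    return findings


def redact(text: str, findings: list) -> str:
    """Mask card numbers down to their last four digits; markers are left visible."""
    for category, matched in findings:
        if category == "card_number":
            digits = re.sub(r"[ -]", "", matched)
            text = text.replace(matched, "****" + digits[-4:])
    return text


def scan_message(text: str) -> dict:
    """Apply the assumed policy: block any message with a finding, else allow."""
    findings = find_findings(text)
    return {
        "action": "block" if findings else "allow",
        "findings": findings,
        "redacted": redact(text, findings),
    }


def scan_all(messages: list) -> dict:
    """Summarise a batch so the rate of blocked traffic can be reviewed for tuning."""
    results = [scan_message(m) for m in messages]
    blocked = sum(1 for r in results if r["action"] == "block")
    return {"total": len(results), "blocked": blocked, "results": results}


if __name__ == "__main__":
    summary = scan_all(SAMPLE_MESSAGES)
    for r in summary["results"]:
        print(r["action"].upper(), "|", r["redacted"], "|", r["findings"])
    print(f"{summary['blocked']} of {summary['total']} messages blocked")
```

Run as a script it prints the decision for each sample message; the blocked-to-total ratio is the number a security team would watch when tuning a real DLP deployment, since every false positive is a support ticket and a frustrated employee.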
In order to properly overcome this barrier and get all employees on board with security, Herjavec said that IT leaders and security professionals must adjust their message to fit the audience at hand.
“The one thing I’ve learned from being on Shark Tank for nine years is, to make a great pitch, the first thing you have to do is tailor your pitch to the audience,” Herjavec said. “The common flaw I see in a lot of these cybersecurity training exercises is it’s one message to the entire company.”
This also includes changing the amount of technical or business language in your pitch.
“CEOs, CISOs, people like that want to hear the effect of cybersecurity on the business,” Herjavec said. “People on the front lines want to hear the effect of security on their daily life.”
In addition to properly communicating the impact of security, business and IT leaders must be realistic about their ultimate goal with their security strategy. Realistically, Herjavec said, organizations should be working to decrease their incident response time.
“It’s impossible to stop a targeted breach, but it’s possible to have a very quick response time to a breach,” Herjavec said.
If a breach is to be expected, one may wonder why it is necessary to invest in preventative technologies. The analogy Herjavec gave is that if someone targets a home for a break-in, they are probably going to get in. That doesn't mean the resident shouldn't have doors, windows, and an alarm system. Knowing that someone cracked a window gives the resident time to respond accordingly, he said.
The security landscape is different from many other technologies in that its pace of change is so rapid, Herjavec said. As attackers and their tactics shift, it's important to keep employees aware of these changes.
Additionally, front-line security professionals should be properly equipped to deal with emerging threats. Security technologies are very good to have, but they become dated very quickly, Herjavec said. Companies shouldn't abandon them, but they need a strategy for adopting new niche technologies. For example, Herjavec said his team is seeing massive growth in threats at the endpoint, and that is one area businesses need to investigate. As such, leaders must allocate a percentage of their security budget to these new technologies to remain properly secured against the emerging threats they address.
Originally posted on techrepublic.com