The Security Culture Playbook. Perry Carpenter
Читать онлайн книгу.
to the fire. All of a sudden, organizations and employees were having to adapt to a new normal: working from home. Organizations scrambled to find ways to allow employees to work remotely and safely.
The added confusion and chaos of a global pandemic, employees facing new routines and dealing with new systems, and people feeling more stressed and less connected than ever have all come together to create an enticing playground for social engineers. And they are taking advantage of it.
The added confusion and chaos of a global pandemic, employees facing new routines and dealing with new systems, and people feeling more stressed and less connected than ever have all come together to create an enticing playground for social engineers.
How Bad Is the Problem of Ransomware?
Cybersecurity Ventures recently published its forecast for the growth of ransomware over the next 10 years. It's not good. By 2031, “[r]ansomware is expected to attack a business, consumer, or device every 2 seconds […] up from every 11 seconds in 2021” (Braue, 2021).
Here are a just a few points to help put the problem into perspective (as of 2021):
Over one-third of organizations globally have been hit by ransomware (International Data Corporation, 2021).
Of those hit, roughly 87 percent ended up paying the ransom (International Data Corporation, 2021).
We are now at a point where ransomware isn't just about making your data inaccessible; it's about exfiltrating the data, using it for extortion against multiple parties, and generally doing everything possible to gain leverage and destabilize your organization. You have no choice but to assume that a ransomware incident is a data breach (Sjouwerman, 2021).
Social engineering via phishing, vishing (voice phishing), smishing (phishing via text message), and social media are all on the rise (Phishlabs, 2021; Martens, 2021).
The global average cost of a data breach is $4.24 million (IBM, 2021).
The global average cost of a ransomware attack is $4.62 million (IBM, 2021).
The average per-record cost of a data breach is $161. That goes up to $180 if the record contains customer personally identifiable information (PII) (IBM, 2021).
All of this rises to the level of materiality. And material risk is one of the most important things that an executive team and board of directors is concerned with. This is why it is so important to make your human layer of defense a central part of your cybersecurity narrative.
Your People and Security Culture Are at the Center of Everything
Your people are the most important element of your cybersecurity program; ignore them at your peril. Technology will only get you so far. So it's time to elevate human-layer defense to the forefront of the conversation. And it's time to deliberately and methodically focus on security culture.
Human knowledge, beliefs, values, behaviors, expectations, and social pressures are involved in everything that matters within your organization:
Humans decide what technologies to purchase.
Humans decide what risks to focus on and how to gain visibility into those risks.
Humans determine the need for new processes.
Humans review and tweak the settings of business technologies.
Humans are in charge of running, patching, and maintaining your security technologies.
Humans design and code the applications you develop in-house.
Humans review your third-party risk.
Humans decide how they will respond to something that looks suspicious.
Humans decide (both consciously and unconsciously) how they will react to the systems and information they interact with each day.
Everyone you hire, contract, interact with, or sell to is human.
Everything you design, sell, or develop business from is ultimately in service of humans.
Everything and everyone in your organization is impacted by the decisions, behaviors, and expectations of other humans.
Your people and your security culture are the heart of your cybersecurity program. In this book, we'll share a number of interesting (and maybe even shocking) insights related to how your security culture will either be a net benefit or a huge liability for your organization. Here's an example.
While evaluating our security culture dataset, Kai's team recently made an interesting discovery. They took a sample of just over 1,100 organizations and nearly 100,000 employees and looked at employee susceptibility to phishing (measured via a simulated phishing test) as it relates to an organization's overall security culture (as measured by our Security Culture Survey) (Eriksen, 2021). There was one obvious correlation, which you are probably already anticipating: Organizations with a “poor” security culture had more employees who opened and interacted with phishing emails in various ways than employees in organizations with a “good” security culture. Yeah, we would expect that. But here's what we didn't expect: Employees of organizations rated as having a “poor” security culture were 52 times more likely to enter credentials as part of a phishing scam than organizations with a “good” security culture.
Let's put that into raw numbers. In organizations with a “good” security culture, one employee out of 1,000 is likely to be tricked into giving away their credentials or entering other sensitive data as part of a phishing scam. But, in organizations with a “poor” security culture, that number jumps to 1 out of 20.
Our data shows that, in organizations with a “poor” security culture, 1 employee out of 20 is likely to be tricked into giving away credentials or entering other sensitive data as part of a phishing scam. That's in stark contrast to organizations with a “good” security culture, where that number is reduced to 1 out of 1,000.
That's just one stat and one way of measuring the benefit of having a good security culture, but it makes the point: Focusing on your security culture is critical to your overall cybersecurity program and critical to the overall risk posture of your organization.
The Implication
Executive teams and boards of directors need to view security culture as a critical priority. While cybersecurity is a top-of-mind issue for many companies, it can be difficult to ensure that the right information is being shared at the top levels of the organization. To an extent, that's understandable; cybersecurity can seem like an abstract concept. It requires technical knowledge and expertise that can be difficult to translate into business-speak. And, when you don't know how to ask about or measure something, it's easy to ignore it altogether.
Traditionally, the board of directors required reporting based on an increasing risk to the business. For example, back in the early 2000s, the threat of computer viruses wasn't on the radar at the board level; it rarely rose higher than senior IT leadership. However, as the impact of data breaches, destruction of complete networks, and direct monetary theft became a reality, corporate boards took notice. They ramped up the reporting requirements, wanting increased visibility into their defenses. They even created new roles, such as CISO, that often had direct reporting to the CEO or even the board.
Ransomware, social engineering, and human error have proven to be an existential threat to businesses of all sizes.
Ransomware, social engineering, and human error have proven to be an existential threat to businesses of all sizes.
Intellectual property theft, multi-step extortion, customer and employee data theft, multimillion dollar ransom payoffs, brand and reputation damage