By Silka Gonzalez, an EO South Florida member and CEO of Enterprise Risk Management, Inc.
In 2014, we saw Heartbleed arrive on the cybersecurity scene. What was particularly remarkable about this vulnerability is that it can render the world’s favorite cybersecurity jargon—encryption—completely useless. So it wouldn’t matter if you conducted your bank transactions on a million bits of encryption, it could still be easily compromised thanks to Heartbleed.
You’d expect the reaction, the world over, to be shellshock (which, ironically, is the name of another equally dangerous vulnerability that arrived after Heartbleed)—followed by swift and decisive actions to correct the vulnerability.
Well…surprise! Shodan—which is like a Google for Internet-connected devices—recently said a search performed in January 2016 identified close to 200,000 Internet-connected devices that are still susceptible to the three-year-old Heartbleed vulnerability. Furthermore, the top 10 countries these servers are located in are among those on the frontlines of world economic discussions. Topping this list by a truly dominating margin is, unbelievably, the United States.
Here’s the worst part: This situation has no excuse.
There are literally hundreds of free tools and websites available online to identify if your server is vulnerable to Heartbleed. And these are the simple point-click-and-fire kind of tools.
So, folks, this really is an attitude problem. Imagine: One of the world’s most sinister, easy-to-exploit, and not-so-difficult-to-fix vulnerabilities, and our response to it is, “yeah, we’ll get to that … soon.”
Cat and Mouse
Cybersecurity has always been a cat and mouse game, with organizations being the mice that are always trying to protect themselves. But the cats have become better—lean-mean-mouse-catching-machine kind of better. And the mice still don’t want to fix something as simple as Heartbleed.
Given this scenario, hackers today are landing a significant amount of prey without trying too hard. It’s no surprise, then, that hacker attacks are on the rise and we’re up to our eyeballs with media stories on hackers looting and pillaging organizations around the world like modern-day pirates.
So what do organizations need to do to turn around this attitude problem? Here are three steps for getting started.
1. Cybersecurity Awareness Training
Ineffective or nonexistent security awareness training is one of the root causes of a poor cybersecurity attitude. One problem is the kind of training that’s available. We’ve long emphasized that the way organizations go about security awareness training today is obsolete. A bored employee doesn’t learn. An unengaged employee doesn’t care. You need to be innovative and creative to come up with security awareness training that educates, engages and enthuses. Consider videos that are fresh and interesting; tips and tricks that speak to employees in their language and have no hidden corporate agenda except highlighting what’s in it for them in security awareness; and fun face-to-face training sessions that leave them wanting more.
The age of “enforcing” and “policing” is gone. If you want to succeed in security awareness training, try to “sell” your employees the concept. A convinced employee will be a human firewall. A compliant employee will get you exactly that: compliance.
2. Cybersecurity Awareness Training … For the Board of Directors!
That’s right! The biggest reason for poor cybersecurity attitudes at the bottom is the missing tone at the top. While many regulators today are pinning more accountability on top management, why wait for regulators to hiss at you with their menacing fangs showing to make the change? The way hackers have advanced today, it’s no longer going to be enough for top management to say, “Yeah, I’ll just call my CISO in and he can answer that cyber-voodoo question.”
It’s critical for top management to improve their awareness and knowledge of cybersecurity, the threats their organization faces, and how the organization intends to deal with them. No, we’re not asking the CEO or board member to know the make and model of the latest and best security software or equipment, but we are asking them to know about the measures their organization is putting in place to combat the latest and greatest threats.
For example: Let’s go back to the Heartbleed or Shellshock vulnerabilities that exposed organizations worldwide to serious data breach risks. A CEO or a board member should understand, at a high level, what the vulnerability was, how it could impact the organization and what steps the CISO is taking to mitigate the risks that the organization faces. Security awareness training is no longer just for employees.
Take a look at this innovative security awareness video specifically made for CEOs, board members and top management.
3. The Vending Machine With an Attitude
Many times it’s not even your own employees with the attitude problem. Third-party vendors are increasingly becoming entry routes for hackers and are the seeds of several recent data breaches. SSAE 16 assessments (SOC1 and SOC2) of vendors will go a long way in giving you (and even regulators, by the way) confidence in your third-party security risk containment efforts. At a minimum, have your third-party vendors undergo an assessment by a security assessment firm of your choice. Why? If you were buying a used car, would you trust your mechanic’s advice or the advice of the car dealer’s mechanic who can’t stop smiling ingenuously at you? Yeah, that’s why.