What Can We Learn?
Even without knowing all the facts, the Clintonemail.com server issue is a clear example of how the human factor can completely neutralize security controls when those controls conflict with usability and users bypass them. Although protecting classified information is central to the mission of the Department of State, Clinton developed and implemented an unapproved workaround for electronic communication that was more convenient but less secure. In this case, efficiency appears to have mattered more to the end users (Clinton and her team) than the risk of exposing classified information.
Unlike the Department of State, most organizations are not charged with protecting classified information, the consequences of a cybersecurity failure are less visible, and there is often limited oversight of employee activity. It is reasonable to assume that employees in organizations of all sizes are putting their employers at risk by working around security controls and willfully or unintentionally ignoring technology use policies. Think about your organization for a moment: do you know whether your employees are following technology use policies and using the officially approved methods for storing and communicating sensitive data?
The most important takeaway from this high-profile example is that security controls are only effective if they are used, and that there must be a balance between security and usability. Now is the time to think about how your organization encourages a cyber-secure culture and handles technology use and cybersecurity policies. Here are some quick tips that can help you with the process:
Tips to increase balance between security and usability of existing cybersecurity policies:
- Create a Cross-Functional Security Policy Development Team: Most companies have security policies and technology use policies that were developed organically or on an as-needed basis. Revising those policies, educating users, and ensuring that policies are followed and technology is used correctly is a greater challenge. One strategy to improve the development, revision and implementation of security policy is to create a Cross-Functional Security Policy Development Team. The team should include a member of the leadership team as well as individuals from each major business unit. Business unit representatives should have institutional knowledge of the organization as well as hands-on experience with the critical systems, applications and technologies common to users in their area. The team must also include a member of the IT or cybersecurity team.
- Establish Cyber Champions: After the Security Policy Development Team is established, the members from each business unit become cyber champions for the organization. Everyone in the organization should know who the designated cyber champion for their business unit is. Cyber champions play a critical role in building a cyber-aware culture by establishing a communication channel for information about security policies, technology use policies, and the consequences of not following policies or misusing technology. For individuals in each part of the organization, the cyber champion is the go-to person for questions, concerns or issues with policies that affect usability and the ability to get the job done. They can also serve as the liaison to the IT or cybersecurity team and as the first point of escalation for the common cybersecurity concerns individuals encounter. The cyber champion role can be expanded or leveraged in other activities designed to encourage cybersecurity awareness and the development of a cyber-aware culture.
- Bottom-Up Feedback Channels: Talking about cybersecurity problems and raising concerns about organizational policies that don't work can be intimidating for the average person. There have to be consequences for ignoring policies and misusing technology, but there also needs to be somewhere to turn when something doesn't seem right or when technology and policies prevent people from doing their jobs effectively. The cyber champion in each business unit can serve as the point person who carries individual concerns to the IT/cybersecurity team and to the security policy development team and leadership, for the purposes of continuous improvement, oversight and enforcement.
- Leadership Engagement: It is important for the team to meet on a regular ongoing basis and at least one permanent member of the leadership team should attend each meeting. Leadership participation will give legitimacy to the team and show the entire organization that cybersecurity is an organizational priority. Participation from leadership is also required to maintain a two-way communication channel from the bottom up and top down throughout the organization. During the meetings the team will discuss new policies, review existing policies, share technology use trends/issues and employee feedback from each business unit in the context of the current and emerging threat landscape. These meetings also give the IT/Cybersecurity team a chance to educate leadership and users about cybersecurity successes as well as new and emerging threats.
- Repeat and Expand: Cycle the members, update scope and responsibilities of the team as necessary to meet the needs of the organization as priorities change and the threat landscape evolves. Use employee feedback to improve policies and keep everyone in the organization engaged in the development and implementation of policies. The commitment from leadership combined with ownership and involvement from individuals throughout the organization will not only encourage correct behavior and enable oversight and enforcement, but also help turn the human factor in the organization into a cybersecurity asset.
At PSA, we believe that technology should enable business not prevent it, and cybersecurity is an organizational strategy, not something that lives behind a locked door or in the cloud. If you would like to learn about how cyber insurance can help your organization manage cyber risk, or if you are simply interested in a conversation to help implement the tips discussed in this blog we are happy to assist. Feel free to contact me at firstname.lastname@example.org.