Cybersecurity Awareness Month: See Yourself in Cyber
Every October since 2004 has been designated Cybersecurity Awareness Month. This year’s theme is “See Yourself in Cyber”, which recognizes the key role people play in cybersecurity. The United States government’s Cybersecurity and Infrastructure Security Agency (CISA) publishes cybersecurity awareness presentations, tips, guidance and an awareness toolkit that can be used to create your own Cybersecurity Awareness Month campaign.
One area that is mentioned is regular training of employees on cybersecurity basics. Employee training is always a part of any cybersecurity awareness campaign, but it is usually focused on phishing and the other well-known, and well-used by criminals, social engineering methods of gaining unauthorized access.
What is rarely mentioned is the threat of a deliberate or accidental insider attack. We all want to think that employees are trustworthy, loyal workers who would never think of stealing or compromising corporate assets. But as this year’s theme is focused on people, we must consider that employees can be creatively devious when it comes to cybersecurity. People tend to be unreliable cybersecurity partners whenever cybersecurity is seen as a barrier to achieving their objectives.
Despite awareness training and cybersecurity tools, people can be very good at finding workarounds to cybersecurity basics. An example is the use of file shares or other data-sharing and collaboration tools. A shared space is created for a specific purpose, and access to it is managed by the owner of the shared space. The problem from a cybersecurity perspective is that there is no control over what data is placed in the shared space, and access management is left to the owner, who may grant access freely to anyone who requests it.
Over time, shared spaces become data landfills where no one, not even the owner, really knows what data is residing on the shared space. Because employees often use shared spaces to effect workarounds to security, shared spaces may include critical company data, personal data or other data that should never be outside the protection of an application’s database.
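One way to find out what is actually sitting in such a data landfill is to audit a shared space for the three warning signs described above: stale files, access granted too broadly, and content that looks like personal or application data. The script below is an added example, not part of the original post; it runs over a constructed inventory (the kind of export a file-share scanner would produce) rather than a live share, and the sensitive-data patterns and thresholds are assumptions to be tuned per environment.

```python
import re
from dataclasses import dataclass
from datetime import date

# Constructed inventory record for one file in a shared space (not real data):
# path, last-modified date, principals granted access, and a content excerpt.
@dataclass
class SharedFile:
    path: str
    last_modified: date
    grants: set
    excerpt: str = ""

# Patterns suggesting data that belongs in an application database, not a share.
# Assumed for this example; tune to the data your organisation handles.
SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}
# Principals that effectively mean "anyone in the company" (assumed names).
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}

def audit_share(files, today, stale_after_days=365, max_grants=10):
    """Return {path: [reasons]} for every file that needs the owner's attention."""
    findings = {}
    for f in files:
        reasons = []
        if (today - f.last_modified).days > stale_after_days:
            reasons.append("stale")                 # nobody has touched it in a year
        if f.grants & BROAD_PRINCIPALS:
            reasons.append("broad-access")          # granted to a catch-all group
        elif len(f.grants) > max_grants:
            reasons.append("many-grants")           # access handed out freely
        hits = sorted(n for n, rx in SENSITIVE_PATTERNS.items() if rx.search(f.excerpt))
        if hits:
            reasons.append("sensitive:" + ",".join(hits))
        if reasons:
            findings[f.path] = reasons
    return findings

# Constructed sample share: one clean file, one forgotten customer export, one
# spreadsheet shared with a dozen people that contains a card number.
SAMPLE_SHARE = [
    SharedFile("proj/plan.docx", date(2022, 9, 1), {"alice", "bob"}),
    SharedFile("old/customers.csv", date(2019, 3, 4), {"Everyone"},
               "jane@example.com,123-45-6789"),
    SharedFile("exports/q1.xlsx", date(2022, 8, 15), {f"user{i}" for i in range(12)},
               "4111 1111 1111 1111"),
]

def sample_findings():
    return audit_share(SAMPLE_SHARE, date(2022, 10, 1))

if __name__ == "__main__":
    for path, reasons in sample_findings().items():
        print(path, reasons)
```

A real run would build the inventory from the share itself (ACL listing plus a bounded content sample per file) and hand the findings back to the space owner as a review list.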
Human nature is unlikely to change because of a cybersecurity awareness campaign. What can be done is to manage access to company data and deploy cybersecurity tools that detect data transfers.
The most difficult, but most successful approach is to design cybersecurity into systems and processes such that effective, believable security is not complicated and is easy to use so that employees are not tempted to create security workarounds.