Reinforcing the Weakest Link of Your Cyber Resilience Program
By Keith Burkhardt, Vice President, Kraus-Anderson Insurance
As it turns out, the breach was traced back to a recalcitrant employee who, despite warnings from his IT department, persisted in using his laptop on an insecure Wi-Fi network in a particular coffee shop. To further complicate matters, this was not just any employee; it was the CEO himself.
As the decidedly analog Pogo once said, we have met the enemy and he is us.
In my discipline of risk management, we work closely with CIOs, owners, and other business leaders to identify and address the risks inherent in information systems operations. Over the past 3-4 years, we’ve seen considerable progress in the way companies, particularly more nimble companies, have ramped up their cyber resilience efforts in multifarious ways: implementing rigorous data hygiene, addressing storage vulnerabilities, tightening intellectual property protections, and developing systems response plans. As understanding of cyber resilience has evolved, more CIOs are now taking a well-deserved and needed seat in the C-suite, advising CFOs and CEOs so that they make more proactive decisions about IS investments in the interest of risk management.
Yet even as businesses have gotten better about cleaning up their information systems’ vulnerabilities, the biggest vulnerability of all is the one you can’t exactly toss out: the humans that the systems are designed to serve. Even the most dedicated CEOs can bring traits to the table (rushed, fatigued, not always keeping up with learning) that put them at risk of becoming a hacker’s unwitting best friend.
Nor are they the only ones to be concerned about. That millennial sipping coffee next to the CEO might be using a dedicated VPN, but may also be spilling secrets by talking too loudly over his Bluetooth headset, or by over-sharing on social media. And we all know what Equifax was using for its password, right?
Regardless of our training or demographics, we all have our strengths, weaknesses, and blind spots. So what’s a CIO to do?
Play Where the Puck is Going
As advisors and consultants, our team tries to follow the advice of hockey great Wayne Gretzky and anticipate where the puck is going. In the case of cyber resilience, I think CIOs would do well to take aim at the human risk factor.
Mind the Gaps
Spend some time looking at the gaps in your cyber resilience system protocols. Self-evaluation is one tactic. One of our KA colleagues, Mike Benz, Director of IT at Kraus-Anderson Construction Company, has developed a self-evaluation tool based on criteria from the National Institute of Standards and Technology (NIST), designed specifically to help contractors evaluate their ability to identify, protect against, detect, respond to, and recover from cyber events.
Benz notes that “The tool suggests specific improvements in areas where the company has the biggest gaps, compared with industry averages and best practices. Each recommendation balances cost with risk reduction potential.”
Probably one of the best investments you can make is identifying your users’ behavioral risks and addressing these with training.
Cyber security providers such as Darktrace leverage powerful AI algorithms that mimic the human immune system’s defenses to provide 24/7 monitoring of employees’ data use, flagging problematic behavior in order to spot emerging threats that would otherwise go unnoticed.
Employees bring uneven, only partly overlapping understandings of the systems they use, and that variation in understanding compromises cyber resilience. Online training can smooth out those sometimes wild swings in levels of understanding and help companies establish a consistent baseline of cyber resilience competency among employees. Our agency maintains a client portal online training center that offers a series of 5 cyber risk courses that can be taken in an hour or less, with documentation of completion. The trainings reveal gaps in understanding that can indicate to supervisors where further attention is needed.
Get Onboard with HR
Another opportunity for the CIO is to get embedded in the process of hiring new users. Just as companies maintain regular training relating to safety, discrimination, harassment, and other vital standards, cyber resilience training can and should become baked into your employee onboarding, life cycle, and exit protocols.
And, with a nod to your HR colleagues, consider bringing cyber closure to the exit interview. Offering last-chance amnesty for full disclosure of any competitive data that has been illicitly shared during the employee’s tenure could mitigate many post-termination issues. Such prudence allows the company to avoid extensive forensic and legal costs.
However far along your team is on the learning curve, cyber security events still rely on user error, manipulation, and the exploitation of bad habits. Now that you’ve cleaned up your systems, the opportunity for today’s CIO is in making proactive choices to anticipate where the puck is going, and in taking steps to establish, elevate, and even draw out a baseline of cyber resilience competencies among your users.