“Loose Lips Sink Ships” was the catch-phrase of a U.S. operational security campaign to tighten intelligence discipline during World War II. Seventy-eight years ago, a concise, four-word slogan was probably sufficient to remind the average American serviceman and civilian that he might know something that would be valuable to the enemy and that he ought to watch what he said. Today, the average American knows, saves and has access to so much more information—data that, if exposed/disclosed to the wrong people, could harm him, his family, his company and his country. The need for information security and a focus on insider threats has never been more important just as the steps needed to protect that information have become more and more complicated and burdensome.
But it’s a burden we have to accept. The cyber security landscape is constantly changing, and your cyber security strategy must evolve with each new threat. This isn’t a new notion. Anyone leading his company’s security effort knows that the risks change and grow constantly. Each year, new trends and hazards have to be spotted, assessed and added to mitigation plans. As in actual battle, the effort to defend your organization must include dealing with the exhaustion that results from constant struggle. Cyber fatigue is almost as much of a threat as the actual menace of a cyberattack.
Cyber fatigue may be affecting your workforce more than ever. Having to regularly change a myriad of passwords, being denied the opportunity to use workarounds or non-authorized software, having to accept WiFi limits on personal devices and internet surfing from office computers, and being barred from copying data to your personal devices to make working from home easier—these are the kinds of issues that exhaust and aggravate many workers. Good security policy can seem like a drag on the pace of business, but you can read about the consequences of failing to follow these best practices on an almost weekly basis.
What to do? The problem can seem insurmountable. It’s now a maxim in the business world that there are two kinds of companies: those who know they’ve been breached and those who do not. If the OPM or Target or Verizon or Equifax or numerous others couldn’t protect themselves, how can you expect to? How can you know whether your partners and contractors are acting in a secure manner? And is your company really a target? How can you ensure strong cyber security when so many factors make it seem like a futile exercise?
First, by doing exactly what the U.S. Government did in World War II. Enlist everyone from the guys on the loading dock to the suits in the boardroom. Technology can only do so much for you. If even one well-placed employee ignores the rules, a company might as well write off its technical investment entirely. Convincing the entire company that practical individual security discipline is in everyone’s best interest is the key. Make attacking your company more trouble than it’s worth.
Educating the workforce does not have to be tedious. Train the staff to recognize a phishing campaign or spearphishing ploy by sending examples to the workforce and individual employees. Don’t make it a “gotcha” exercise; perhaps inject some humor into the scheme. Give credit to anyone who spots an attack or asks the good question or comes up with a better idea. Distribute a monthly eNewsletter that highlights noteworthy company cyber events like the number of attempted intrusion detections. Be as candid as you can in explaining where you think the risks are, what hackers may be trying to compromise and the likely consequences if they succeed. Reiterate how failing to live up to sound cyber security policy can impact their personal lives and the well-being of their families. Let everyone know how the fight is going.
Second, make working with your company’s technology as simple and user-friendly as possible. If multiple passwords and frequent changes are an issue, make sure employees have only the access they need. Close or delete unused accounts. Fewer accounts means fewer passwords. Consider improvements that don’t necessarily require more passwords, e.g., two-factor authentication. If BYOD is what your company needs and the employees want, invest in making it safe with education and proper technical support. Keep the number of notifications and administrative communications to a minimum. If the staff doesn’t need to know about updates and “regularly scheduled weekend maintenance,” there’s no need to tell them. As long as it can be done securely, automate everything you can. If a task or responsibility can be lifted from employees’ shoulders, do it. Ensure that your technical security is up-to-date and configured to your company’s requirements. Don’t create more work than you need to do. Make dealing with cyber fatigue part of your ITP.
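As an added example of putting “close unused accounts” into practice (this is not code from the original article): a small script that reads an account export and flags enabled accounts with no successful login in a set number of days, so they can be reviewed and closed. The export format and column names (username, last_login, enabled) are assumed, and the sample data is constructed.

```python
"""Flag dormant accounts for closure: fewer live accounts means fewer passwords to manage."""
import csv
import io
from datetime import date, timedelta

# Constructed sample export (not real data). Column names are an assumption:
# an empty last_login means the account has never been used.
SAMPLE_ACCOUNTS = """\
username,last_login,enabled
alice,2023-11-02,true
bob,2023-04-18,true
svc-backup,,true
carol,2023-10-30,false
dave,2022-12-01,true
"""


def parse_accounts(csv_text):
    """Parse the export into dicts with a real date (or None) and a boolean enabled flag."""
    accounts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        last = row["last_login"].strip()
        accounts.append({
            "username": row["username"].strip(),
            "last_login": date.fromisoformat(last) if last else None,
            "enabled": row["enabled"].strip().lower() == "true",
        })
    return accounts


def find_dormant(csv_text, as_of, max_idle_days=90):
    """Return sorted usernames of enabled accounts idle for more than max_idle_days.

    as_of is an ISO date string (the day the report is run). Accounts that have
    never logged in are flagged too: they still carry a password an attacker could use.
    Already-disabled accounts are skipped, since there is nothing left to close.
    """
    cutoff = date.fromisoformat(as_of) - timedelta(days=max_idle_days)
    flagged = []
    for acct in parse_accounts(csv_text):
        if not acct["enabled"]:
            continue
        if acct["last_login"] is None or acct["last_login"] < cutoff:
            flagged.append(acct["username"])
    return sorted(flagged)


if __name__ == "__main__":
    for name in find_dormant(SAMPLE_ACCOUNTS, "2023-11-15"):
        print(f"review for closure: {name}")
```

The idle threshold is a policy choice; run the report against your real export with the window your access-review process specifies.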
It is easier to adjust to changes in the technical threat matrix than to create a healthy security environment. The technology, just like the threat, is evolving every day, but people can be relied on eventually to lower their guard or simply be fooled. According to Verizon’s 2017 Data Breach Investigations Report, “66% of malware in 2016 was installed via malicious email attachment.” Nevertheless, any organization can improve its chances of successfully defending itself by making sure its staff knows the possible pitfalls of cutting corners and recognizes the hackers’ tactics.