Cybersecurity is as Much About Culture as Tech

When companies think about cybersecurity, their first instinct is to think about what technology they have in place to stop hackers.

But technology is only half the picture, and it may not even be the most important half.

I have been attending the FBI Citizens Academy at the Bureau’s Cleveland Field Office. It is a program the FBI runs every year to explain its mission to the public. At a recent session, we heard from a cyber-squad leader who shared some of his experiences with responding to crimes.

He said that the companies that respond the best to attacks by hackers are those that have developed a good security culture within their organization. The reason is that will all of the devices, systems, and software that companies and their partners use, there is likely a technical exploit in the system. Additionally, cybercriminals have gotten increasingly sophisticated with their approaches to employees. While no one likes to think they can be tricked, the reality is everyone is susceptible.

So, what should companies do? Here are some high-level takeaways from the presentation that deal with both technical and cultural aspects.  While they are not a panacea, they can help companies think about how to improve their defenses.

Technical Defenses

• Identify your most important digital assets and wrap them in layers of security. This offers the possibility of detecting an attack before it does severe damage.
• Keep software up to date. Apply patches as soon as possible. (If you can’t update software immediately or need to run tests, then increase monitoring of the exposed areas.)
• You are a risk to everyone you deal with, and they are a risk to you, so make security standards part of your contracting process with vendors.

Cultural Defenses

• Train Your Employees – Let them know what phishing e-mails look like and create ways for them to verify requests that don’t rely on a potentially hacked system.
• Eliminate Blame and Shame – Time is of the essence when a cyber attack occurs, you want to encourage people to report problems early, even if they were the one who clicked on a link they shouldn’t have.
• Have a Plan – Know what you are going to do and who is responsible for what part of the response. Hacks are not just an IT problem, you will need to communicate and take action with customers, vendors, law enforcement, and internally. Are you ready for all the implications of the attack.
  • Practice – Run tabletop exercises so that people are ready when and if something happens. This can also help you find things you may have missed in initial planning.
  • Build Resiliency – Learn from your plan and practices and make adjustments.
• Share Knowledge in Your Industry – Sharing knowledge and intelligence helps everyone defend themselves. We know that criminals work together, so the industry needs to as well. Sometimes this means working with your competitors, but it is better to help a legitimate competitor by talking than a cybercriminal by staying quiet. The IPA hosts regular calls with fraud prevention teams to encourage intelligence sharing.
  
  

Work with Law Enforcement

• Report Attacks – If you have been hacked, let the FBI know. In some cases, they can help companies mitigate attacks and recover stolen funds.
• Preserve Evidence – If you have intrusion and access logs or other data, use that. It can help identify and catch criminals.
• Understand the FBI’s Role – They will not share data, publicize the breach, or seize your servers.

 
The only thing that can eliminate all cyber threats is going completely off the grid. Since that is not an option in our modern society, we all need to develop best practices to increase our security. Following the above steps can give any company a good state.

More resources can be found at:

• Cybersecurity and Infrastructure Security Agency: Resources and Tools
  
• FBI Cyber Crime 
• Internet Crime Complaint Center