Human error is the most common cause of cybersecurity incidents; some reports attribute up to 90% of incidents to it.
Directors can ensure their companies have the latest and greatest firewalls, but without proper employee training and protocols, that technology won’t mean much. Sam Srinivas, Product Management Director, Information Security, at Google, says that boards need to “set a culture of proactive improvement of information security in their company.”
Srinivas will be speaking at the Cyber Risk Forum in San Francisco on March 4th, on the panel titled, “The Human Factor: How CEOs and Boards Can Ensure Your Employees are an Asset, not a Liability, in the War on Cyber.” In advance of the event, Corporate Board Member spoke to Srinivas about steps boards can take to help reduce human error at their organizations.
How can boards help make cybersecurity a strategic advantage for their organization?
By keeping a core focus on cyber risk in the company, the board can set a culture of proactive improvement of information security in their company. At the most basic level, such a focus reduces the chances of a major breach and the attendant catastrophic consequences.
At a more strategic level, a company with well-implemented security gains flexibility and adaptability. For example, if the company allows employees to work from home, a cafe or their own device, this can radically boost the employee’s productivity, morale and perception of freedom. But such access also has to be safe — it may not be appropriate to allow access to very sensitive information from a home device. It is possible to implement security such that depending on the employee’s context of access only the appropriate information is accessible. The workforce can thus enjoy flexibility in a responsible way.
As another example, a company may need to collaborate with customers and give them controlled access to the company’s internal information systems (e.g., to check inventory status). With well-designed security, customer access from outside to company internal systems can be made easy and delightful for the customer, thus bolstering the business. With older security models, such access may not be possible to enable at all, and this becomes a business inhibitor.
What are a few of the steps boards can take to help reduce human error at their organizations?
The board can encourage the company to implement the “only what they need” principle throughout the organization — this can radically reduce the chances of human error, whether inadvertent or malicious.
For example, a particularly sensitive production dashboard may give material advance information about a company’s financial results. This should be locked down to only those who need to see it, and perhaps access should be allowed only from company-managed devices, which are at lower risk of compromise.
As another example, consider an employee who needs access only to web-based applications and is given a powerful PC to do so. The employee can inadvertently install malware on the PC by, say, going to a bad website, and compromise themselves and the company. Instead, if the person has a locked-down modern browsing device such as a Chromebook, the problem of malware is mostly solved since nothing can be user-installed on the device.
What are a few initiatives that companies are taking to mitigate cyber risks through culture initiatives?
One of the primary attack vectors against employees is phishing — this is because it is an extremely effective means of stealing employee passwords (and even one-time passwords (OTPs)). Many companies now have internal campaigns educating employees about these and even send phishing emails with a “You got phished” warning to train employees about the risks. Similarly, they may deploy browser extensions that detect when the employee uses their corporate password on any other website so the password can be disabled.
These employee training initiatives are good steps, but companies have to consider new solutions which solve these problems at their root. For example, second factors based on new standards such as FIDO are available which cannot be phished — these are fundamentally better than OTPs, which are easily phished. Implementing such technologies takes some of the responsibility off of the employee’s shoulders and moves the solution into the infrastructure.
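The difference between a relayable OTP and an origin-bound FIDO assertion is easiest to see by simulating the phishing relay itself. The following is an added illustration written for this article, not Google’s code or a FIDO library: the real and phishing origins, the OTP seed and the authenticator key are all constructed, and an HMAC key stands in for the per-site key pair a real security key would hold (a real authenticator signs with a private key, and the browser supplies the origin inside clientDataJSON; the shape of the check is the same).

```python
import hashlib
import hmac
import secrets

# Constructed origins: the real corporate login page and an attacker's look-alike.
REAL_ORIGIN = "https://login.example-corp.com"
PHISH_ORIGIN = "https://login.example-corp.co"

# ---- One-time password (TOTP, RFC 6238 style) --------------------------------
# Constructed seed shared between the employee's OTP app and the server.
OTP_SEED = b"constructed-shared-seed"


def totp(seed: bytes, unix_time: int, step: int = 30) -> str:
    """Six-digit code for the current 30-second window (HOTP truncation)."""
    counter = (unix_time // step).to_bytes(8, "big")
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def server_verify_otp(code: str, unix_time: int) -> bool:
    return hmac.compare_digest(code, totp(OTP_SEED, unix_time))


def phish_relay_otp(unix_time: int) -> bool:
    """Victim types the code into the phishing page; attacker forwards it."""
    typed_by_victim = totp(OTP_SEED, unix_time)        # what the victim's app shows
    return server_verify_otp(typed_by_victim, unix_time)  # the real server accepts it


# ---- FIDO-style origin-bound assertion --------------------------------------
# Assumption: an HMAC key stands in for the authenticator's per-site key pair.
AUTHENTICATOR_KEY = b"constructed-per-credential-key"


def client_data(origin: str, challenge: bytes) -> bytes:
    """What the browser hands the authenticator: the origin it is really on."""
    return f"{origin}|{challenge.hex()}".encode()


def authenticator_sign(browser_origin: str, challenge: bytes) -> dict:
    """The authenticator signs over the origin the browser reports, not one the user types."""
    sig = hmac.new(AUTHENTICATOR_KEY, client_data(browser_origin, challenge),
                   hashlib.sha256).hexdigest()
    return {"origin": browser_origin, "challenge": challenge, "sig": sig}


def server_verify_assertion(assertion: dict, issued_challenge: bytes) -> bool:
    if not hmac.compare_digest(assertion["challenge"], issued_challenge):
        return False                                   # replay or wrong session
    if assertion["origin"] != REAL_ORIGIN:
        return False                                   # signed for a foreign site
    expected = hmac.new(AUTHENTICATOR_KEY,
                        client_data(assertion["origin"], assertion["challenge"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(assertion["sig"], expected)


def legitimate_fido_login() -> bool:
    challenge = secrets.token_bytes(32)                # server issues a fresh nonce
    assertion = authenticator_sign(REAL_ORIGIN, challenge)
    return server_verify_assertion(assertion, challenge)


def phish_relay_fido() -> dict:
    """Attacker forwards the real server's challenge to the victim on PHISH_ORIGIN."""
    challenge = secrets.token_bytes(32)
    assertion = authenticator_sign(PHISH_ORIGIN, challenge)
    forwarded = server_verify_assertion(assertion, challenge)      # origin mismatch
    forged = dict(assertion, origin=REAL_ORIGIN)                   # attacker edits origin
    rewritten = server_verify_assertion(forged, challenge)         # signature no longer matches
    return {"forwarded_as_is": forwarded, "origin_rewritten": rewritten}
```

The relayed OTP succeeds because nothing in the code ties it to the site the victim was actually on. The FIDO assertion fails both ways: forwarded untouched, the server sees a signature over the wrong origin; with the origin field rewritten, the signature no longer verifies. Note that forwarding the genuine challenge is not enough for the attacker, so a challenge check alone is not what makes the scheme phishing-resistant.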
Why should people attend your session?
In this session, I will discuss how boards can make people their asset by empowering them rather than putting them into straitjackets. I will discuss the BeyondCorp approach to information access, something that Google has deployed very successfully for its employees over the last few years. This turns security inside out and puts all of the company’s information resources directly on the Internet, but with strong application-level safeguards, which makes the overall security superior to the traditional model of having a firewall around the corp network with free access only from within. This new model leads to radical flexibility and ease for the various constituents who need access to a company’s information resources including employees, vendors, contractors, customers and partners.
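The “context of access” idea that runs through the answers above (a home device seeing only some information, the finance dashboard restricted to managed devices, customers reaching inventory status from outside) can be sketched as a per-request policy check of the kind an access proxy performs. This is an added illustration written for this article, not Google’s BeyondCorp implementation: the corporate address range, the resource list, the device-tier rules and the sample requests are all constructed, and it compares the same requests under a network-perimeter rule and under an identity-plus-device rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Tuple

# Constructed corporate address range used only by the perimeter model.
CORP_NET = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Device:
    managed: bool          # enrolled in company device management
    disk_encrypted: bool
    os_patched: bool


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    device: Device
    src_ip: str
    resource: str


# Resource -> (group that needs it, minimum device trust tier). Constructed.
RESOURCES = {
    "inventory-status": ("customers", 0),   # low sensitivity: any device
    "wiki": ("employees", 1),               # needs a managed device
    "finance-dashboard": ("finance", 2),    # managed, encrypted and patched only
}


def device_tier(d: Device) -> int:
    """Trust tier derived from device state, independent of where it connects from."""
    if not d.managed:
        return 0
    if d.disk_encrypted and d.os_patched:
        return 2
    return 1


def perimeter_decision(req: Request) -> bool:
    """Old model: inside the corp network means allowed, outside means denied."""
    return ip_address(req.src_ip) in CORP_NET


def beyondcorp_decision(req: Request) -> Tuple[bool, str]:
    """Per-request check of who is asking and from what device; location is ignored."""
    if req.resource not in RESOURCES:
        return False, "unknown resource"
    group, min_tier = RESOURCES[req.resource]
    if group not in req.groups:
        return False, f"user {req.user} not in group {group}"
    tier = device_tier(req.device)
    if tier < min_tier:
        return False, f"device tier {tier} below required {min_tier}"
    return True, "allowed"


# Constructed sample requests.
SAMPLE = {
    "finance_from_unmanaged_laptop_on_corp_wifi": Request(
        "alice", frozenset({"employees", "finance"}),
        Device(managed=False, disk_encrypted=False, os_patched=False),
        "10.20.30.40", "finance-dashboard"),
    "finance_from_managed_laptop_at_cafe": Request(
        "alice", frozenset({"employees", "finance"}),
        Device(managed=True, disk_encrypted=True, os_patched=True),
        "203.0.113.7", "finance-dashboard"),
    "customer_checking_inventory": Request(
        "acme-buyer", frozenset({"customers"}),
        Device(managed=False, disk_encrypted=False, os_patched=False),
        "198.51.100.9", "inventory-status"),
}


def compare(name: str) -> dict:
    """Same request under both models, with the reason the per-request policy gives."""
    req = SAMPLE[name]
    allowed, reason = beyondcorp_decision(req)
    return {"perimeter": perimeter_decision(req), "beyondcorp": allowed, "reason": reason}


if __name__ == "__main__":
    for name in SAMPLE:
        print(name, compare(name))
```

The two models disagree on exactly the cases the interview raises: the perimeter rule lets an unmanaged laptop on the office Wi-Fi open the finance dashboard and blocks the same finance employee on a managed, patched laptop in a cafe, while the per-request rule does the reverse; and it lets a customer on the open Internet reach the low-sensitivity inventory resource, which the perimeter rule can only do by punching a hole in the firewall.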