One of the most frequently misused quotes references the bottom of the totem pole. Many people associate it with negativity – “I’m stuck at the bottom of the totem pole.” However, the bottom was one of the places you wanted to be because it was one of the most honorable positions. It was those at the bottom who everyone relied on to hold society up. Cybersecurity is no different. Those at the bottom now must help hold up those at the top.
Twenty years ago, cybersecurity, to most of us, could only be found in science fiction and on campuses whose predictions about networks seemed decades away. Ten years ago, cybersecurity mostly consisted of ensuring your antivirus software was up to date and your coworkers didn’t click on links sent from Nigerian princes. Today, cybersecurity should be a bottom-to-top strategy, focused not only on your IT department but also on employees at the very bottom rung of the agency ladder.
Since computers went mainstream and the internet followed in those footsteps, security was mostly an IT concern. IT staff ensured everyone’s computer software was up to date, found the best antivirus software and installed it, and kept out as much spam as possible with tools that seem archaic by today’s standards. Cybersecurity was the concern of the top level, and employees barely needed to lift a finger to ensure the computer in their cubicle was secure.
Times have changed. Cybersecurity now starts at the bottom. In The Heritage Foundation’s “The Alarming Trend of Cybersecurity Breaches and Failures in the U.S. Government Continues”, two of the incidents they highlight were caused by standard employees. One, involving the Commodity Futures Trading Commission, was the result of a simple phishing e-mail scam. In this instance a hacker gained access to “sensitive information, including social security numbers.” The other involved the U.S. Army Chief of Public Affairs and a contractor who accidentally uploaded a database to a public server, resulting in social security numbers and other personal records being made publicly available.
Henry Sienkiewicz, Vice Chief Information Assurance Executive and the Designated Approving Authority for the Defense Information Systems Agency, recently spoke about cybersecurity at an AFCEA luncheon I attended. One of the main points he discussed was the need to move away from agency employees simply checking cybersecurity boxes and assuming they are now protected. Instead, it takes everyone’s awareness of the complete cybersecurity landscape to protect your environment.
Here is a list of three simple ways an employee is a potential cybersecurity risk:
- Bring Your Own Device (BYOD) – Many employees are bringing their own smart devices to work – sometimes they are encouraged to by agencies trying to reduce their budget. However, smartphones, tablets, and personal laptops are largely unaccounted for by your IT department. Without a standard BYOD policy, these devices usually don’t have the cybersecurity software installed to protect your agency’s information.
- Phishing – As noted above, simple email phishing scams are still causing agencies stress – 10 years after everyone became aware that the internet just doesn’t give away $1,000,000 for clicking a link. Today, however, phishing scams are, admittedly, becoming more advanced and harder to track. Now scams can involve simply opening a PDF or a hacker pretending to be UPS, asking you to click on a fake link to track an actual package. And if you think phishing is only for small-time hackers, think again.
- Browser Exploits – One of the easiest ways for a hacker to enter your network is through browser vulnerabilities. Many agencies are still using Internet Explorer 7, and very few require employees to update commonly exposed add-ons such as Java and Flash. We discussed a specific browser exploit kit called the “Blackhole”, which alone accounts for 28% of all web threats.
How can you adapt to this new cybersecurity paradigm shift? Start by working with your IT department to identify all the ways your employees’ actions can potentially weaken your agency’s cybersecurity strategy. Then write policies you and your co-workers understand and can abide by. Next, offer training to ensure that everyone not only understands the new policies, but also knows how to identify, report, and protect themselves from suspicious activities.
One last tip: Take the time to research emerging technologies that cater to user weaknesses. For example, there are many products that will help your agency adjust to a BYOD policy. Symantec, for instance, offers Management and Mobility products. And in case an employee loses a device, SolarWinds offers a User Device Tracker.