BreachExchange mailing list archives

Lessons from Anthem: Make Every Employee Part of the Cyber Security Team


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 16 Mar 2015 19:08:26 -0600

https://in.finance.yahoo.com/news/lessons-anthem-every-employee-part-210000904.html

By now, many of us in the cyber security world are combing through a litany
of materials to analyze the causes, motives and methods of the Anthem data
security breach that turned the health insurance conglomerate upside down
and affected more than 80 million people.

There’s a great deal of talk about how such a breach could have occurred.
Understandably, pundits are pointing to the fact that the consumer
information in Anthem's database was not encrypted. Yet while data
encryption is a key component of any comprehensive security plan,
encryption wasn’t the biggest issue in the Anthem case. In fact, it's only
one tool in a chief information security officer's (CISO) arsenal for
preventing such threats.

Incorporating defensive security measures

The more crucial defensive security measure, I believe, lay in the way
Anthem detected the breach, and in what that means for how organizations
should leverage all their resources to combat cyber threats: at Anthem, a
nonsecurity employee made the discovery when he noticed that his database
credentials were being used to run a query he had not originated. In
retrospect, it’s unclear how much longer the infiltration would have gone
unnoticed had it not been for him.
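As an added example (not part of the article), here is a small audit-log check that looks for the kind of anomaly the Anthem employee spotted: a query run under a user's credentials from a host that user never used, or outside working hours. Each finding is routed back to the credential owner, who is the one person able to say "I did not run that". The log lines, host names, cutoff date and business-hours window are all constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not real data): "<ISO ts> <db user> <source host> <query>"
SAMPLE_AUDIT_LOG = """\
2015-02-01T09:12:03 jdoe ws-jdoe.corp SELECT count(*) FROM members WHERE plan='gold'
2015-02-01T14:20:31 asmith ws-asmith.corp SELECT claim_id FROM claims WHERE paid=0
2015-02-02T03:27:44 jdoe vm-ext-17 SELECT member_id, ssn, dob, address FROM members
2015-02-02T11:02:09 asmith ws-asmith.corp SELECT claim_id FROM claims WHERE paid=1
"""
CUTOFF = datetime(2015, 2, 2)   # entries before this date form the baseline (assumed)
BUSINESS_HOURS = range(7, 20)   # 07:00 to 19:59 local time (assumed window)

def parse_audit_log(text):
    """One dict per line; the query text is everything after the third space."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            ts, user, host, query = line.split(" ", 3)
            entries.append({"ts": datetime.fromisoformat(ts), "user": user,
                            "host": host, "query": query})
    return entries

def build_baseline(entries, cutoff):
    """Source hosts each user was seen querying from before the cutoff."""
    hosts = defaultdict(set)
    for e in entries:
        if e["ts"] < cutoff:
            hosts[e["user"]].add(e["host"])
    return hosts

def find_anomalies(text, cutoff=CUTOFF):
    """Flag post-cutoff queries run under a user's credentials from a host that
    user never used, or outside business hours; name the owner to ask."""
    entries = parse_audit_log(text)
    baseline = build_baseline(entries, cutoff)
    findings = []
    for e in entries:
        if e["ts"] < cutoff:
            continue
        reasons = []
        if e["host"] not in baseline[e["user"]]:
            reasons.append("new source host %s" % e["host"])
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours (%02d:00)" % e["ts"].hour)
        if reasons:
            findings.append({"notify": e["user"], "ts": e["ts"].isoformat(),
                             "query": e["query"], "reasons": reasons})
    return findings
```

On the sample log, only the 03:27 full-table read under jdoe's credentials from an unfamiliar host is flagged; asmith's daytime queries from the usual workstation are not.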

Here’s the point to take home. The average time for an organization to
detect a breach is 209 days, but maintaining a work environment where
everyone is conscious of security could significantly reduce that time and
the overall losses. The National Security Agency (NSA) headquarters is a
good example of a well-thought-out overall security posture (the Edward
Snowden issue notwithstanding).

You can't walk more than 20 feet into the NSA's headquarters without a
random worker stopping to ask where your badge is if one isn't visible.
Seventy years ago, the famous World War II posters exclaiming "Loose Lips
Sink Ships" were meant to enforce the idea that everyone must be concerned
about operational security. That's still true today: The key is to create a
corporate culture of detecting anomalies that might become real threats and
to involve every employee, not just the IT department.

In other words, incorporate cyber security sensitivity into your overall
corporate culture. Organizations such as the NSA, banks, etc. have, out of
necessity, incorporated a sense of physical security into their corporate
cultures, and today more organizations are feeling an increasing and
pressing need to incorporate cyber security sensitivity into their cultures
as well.

Putting it more bluntly: organizations are usually hacked through the
inadvertent, nonmalicious, but nonetheless unsafe activities of their
employees.

Four cyber-security scenarios to watch out for:

1. Employees whose public Facebook accounts disclose their full name and
date of birth could hand a cyber predator the pieces needed to obtain a
social security number and other essential information, and with it to
infiltrate your company's business and personal accounts.

2. “Shadow wi-fi accounts” that show up in public places, such as a
conference hall or hotel, prey on mobile devices set to connect to the
nearest open network. Such seemingly reputable access points convince
business travelers to unintentionally expose company information residing
on their iPhone, iPad or laptop.

3. Passwords are tough to remember, so people write them down in a notebook
or in an unencrypted file on their computer or phone. This common mistake
opens their accounts to an attacker with only a minimal amount of work.

4. An employee who receives an email from a stranger, or sees an ad on a
legitimate website, clicks on a link and instantly spreads malware
throughout the company’s network. This isn't a malicious act: the teammate
just didn't realize how harmful that one click could be.

Four ways to incorporate cyber security into your company culture:

1. Emphasize to your entire staff safe computer practices that go well
beyond lists of inappropriate websites to surf during office hours.

2. Give the same care and concern to cyber-security activities for
employees as you give to safety measures surrounding use of the office
building after hours.

3. Train all employees on good cyber "hygiene" (i.e., how not to click on
links in emails; how not to keep passwords in an open digital or physical
medium, etc.).

4. Limit the administrative reach available to regular users. This requires
a not-insignificant amount of employee process modification and change
management, but is key for a company to manage its cyber risk.

These moves don't mean that organizations should ignore their network
architecture, security patch programs, disaster recovery policies and
threat-management system deployment.

These elements remain crucial. However, implementing security measures only
through the IT department and failing to address the overall need for cyber
security sensitivity as a core component of the company’s corporate culture
is like locking the doors in your house but leaving the windows open to let
the outside air in.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
