Creating secure environments where we can conduct business safely, protect our customers, and create value that others can’t easily steal requires real determination to do things differently. We’ve seen plenty of organizations with large investments in security hardware and dedicated security teams suffer massive compromises. Real cybersecurity, however, involves a cultural shift at all levels of an organization that puts security first.
It’s the second week of National Cyber Security Awareness month. Last week we talked about educational components necessary to end the cycle of “cyber attack victims”. This week, though, we focus on an area in which many of us feel secure already: our places of work. Our offices and campuses often already have firewalls and other network security measures in place, so they’re inherently safer, right?
To some extent, that’s true. Even a mediocre firewall with gateway antivirus and content filtering helps keep users out of trouble, blocking many malicious websites and catching a variety of malware before it even hits our devices. We feel safer because someone (the information technology group, network security specialists, etc.) is watching out for us.
Unfortunately, one of two things often happens in a setting like this:
I spent quite a few years as a school IT administrator and I often commented that if students expended as much energy on their studies as they did attempting to bypass content filters, we’d have a nation of Rhodes Scholars. While the average employee is rarely as persistent as the average student in efforts to circumvent security measures, we observe attempts to use proxies and anonymizers in organizations far afield from education.
Organizations implement content filtering and application control for a variety of reasons. Regulatory requirements, productivity concerns, and malware control all play into the rationale. Do some businesses take a more draconian approach than they should? Yes; most of us have worked somewhere that made us feel controlled instead of empowered. And do some organizations do a poor job of communicating policy and rationale? Of course.
These kinds of missteps contribute to a culture that gets in the way of security instead of supporting and ensuring it. Controls, though, have a critical place in network security. What is often missing is a clear sense of the purpose and scope of these controls. Implementation will differ between organizations, but the real goal should be a shared sense of responsibility for security.
We talk a lot about layered approaches to security. Technology like content filtering is one of those layers and can keep us from stumbling into the nether regions of the internet where malware and other attack vectors lurk. It isn’t, however, a replacement for vigilance and mindfulness, especially as our devices are increasingly used both on and off our networks and the lines between work and play continue to blur.
Again, without a shared sense of responsibility and an organizational culture that is transparent about security and related policies, it’s easy to assume that technological controls will provide all the protection we need. In fact, as with most aspects of security, it’s the combination of infrastructure, software, and people that protects an organization and its data.
Organizations can promote a culture that puts security first by empowering employees to make good choices, educating them on security best practices and relevant threats, and being abundantly clear about the rationale behind security policies. Transparency and education create a culture in which employees support security instead of circumventing it, and in which staff are active participants in cybersecurity instead of passive bystanders.