Government manages by landmine, as do many private-sector businesses; I don't think anyone would disagree. Government cannot be convinced to act proactively in the face of a perceived threat: the impact must actually be felt before legislative or board action is taken. Predictions of lost business, brand damage, fines, or increased regulatory oversight fail to move the needle, although recent class-action suits and accusations of executive gross negligence seem to have some pucker power.
Policy, the set of rules under which we are either mandated to operate or agree to operate, can be a powerful security tool, especially when paired with a technical enforcement mechanism, and we are coming up on the time when policies need a hard look at what they can achieve.
Way back when I was CISO of a US city known for its tech business, we collected metrics showing that 40% of the compromised assets in the organization were due to the use of personal e-mail. 40%! After spending all that money to ensure that Outlook was free of bad attachments, links, and spam, users could still have a web browser open to their ISP e-mail account, happily clicking through all the clickbait they had attracted through their online activities. So how effective was that spend? Further, it is reported that 91% of "hacks" start with phishing to obtain credentials for easy entry, and social media exposures make the creation of compelling bait that much easier.
So follow the logic here: attacks start with phishing for credentials, social media sites are rich sources of targeting information, and personal e-mail use is a significant attack vector. Therefore, disallow personal use on business systems, and a lot of the problem goes right off a cliff, through a policy change! If personal use is constrained to personal devices, you will have raised the cost for threat actors to gain entry.
Everyone understands that the Internet is a useful tool for research, marketing, outreach, and customer engagement. But those activities are different from the entertainment aspects of social media, personal communication, and just "surfing", so technical enforcement of the policy would be nontrivial. However, a stated policy, combined with the occasional public hanging for noncompliance, would be a powerful demonstration of commitment. The time is coming to separate the church of Facebook from the state of business and government operations.