A little competition could be a good thing, especially when it comes to building a cyber security culture, cyber expert Michael Echols suggested last week during a symposium co-hosted by the Travelers Institute and Economic Club of Canada.
Developing a solid defence against cyber attacks requires considering the people side of the equation, said Echols, executive director and CEO of the International Association of Certified ISAOs (Information Sharing and Analysis Organizations), or IACI.
“Creating a culture of cyber security is dependent on you getting people in your organization to become competitive,” he noted at the symposium in downtown Toronto.
“They have to believe that they can protect their environments and they have to understand that it’s incumbent upon them to use best practices,” he emphasized.
“You have to work with the people in your organization so that they can understand the culture of cyber security and how important it is,” Echols advised attendees.
Staff members also need to know “the success and the future of your organization is dependent on them and the failure of your organization from a cyber attack or a breach affects them,” he added.
Awareness is crucial given that spear phishing – people clicking on an email attachment containing a malicious embedded link – is “the number one attack vector,” he reported. “Since we know this, we should plan for it and you should spend the money on training,” he advised.
Beyond awareness, training and planning, though, there should also be a plan to fail. “Most of the issues come from errors and mistakes, not from hackers,” Echols said.
“If we use the best practices that currently exist, already on the books,” he argued, “we will kill 80% of all breaches.”
Echols’s advice? “Think about the worst thing that could happen and plan for it. Think about the lowest-level person in your organization that has access to your data, who has access to your systems and include them – as a matter of fact, make them a sentry, make them important in your organization,” he recommended.
Echols’s talk was part of the Travelers Institute’s Cyber: Prepare, Prevent, Mitigate, Restore symposia series for small and midsize businesses and organizations.
“Small and mid-size businesses are particularly vulnerable,” Joan Woodward, president of the Travelers Institute and executive vice president of public policy for Travelers, said in a company statement.
“By better understanding the risks, they can take the appropriate steps to protect their private information,” Woodward added.
Echols noted that an IACI small business analysis carried out last year showed there are scalable and affordable solutions available to small and mid-sized businesses.
Even so, “the small businesses aren’t buying them. Why?” Echols asked, responding “because the small businesses are the attack vector right now.”
He suggested “they’re the easy way in, and in most cases, they are attached to those larger enterprises and critical infrastructures,” such as those relating to transportation, telecommunications and IT.
That being the case, he suggested that small and medium-sized businesses need to be part of the discussion to develop a cyber solution.
“Why do we care about small businesses?” Echols asked. In both the United States and Canada, most of the gross domestic product “comes from small and mid-sized businesses and they employ most of the people.”
And then consider “that once a small and mid-sized business determines it has been breached, it’s typically out of business within the next six months,” he added.
“It’s important to protect small and mid-sized businesses, and more important, for those small and mid-sized businesses to protect themselves.”