Cybersecurity: Not Just an IT Issue

Culture that secures your data
Matthew Polatsek
February 2, 2023

One of the most significant steps an organization can take toward fending off cyber-attacks is fostering a cybersecurity awareness culture. It is no longer acceptable for employees to believe that cybersecurity is solely an information technology (IT) issue.

Strong cyber defense is about much more than having good technology. In fact, the most significant gap in cyber security is often ignored; the human element.

Imagine if your workforce was composed of human sensors, ready, willing, and able to spot and report suspicious activity on the network or their end-user devices(s). Developing an overall awareness of potential threats while ensuring that basic cybersecurity precautions are taken should be a fundamental part of any organizational business strategy.

2023 should look similar to preceding years with respect to cybersecurity. Credential compromise, phishing, exploiting misconfigurations, and ransomware will continue to dominate as preferred attack methods. More importantly, to quote directly from the 2022 Verizon Data Breach Investigations Report (DBIR), “the human element continues to drive breaches. This past year, 82% of breaches involved the human element. Whether it is the use of stolen credentials, phishing, misuse, or simply an error, people continue to play a very large role in incidents and breaches alike.”

What, then, can we do? I have often heard the phrase “Humans are the weakest link” in my cybersecurity professional career. If this is, in fact, the case and appears to be as evidenced by Verizon’s DBIR, why aren’t we spending more time and energy on ‘securing the human’?

Far too often, cybersecurity fails because IT or cyber teams tend to mandate what their workforce must do but never explain the ‘why’ behind it. As a result, there is frequent resistance when attempting to change user behavior and implement desired security initiatives. “Culture eats strategy for breakfast” rings true a little too well here.

Each department may face a unique set of potential security threats and circumstances. Finance and/or Accounts Payable departments may encounter fraudulent invoices sent to them, routinely targeted from spoofed email accounts. Human Resources needs to act swiftly during the employee termination process while IT works to decommission access and/or accounts. Client-facing teams may be near closing a deal only to find out a contract requires an attestation of SOC 2 compliance from the organization’s cybersecurity team.

Keep it Simple

Security doesn’t need to be complicated to be successful. Businesses that apply the principle of simplicity to their overall information security programs have employees who display desired security behaviors. Even the National Institute of Standards and Technology (NIST) is catching on to adopting simplicity, recognizing the need to reduce complexity in the broader cybersecurity ecosystem. One such example includes the simple password policy. Most of us are very accustomed to seeing the following:

  • Passwords must include a number, symbol, and upper and lower-case characters.
  • You must change your password every 90 days.

The aforementioned Verizon DBIR mentions passwords and their importance on more than 15 occasions. It may surprise you to learn that NIST did away with password expiration and password complexity several years ago. As it turns out, requiring frequent password changes tends to lead to user behavior that weakens a password’s strength. Complex passwords may be difficult for an adversary to crack, but they become equally hard to remember. It has been observed that when a user is forced to use a complex password and frequently change it, they will inevitably revert to creating new passwords that are simple variations of – you guessed it, their previous passwords.

A study by the University of North Carolina at Chapel Hill illustrates why user behavior can prove problematic. Researchers were provided with 10,000 user accounts, all belonging to former UNC personnel. As is typically the case, the personnel were required to change their password every 90 days. The researchers were then given at least four of the previous passwords associated with any one account in an attempt to determine an account’s current password based on the makeup of the four previously used. No brute force password cracking was necessary or even attempted, as a good portion of the time, all that was needed was to transform the previous password with a digit, e.g., “Password1” to “Password2”, or replacing a character with a symbol, e.g., replacing the letter “S” with the number “5” (five). All in all, success rates averaged about 17%.

What can be done to simplify these processes? We can start by leveraging technology in our favor, such as:

  • Using multi-factor authentication in conjunction with passwords.
  • Leveraging Single Sign-On.
  • Replacing password ‘complexity’ with passphrases.

Inspire Change

Humans are the attack mechanism of choice, which is why managing human risk has become so important. While leading organizational change and influencing behavior can be challenging, adopting the right approach and obtaining leadership team buy-in will go an exceptionally long way. The good news is that reinventing the wheel is no longer necessary to influence organizational change. As executives, you don’t need to be cyber experts, but you should play a role in building a business that prioritizes security and welcomes IT to the decision-making table.

Today, there are many valuable models that leadership teams can utilize to help drive desired organizational behavior, integrating cybersecurity into their strategic business plans. Examples include:

ADKAR model

  • Awareness (of the need for change)
  • Desire (to support the change)
  • Knowledge (on how to change)
  • Ability (to exhibit the change)
  • Reinforcement (to sustain the change)

AIDA model (Awareness, Interest, Desire, Action)

ADDIE model (Analysis, Design, Development, Implementation, and Evaluation)

Next Steps

Businesses can obtain the organizational outcomes they desire by involving all employees, leveraging sound methodologies, putting security into simple terms, and monitoring and continually evaluating changes. Leadership ultimately defines the culture not by what they say but by the behaviors they reward, punish, and tolerate. We hope your executive team will join our upcoming webinar, Cybersecurity: A C-Suite Priority, to learn more about how to build a culture of security from the top.

Matthew Polatsek