People, Process and Security
Now that we are well into November and CyberSecurity Awareness Month is behind us, we can all forget about complex passwords, securing our firewalls and using encryption. After all, that’s why we hire cyber-security experts, right?
Unfortunately, no. What is closer to the truth is that each of us has as much involvement in cyber-security in our respective organizations (or homes) as the person hired (or asked nicely) to do that job. To “be secure,” we must consider our roles and how what we do supports the security controls in place.
Effective security is often considered to be a series of products or services put in place to protect us and our assets. We install locks on our doors and use codes or keys on our safes, and our workplaces use access cards. The approach that many of us experience suggests that the stronger the lock, the more difficult it is for a malicious agent to access or take what is ours.
Not so in the digital world. As we all know, we face a constant threat of viruses, fraud, identity theft and ransomware, all from just opening our email. Strong locks on our digital doors are a start, but technology is only part of the solution. As strong as the lock on our security perimeter might be, the people that we interact with and the processes that we build and follow can create the back doors that hackers look for.
So when we consider the effectiveness of our security practices relative to the cost, often calculated as the Return on Security Investment, where do the investments in training and process controls fit? Calculations of the return on our security investment often overlook our everyday investment in training: advising users not to click on emailed links and to practice good password etiquette are great examples of everyday security measures. Of course, sending an email to the organization or defining a process with integrated security controls must yield a positive return because of the low cost and high mitigation ratio that it brings. And achieving a positive return, for the business and home user alike, is the goal of any investment that we make.