The Security Culture Playbook. Perry Carpenter

Title: The Security Culture Playbook
Author: Perry Carpenter
Genre: Foreign computer literature
Publisher: Foreign computer literature
ISBN: 9781119875246

to the fire. All of a sudden, organizations and employees were having to adapt to a new normal: working from home. Organizations scrambled to find ways to allow employees to work remotely and safely.

      The added confusion and chaos of a global pandemic, employees facing new routines and dealing with new systems, and people feeling more stressed and less connected than ever have all come together to create an enticing playground for social engineers. And they are taking advantage of it.

      How Bad Is the Problem of Ransomware?

      Cybersecurity Ventures recently published its forecast for the growth of ransomware over the next 10 years. It's not good. By 2031, “[r]ansomware is expected to attack a business, consumer, or device every 2 seconds […] up from every 11 seconds in 2021” (Braue, 2021).

       Over one-third of organizations globally have been hit by ransomware (International Data Corporation, 2021).

       Of those hit, roughly 87 percent ended up paying the ransom (International Data Corporation, 2021).

       We are now at a point where ransomware isn't just about making your data inaccessible; it's about exfiltrating the data, using it for extortion against multiple parties, and generally doing everything possible to gain leverage and destabilize your organization. You have no choice but to assume that a ransomware incident is a data breach (Sjouwerman, 2021).

       Social engineering via phishing, vishing (voice phishing), smishing (phishing via text message), and social media are all on the rise (Phishlabs, 2021; Martens, 2021).

       The global average cost of a data breach is $4.24 million (IBM, 2021).

       The global average cost of a ransomware attack is $4.62 million (IBM, 2021).

       The average per-record cost of a data breach is $161. That goes up to $180 if the record contains customer personally identifiable information (PII) (IBM, 2021).

      All of this rises to the level of materiality. And material risk is one of the most important things that an executive team and board of directors is concerned with. This is why it is so important to make your human layer of defense a central part of your cybersecurity narrative.

       Your People and Security Culture Are at the Center of Everything

      Your people are the most important element of your cybersecurity program; ignore them at your peril. Technology will only get you so far. So it's time to elevate human-layer defense to the forefront of the conversation. And it's time to deliberately and methodically focus on security culture.

       Humans decide what technologies to purchase.

       Humans decide what risks to focus on and how to gain visibility into those risks.

       Humans determine the need for new processes.

       Humans review and tweak the settings of business technologies.

       Humans are in charge of running, patching, and maintaining your security technologies.

       Humans design and code the applications you develop in-house.

       Humans review your third-party risk.

       Humans decide how they will respond to something that looks suspicious.

       Humans decide (both consciously and unconsciously) how they will react to the systems and information they interact with each day.

       Everyone you hire, contract, interact with, or sell to is human.

       Everything you design, sell, or develop business from is ultimately in service of humans.

       Everything and everyone in your organization is impacted by the decisions, behaviors, and expectations of other humans.

      Your people and your security culture are the heart of your cybersecurity program. In this book, we'll share a number of interesting (and maybe even shocking) insights related to how your security culture will either be a net benefit or a huge liability for your organization. Here's an example.

      Let's put that into raw numbers. In organizations with a “good” security culture, one employee out of 1,000 is likely to be tricked into giving away their credentials or entering other sensitive data as part of a phishing scam. But, in organizations with a “poor” security culture, that number jumps to 1 out of 20.

      Our data shows that, in organizations with a “poor” security culture, 1 employee out of 20 is likely to be tricked into giving away credentials or entering other sensitive data as part of a phishing scam. That's in stark contrast to organizations with a “good” security culture, where that number is reduced to 1 out of 1,000.

      That's just one stat and one way of measuring the benefit of having a good security culture, but it makes the point: Focusing on your security culture is critical to your overall cybersecurity program and critical to the overall risk posture of your organization.

      Traditionally, the board of directors required reporting based on an increasing risk to the business. For example, back in the early 2000s, the threat of computer viruses wasn't on the radar at the board level; it rarely rose higher than senior IT leadership. However, as the impact of data breaches, destruction of complete networks, and direct monetary theft became a reality, corporate boards took notice. They ramped up the reporting requirements, wanting increased visibility into their defenses. They even created new roles, such as CISO, that often had direct reporting to the CEO or even the board.

      Ransomware, social engineering, and human error have proven to be an existential threat to businesses of all sizes.

      Intellectual property theft, multi-step extortion, customer and employee data theft, multimillion dollar ransom payoffs, brand and reputation damage