Cyber Safety – an Enterprise Change Initiative
CMI and Emerson Human Capital’s Cyber Safety Program
The current state of Enterprise Cyber Security is as complex as it is alarming. Technology solutions continue to evolve in efforts to improve protection and detection. Security Frameworks have been built out, refined and adopted. Employee training efforts have grown in depth and breadth. However, it is a rare week when the Wall Street Journal does not have news of a large breach reported on its front page. Every Information Technology professional certainly feels the urgency in the call to action, and yet the problem seems to be getting worse. CMI and Emerson Human Capital have joined together to create a Cyber Safety Program to help combat this, but we'll come back to that shortly.
Recently, several surveys and reports have broadly agreed on two facts that underscore both the cost of a breach and our relative inability to prevent or detect one:
- The average time it takes an organization to even detect an Advanced Persistent Threat in their infrastructure is now longer than 250 days.
- The most common entry vector for an Advanced Persistent Threat is through the actions (intentional or unintentional) of an organization’s employees.
Ponemon Institute released a report in August of this year calculating the cost of successful Phishing attacks at an average of nearly $4 Million annually. This report was based on a study they conducted of 377 organizations (39% of the companies had more than 1000 employees and 43% of the companies surveyed had fewer than 500 employees). What we know is that Advanced Persistent Threats are getting inside the enterprise, detecting them is difficult, dealing with the results is costly, and the most commonly used threat vector is via our employees, contractors and third parties.
Against this backdrop of scary scenarios, most experts in the field believe that investment in Employee Security Awareness Training helps to lower the risk profile. We completely agree that Security Awareness Training will lower your enterprise risk profile, but we have a different view on how that training should be organized and focused.
CMI has worked with the recognized Enterprise Change Management Leader (Emerson Human Capital) to create and deliver a Cyber Safety Program that uses proven Enterprise Change Techniques to actually modify employee behavior. The end result is not just to make your employees "less risky" but to make them "Security Detection Assets." Doing so requires that employees fully understand the Technology and Information Assets that they need to protect as stewards of the company's interests and assets. From there we identify the key behaviors that accomplish the desired outcome of protecting those company assets.
About 10 years ago the United States Military Academy (West Point) conducted a Phishing experiment on their cadets. Each cadet undergoes 4 hours of computer safety instruction at West Point. The Phishing experiment was done on 512 cadets and the failure rate (those who clicked on the link) was 80%. In subsequent years they fine-tuned the classroom instruction and the failure rate decreased but was still around 50%.
We look at this experiment as an example that training may not work – and by itself does not work well. The West Point Phishing experiment used an e-mail that appeared to come from a Superior Officer asking the cadets to click on the link (it also included the emotional tug of academic grades). West Point culture treats following the orders of superior officers as fundamental, so it is not surprising that the cultural norm prevailed in the cadets' behavior. That is an illustration of why our program deals with cultural norms within an enterprise, tapping into the culture in order to raise Security Awareness and modify employee behavior to significantly lower the enterprise risk profile.
The bad guys will continue to find new ways to socially engineer people and organizations. The good guys can train employees on specific trigger-points of "see that and do this," but that does not really change the basic problem. The basic problem is establishing the position that Security is not "I.T.'s problem," it is the company's problem. The future state that our Cyber Safety Program is designed to achieve is one in which company employees have a base understanding of information and technology assets and feel a compelling need to actively protect those assets. Not clicking on email links is an outcome, but not a destination.
Chief Technology Officer