Publications

Office of Personnel Management, SONY,Target, Anthem. Most regular news readers will recognize these companies as the victims of successful malicious attacks culminating in data breaches of unprecedented magnitude.

 

But the majority of us are unfamiliar with the trials and tribulations suffered by the senior leadership of these corporations. Did they fully understand the threats facing them and the vulnerabilities in their corporate environments? Or did they misperceive the risks of being exposed in cyberspace?

​

Since 2015, several billion financial records have been breached. The website InformationIsBeautiful.net delivers a not so beautiful infographic depicting the worldʼs biggest data breaches over the last 15 years. It reveals over a billion records breached in that time period, beginning with the 2004 breach of 92 million records by a malicious insider at AOL.

 

 Surely these incidents reveal some failures in technology, but many of the companies breached were “hard and crunchy” on the outside with state-of-the-art intrusion prevention systems, next generation firewalls and state of the art technical controls.

 

Like their peers, they never realized that machines cannot protect against the wiles of the human attacker.

​

 Itʼs true - the machines of today cannot yet apply non-linear thinking to an incomplete picture to develop a reasonable hypothesis. Human analytical capacity via the “Human Firewall” is still the most effective weapon in a companyʼs security arsenal.

 

 The breached companies all shared one common weakness: They were hard and crunchy on the outside - but “soft and chewy” on the inside. They were reliant upon technical or machine controls to protect their companies against human attackers.

 

 Somewhere in the data breach equation, the human firewall failed. Invariably there were end-users who clicked the link, downloaded the malware, fell for the tactics of the social engineer, or inserted the infected USB drive. Some events, initiated by malicious insiders, were even ignored or simply overlooked by trusting co-workers.

 

 The fact is, every company is either waiting for a breach to happen, or is in the middle of a breach they know nothing about. The aware leader knows that itʼs a matter of “when” the breach will occur, not “if” it will occur.

 

The question many companies need an answer to is: “How do we create a culture of security awareness that activates the human firewall of our end-users so they remember that they are the critical component to our security programʼs success?

 

The answer lies in the understanding of risk, vulnerability and threats by the senior leadership. Security culture is not just built from the top down. Like our children who do NOT do what we tell them but instead DO what they SEE us do, end-users follow the security culture demonstrated by their senior leaders.

​

Rock solid security culture is built from within your organization by the participants who are aware, who care and who share the best practices that you model. 

 

 Lets talk about how to build a coaching culture inside your organization to help anchor your initiatives and make them "sticky"!

​

 

​