All departments should help own digital risk management
Many organizations still adopt a fortress mentality when it comes to protecting their networks and data. There remains a common belief that the major threats come only from outside. Unfortunately, many threats, such as human error, stem from within, and if hackers do manage to get past the digital fortress walls from outside, they’re often able to move around the network unhindered.
This false sense of security often applies to digital risk management, in which the IT or information security departments are traditionally responsible for cybersecurity. However, attackers invariably look for the path of least resistance: the entry points that no one seems to be monitoring.
Marketing departments, for example, despite being on the frontlines of brand reputation, often present an easy way into an organization’s confidential assets thanks in part to their usage of unsecured channels like social media. In fact, according to our recent survey, only 1 percent of marketing departments share the responsibility of managing digital risk.
The Biggest Attack Surface Is the Human One
To the layman, cybersecurity conjures up highly technical connotations, hence the common belief that it’s something for only the IT or InfoSec departments to worry about. However, very few attacks are carried out exclusively through technical means.
The human attack surface is far greater simply because it’s much easier to exploit. Instead of attempting to exploit vulnerabilities in technology, attackers now launch social engineering scams against unsuspecting victims to find a way around conventional technological and administrative defenses.
In today’s workplace, employees have embraced social media platforms and digital collaboration tools and embedded them into their everyday work life. Social media has become a business essential, and because of this departments company-wide are primed to fall victim to social engineering attacks and scams.
The human attack surface encompasses every system, process, and employee across a company, but particularly those who engage with unsecured cloud applications. All departments need to cross the aisle and partner with the IT and InfoSec departments. By forging closer ties with senior security executives and even the CISO, they can position themselves as enablers of innovation without adding risk.
In an age of rapid change, where easy information-sharing and customer engagement are business imperatives, it's crucial that everyone understands the risk landscape.
Written Guidance Is Not Enough
Third-party platforms like social media, instant messaging apps and collaboration networks have become critical business enablers. However, without adequate protections, they greatly expand the attack surface and increase the liability of the company. In an effort to mitigate these risks, IT and InfoSec departments often provide written guidance documenting the correct usage of these channels.
A recent survey found that 83 percent of companies have existing policies governing the use of third-party platforms. Most of these policies discuss the potential risks of using these platforms in a business context as well as laying down some ground rules. Shockingly, only a third of policies include verbal guidance such as in-person training. Fewer still incorporate a process for requesting a new app to be added to the approved list, and 20 percent of policies completely rule out the use of personal devices for business matters.
Regardless of what a company’s security and privacy policies cover, they're only effective if everyone follows them. All departments must make it a priority to educate employees beyond basic written guidance.
Moreover, policies need to be frequently reviewed and updated to adapt to ever-changing business conditions and technologies. Without the means to enforce policies concerning third-party platforms, and to educate employees on why those policies exist, the policies are all but worthless.
If information security is entirely placed within the confines of IT, there’s inevitably going to be a conflict of interest. In such cases, security leaders will be more inclined to say no to deploying third-party technologies, but this is a reactive approach to a flawed environment.
Departments throughout the company must understand their role in exposing the company to digital risks and demonstrate a commitment to security. Working together with security and IT teams, employees can get the full benefits of social media and collaboration apps without fear that it’ll lead to a security incident in their company.