Teaching the Security Mindset to Your Organization

We’ve all heard the old adage “the best defense is a good offense.” When it comes to cybersecurity that is certainly true. Defensive measures such as antivirus and antimalware, web content filtering, and spam blocking are all reactive strategies. They rely on previously identified definitions and patterns to block known threats. But hacking is a business and just as your business must adapt to changes in the market place to become successful, so too must the business of hacking. Those businesses are seeking to get around any known security walls by any means that they can and are doing so in increasingly creative ways. So how do you defend yourself?

The first thing to do is to reset your understanding of hackers in general. In many places in the world, Hacking is a high paying job that attracts some of the best and brightest minds out there. So get rid of the notion of the kid sitting in his mom’s basement trying to guess your password in between sips of Jolt Cola. The hackers that are targeting your organization likely work with organized crime syndicates or perhaps with foreign governments. They are generally well-paid for what they do, and may also take a certain amount of pride in being able to break into and subsequently steal information from your organization.

Hackers are also human beings. They may be backstopped by impressive technology, but at the end of the day they are flesh and bone just like you. So what does that mean for you, and how can you use it to your advantage?

A hacker will likely take the easiest route to success. Most hackers are working in a volume business. They need to steal whatever they can and then attempt to sell it to the highest bidder. They don’t necessarily care what information it is, just that it might have value to someone else. If you think about hacking as a business this makes sense. There are only so many hours in the day. Your typical hacker will be looking to maximize his working hours by accessing and stealing the most readily-available information. A hacker has his or her Cost of Customer Acquisition just like any other business. And that hacker wants to keep that cost (in terms of time) as low as possible.

Your job is to make the cost of the hacker acquiring you prohibitively high. The higher your cost to acquire – the higher the likelihood that the hacker targeting your business will simply move on to riper target.

There are many ways to make your company unappealing to hackers, but the easiest by far is for your entire company to adopt a security mindset. What is a security mindset?

Always think about the worst possible outcome.

Everyone in your company should be thinking about the worst possible outcome for every decision they make with respect to cybersecurity. You should train on it. This may seem somewhat doom and gloom, but by adopting this mindset your firm can protect itself without spending much money, if any. By teaching employees to ask themselves such questions every time a security issue presents itself, your company as a whole will become more alert and secure. Try a couple of these examples at your next training:

I’m leaving my hotel room. There’s my laptop on the desk. What’s the worst possible outcome?

Chances are the worst possible outcome here is that the hotel room gets robbed and the laptop is stolen. Depending on the information that was contained on that laptop, your company may be facing a breach scenario.

Secure Decision: Instead of leaving it out in plain view – use the room safe or the hotel safe. If it’s prudent, maybe just take the laptop with you.

I’m working in a coffee shop and not using the VPN. What’s the worst possible outcome?

The worst possible outcome here is that someone else is sitting on that public network watching all traffic flows and intercepts anything upon which you are working. Again, you have the breach scenario on your hands.

Secure Decision: While it may take a few seconds more, connecting to the VPN will remove this risk.

Someone representing to be the help desk just called me and claimed there was a virus on my computer and they needed remote access to fix it. What’s the worst possible outcome?

The worst possible outcome here is that the “help desk” is actually a malicious actor who is really more interested in installing a virus or malware. If you allow this to happen, you are facing breach. (Sensing a theme here?)

Secure Decision: In this case, your safest bet is to hang up and call your help desk. If, in fact, it was them, they’ll be happy to help you. If not, you will have stopped breach in its tracks.

I clicked on a link that did something funny, but my computer seems to be working fine. So I didn’t report it. What’s the worst possible outcome?

Your computer has just been infected with malware that is currently working through your entire network, enabling backdoors that will allow for a hacker to exfiltrate client data, employee data, or other sensitive information.

Secure Decision: Even if nothing appears outwardly wrong, if something you did gave you pause, call the help desk or your IT consultant and report it. They’ll be able to help.

In Closing

These are just a few scenarios that you can use to help everyone in your company adopt a security mindset. Remember, too, that executives and senior managers must help in this process as well. Partners or other decision makers at the firm often have access to the company’s most sensitive information and should be thinking from a security standpoint at all times. By taking the time to identify the worst possible cybersecurity outcome in a given situation, most of us will take the few extra seconds to make a more secure decision. It doesn’t cost anything, and can make a hacker look elsewhere for an easier target.