Imagine the following: A mid-level HR employee receives an unsolicited resume. The company’s policy is to forward all unsolicited and suspicious emails to a designated mailbox maintained by the IT group for further inspection before opening any attachments or clicking any links. The employee, without thinking, opens the attachment. This seemingly minor mistake allows a cyber-criminal to gain a foothold in the company’s network, from which he can pursue countless malicious acts that damage the company and its customers and result in millions of dollars of liability.
As the above example demonstrates, cybersecurity has become a critical issue for all companies, both large and small. Resources are increasingly being spent on bettering corporate cybersecurity practices. Whether companies focus on conducting risk assessments, implementing novel technologies, adopting new policies and procedures, or other options, there has been a clear shift towards a greater recognition of the importance of cybersecurity. While these are certainly important steps to take, they do not address one of the greatest vulnerabilities an organization faces: its employees.1 Until companies begin to alter their corporate culture in dealing with cybersecurity, it will always remain a weak link in their technical cybersecurity defenses. How can a company implement a cybersecurity-conscious culture? Through broken windows cyber-policing.
Size of the Problem
To understand the solution, it is important to properly understand the scope and scale of the problem. In 2015, the CEO of Lloyds estimated that the global cost of cyber-attacks on the corporate world would approach $400 billion.2 Juniper Research estimates that by 2019, that number will exceed $2.1 trillion.3 The rapid and unyielding explosion of the cost of cyber-attacks has forced companies, at all levels of governance, to place a renewed emphasis on hardening their cyber defenses. This new focus has manifested itself in several ways, including: increasing the role of the chief information security officer (CISO) in a company, spending upwards of $170 billion per year on cybersecurity by 2019,4 and making cybersecurity a board-level priority.
The time and resources devoted to cybersecurity are critically important to mitigating corporate cyber risk, but the above steps do little to address the underlying, persistent liability of employee carelessness. For example, a state-of-the-art alarm system does little good if a homeowner does not activate it. While cyber-criminals continue to innovate and create new threats daily (some estimates claim that 390,000 new malicious programs are created each day),5 the cyber-criminal’s greatest tool is still social engineering. Social engineering is defined as “an attack vector that relies heavily on human interaction and often involves tricking people into breaking normal security procedures.”6 Essentially, the core of social engineering is that a cyber-criminal uses a company’s own employees to let him in the proverbial front door, rather than having to defeat the technical cybersecurity measures that the company has put into place. The power of this attack vector is that it bypasses a company’s technical cybersecurity defenses, rendering moot all of the resources discussed above.
Broken Windows Policing
No matter how well a company develops its technical cybersecurity defenses, if employee culture is not addressed, there will always be a weak link that cyber-criminals can exploit to devastating effect. How can a company develop an employee culture that respects cybersecurity? The answer may be to take a page from New York history and implement a broken windows cyber policy. Broken windows refers to the famous New York zero-tolerance policing policy. The underlying reasoning for the policy is that by targeting minor crimes (such as vandalism), law enforcement will effectively address larger crimes. The essence of the policy is that it is easier to catch ubiquitous, visible, minor crimes than it is to catch sophisticated, large-scale crime, and that there is a substantial overlap between the perpetrators of both. Additionally, broken windows policing, by having zero tolerance for smaller crimes, instills a respect, appreciation, and knowledge of the law in all citizens. In the cyber context, the case for broken windows policing may be even stronger, as minor cyber-attacks are the foundation on which nearly all large-scale, headline-grabbing cyber-attacks are built. Famously, in the article that spawned broken windows policing, George L. Kelling and James Q. Wilson concluded that “untended behavior […] leads to the breakdown of community controls.”7
The very same can be said for cybersecurity: Untended behavior inevitably results in the breakdown of a company’s cybersecurity controls. Moreover, if a company implements a zero-tolerance policy for infractions of the cybersecurity policies and procedures, a clear and unambiguous message will be sent to all employees: Cyber risk created by employee carelessness will not be tolerated. By enforcing the rules against minor transgressions, through a zero-tolerance policy, a company can help create a cybersecurity-first corporate culture.
What does a broken windows cybersecurity policy look like in the corporate setting? There are three key elements: (1) employee education, (2) devoting sufficient resources to detecting minor infractions that are likely to be rooted in employee misconduct, and (3) a zero-tolerance policy on enforcing an appropriate response to identified infractions.
Any effective cybersecurity policy must begin by training employees about how to protect themselves and the company when using computers or other connected devices. Training should be done regularly, and should inform employees not only of their obligations, but also of the consequences of not following the rules.
Next, we turn to the allocation of resources. Companies must reevaluate how they focus their resources in defending themselves from cyber-attacks. While cybersecurity tools are critically important to defending an organization, if resources are scarce (as they are in nearly all circumstances), companies must ensure that sufficient resources are dedicated to the detection of employee errors. Regular penetration tests8 are a great resource for measuring the likelihood that employees will fall prey to common attack vectors. Understanding which employees are habitual clickers can be more valuable than any single cybersecurity resource. These tests should be done at regular intervals, and while it is important to test a company’s entire cybersecurity posture, special attention should be paid to testing employee adherence to promulgated procedures.
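As an added illustration of the detection side of this element (example code, not part of the original article), the script below aggregates the results of recurring phishing simulations per employee, flags habitual clickers across campaigns, and tracks the click rate and the rate at which lures are forwarded to the reporting mailbox over time. The campaign names, employee names, outcome labels and the two-campaign threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed phishing-simulation records (not real data): one record per
# employee per campaign. "outcome" is what the employee did with the lure:
# "clicked" (opened the link/attachment), "reported" (forwarded it to the
# designated mailbox) or "ignored" (did neither).
CAMPAIGN_RESULTS = [
    {"campaign": "2016-Q1", "employee": "alice", "outcome": "reported"},
    {"campaign": "2016-Q1", "employee": "bob",   "outcome": "clicked"},
    {"campaign": "2016-Q1", "employee": "carol", "outcome": "ignored"},
    {"campaign": "2016-Q2", "employee": "alice", "outcome": "reported"},
    {"campaign": "2016-Q2", "employee": "bob",   "outcome": "clicked"},
    {"campaign": "2016-Q2", "employee": "carol", "outcome": "clicked"},
    {"campaign": "2016-Q3", "employee": "alice", "outcome": "ignored"},
    {"campaign": "2016-Q3", "employee": "bob",   "outcome": "reported"},
    {"campaign": "2016-Q3", "employee": "carol", "outcome": "ignored"},
]


def summarize(results):
    """Per-employee tallies: campaigns seen, lures clicked, lures reported."""
    stats = defaultdict(lambda: {"campaigns": 0, "clicked": 0, "reported": 0})
    for r in results:
        s = stats[r["employee"]]
        s["campaigns"] += 1
        if r["outcome"] in ("clicked", "reported"):
            s[r["outcome"]] += 1
    return dict(stats)


def habitual_clickers(results, threshold=2):
    """Employees who clicked in at least `threshold` distinct campaigns.
    Counting distinct campaigns (a set) means duplicate records for the
    same campaign do not inflate the tally."""
    clicked_in = defaultdict(set)
    for r in results:
        if r["outcome"] == "clicked":
            clicked_in[r["employee"]].add(r["campaign"])
    return sorted(e for e, c in clicked_in.items() if len(c) >= threshold)


def campaign_rates(results):
    """Per-campaign (click_rate, report_rate); a falling click rate and a
    rising report rate over successive campaigns is the trend training aims for."""
    totals = defaultdict(lambda: {"n": 0, "clicked": 0, "reported": 0})
    for r in results:
        t = totals[r["campaign"]]
        t["n"] += 1
        if r["outcome"] in ("clicked", "reported"):
            t[r["outcome"]] += 1
    return {c: (t["clicked"] / t["n"], t["reported"] / t["n"])
            for c, t in sorted(totals.items())}
```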
Finally, we turn to how to effectively enforce a broken windows cyber policy. First and foremost, a policy must be centered on a zero-tolerance approach to cyber infractions. Because cyber-attacks progress through a company’s network, employees are the first line of defense against all types of cyber-attacks, both large-scale and limited in scope. For this reason, companies do not have the luxury of accommodating employees who do not follow the rules they were taught. While implementing a broken windows policy may force a company to make difficult decisions, by addressing one of the greatest sources of cyber risk, the cost is well worth the benefit.
The human element can be a company’s greatest asset, but in the cyber context it can be one of its greatest liabilities. A strong and clear message from a company’s leadership that even small infractions will be found and dealt with swiftly will go a long way toward minimizing cyber risk and severely limiting a cyber-criminal’s most favored vector of attack.
1. While the focus of this article centers on developing a cybersecurity-conscious culture for employees of a company, the same can and should be done for third-party vendors and any other groups that may have access to the company’s systems or networks.
8. A penetration test is “the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit.” http://searchsoftwarequality.techtarget.com/definition/penetration-testing.