As of January 1, 2020, the California Consumer Privacy Act (CCPA) is in effect, and with it comes a set of requirements for how your company protects personal information. Among them is a duty to provide "reasonable security" when handling that information. Fail to provide it, and a breach can expose your company to enforcement penalties and to consumer lawsuits for statutory damages.
What is reasonable security, and how do you achieve it? The California Attorney General's 2016 Data Breach Report pointed to the Center for Internet Security's 20 Critical Security Controls as the minimum baseline: an organization that fails to implement them is, in the AG's words, failing to provide reasonable security. What is notable about the CIS list is that it does not prescribe a specific technology. Complying with the CIS Controls is primarily a management process: deciding what you have, who may touch it, and how you will know when something goes wrong, and then putting people and budget behind those decisions.
"The danger is thinking that there's going to be a silver bullet, but it never arrives," said Stu Sjouwerman, CEO of KnowBe4, a security training company. "As a community in IT, you need to make a data-driven decision that having a human firewall is a really good idea."
The idea of a human firewall is that a well-managed company will have employees who do not fall for the social engineering that precedes a large share of data breaches. That means your employees must be instilled with what Sjouwerman calls a "security culture." With a proper security culture, your employees know not to click links or open attachments in phishing emails, and they know not to hand out the company directory or the CEO's contact details to an unverified caller. They also know when, and to whom, to report a suspected intrusion attempt, so that the security team hears about it while there is still time to act.
Getting a security culture into your company is not the easiest thing in the world, because it requires that your employees not take the easy way out when it comes to protecting the organization. It means they must choose long, complex passwords; they must not let people tailgate them through doors into secure areas; and they must not answer questions from outside callers unless communicating with the public is actually part of their role.
“You’re better off hiring the right people and training them,” Sjouwerman said. “You’re hiring for a security culture. They have a security awareness level so that they can be trained.”
To accomplish this, you need buy-in from your board, so that you have its backing when you institute security controls and when you limit hiring to people who understand why security matters, even if they still have to be trained.
Getting your employees motivated to be part of the security culture will take some effort. "You'll need an internal sales and marketing campaign, but everyone needs to be sold on the fact that security is important," Sjouwerman said.
Sjouwerman noted that near-daily media coverage of data breaches helps drive home the need to prevent them. "A boatload of those data breaches are caused by human error," he said.
The Management Approach
If you look at the 20 CIS Controls, you will see that they are framed as management processes, not as products. Tooling can implement part of many of them, but no appliance or software package satisfies a control on its own; each one still needs an owner, a policy, and someone checking that the policy is actually followed.
For example, the malware defenses control can be implemented largely with anti-malware software, but the control for access based on need to know starts as a management decision about who needs which data, which technical access controls then enforce. Likewise, the control to implement a security awareness and training program requires management commitment and the funding to match.
No doubt you are aware of the many companies selling products that they claim will solve all of your security problems if only you deploy them in your organization. The problem is that none of these products is completely effective. Even the best appliances and software packages miss some threats, if only because attackers are very good at finding ways past whatever products you have bought.
This does not mean you should not buy these products; you should. Even if they miss a small percentage of the attacks aimed at your network, what gets through is still far less than you would face without them.
But for your security to be effective, your employees, backed by your management approach, need to spot and report what the products miss.
To make all of this work, your employees need to see that management encourages their security awareness. That could mean a bonus for finding and reporting a threat. It could mean management's visible backing when someone reports a poor security practice in the workplace. It could even mean praise for proposing a new and better security practice.
What is key is that your employees are willing, even enthusiastic, participants in the security solution. It should not look to them like a burden or an unreasonable imposition. The bottom line is that they should want to be part of the solution.