Cybersecurity is a broad and complex concept. It involves wide-ranging and growing risks that impact all businesses. Similarly, the list of measures that must be taken to mitigate, or at least reduce, these risks is growing in size and complexity.
As with any other unwieldy topic, practitioners have broken the broad concept of cyber protections down into pillars, splitting this large and esoteric collection of protections into manageable chunks. The most common model is a triad: people, process, and technology. Together, these three components represent the broad range of protections a successful cybersecurity program needs.
The two most accessible of these concepts are technology and people. Technology protections are represented by firewalls, anti-malware protections, and laptop locking cables used to protect our data and systems. These technical protections can be tangible or intangible but generally are things that are purchased and installed.
People protections are a bit more abstract. Training and awareness are common protections and can meaningfully drive down cyber risk by reducing negative behavior (do not click on phishing emails) and encouraging positive behavior (do report suspicious activity).
The last of the cybersecurity pillars is process. This component represents the need for sound processes that users are trained on and empowered to follow. Inconsistent and arbitrary business workflows and processes are ripe for mistakes and abuse.
According to the FBI, the use of email to perpetrate wire fraud (also known as business email compromise, or BEC) has been the number one cybercrime three years running. In a business email compromise, the attacker poses as a known partner or executive and engages an employee via email. Using this fraudulent persona, the criminal requests a change to bank routing information so that future payments are diverted. Criminals have used this simple technique to misdirect billions of dollars in invoice and payroll payments.
Business email compromise preys upon weak business processes. The following example shows how failure to follow process can easily lead to payroll theft.
A large healthcare organization on the west coast was the target of a phishing attack. The attacker created a fake email address in the name of the CFO. Pretending to be that CFO, the attacker sent an email into HR asking to change the bank routing information associated with his direct deposit. The HR clerk received the email and, even though the request had not come through the official form, sent it along to her manager for processing.
Luckily, the CFO worked down the hall from HR. Having doubts about the email, the HR manager stood up, walked down the hall, and asked the CFO about the request. The CFO knew nothing about it, and the attempted fraud was stopped.
The company had a sound process for changing personal banking information: an online form. The HR clerk, however, accepted the payroll change request via email. Only by walking down the hall and speaking to the purported requestor was the HR manager able to unravel the fraudulent request. Had the fraud succeeded, the root cause would not have been a missing process but a failure to execute the process the company already had.
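The attack above hinged on a mailbox created in the CFO's name at an outside domain, combined with a request to change direct-deposit details. The following is an added example, not part of the original article: a small Python detection rule that flags exactly that combination, run over constructed sample messages. The corporate domain, the executive roster, the sender addresses, and the keyword list are all assumptions made for the example.

```python
"""
Added example (not from the original article): a minimal detection rule for
executive display-name impersonation combined with a payment-change request,
the pattern in the payroll-diversion attempt described above.
"""
import re
from email.utils import parseaddr

# Assumed values for the example; substitute the real corporate domain and roster.
CORPORATE_DOMAIN = "example-health.org"
EXECUTIVE_NAMES = ("Pat Chen", "Dana Ruiz")

# Phrases that indicate a payment- or payroll-detail change (constructed list).
PAYMENT_CHANGE_TERMS = (
    "direct deposit",
    "routing number",
    "bank account",
    "wire instructions",
)


def normalize_name(name: str) -> str:
    """Lower-case, strip punctuation and sort tokens so 'Chen, Pat' matches 'Pat Chen'."""
    return " ".join(sorted(re.findall(r"[a-z]+", name.lower())))


EXEC_NAMES_NORMALIZED = {normalize_name(n) for n in EXECUTIVE_NAMES}


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def assess_message(msg: dict) -> list[str]:
    """Return the reasons a message should be held for review (empty list = none)."""
    reasons = []
    display_name, address = parseaddr(msg["from"])
    is_external = sender_domain(address) != CORPORATE_DOMAIN

    # Signal 1: an outside mailbox using the display name of a known executive.
    if is_external and normalize_name(display_name) in EXEC_NAMES_NORMALIZED:
        reasons.append(
            f"external sender {address!r} uses executive display name {display_name!r}"
        )

    # Signal 2: the body asks to change where money is sent.
    body = msg["body"].lower()
    hits = [term for term in PAYMENT_CHANGE_TERMS if term in body]
    if hits:
        reasons.append("requests payment-detail change: " + ", ".join(hits))

    return reasons


def should_hold(msg: dict) -> bool:
    """Hold on any impersonation signal, or on a payment change from outside the company."""
    reasons = assess_message(msg)
    impersonation = any(r.startswith("external sender") for r in reasons)
    payment_change = any(r.startswith("requests payment") for r in reasons)
    _, address = parseaddr(msg["from"])
    is_external = sender_domain(address) != CORPORATE_DOMAIN
    return impersonation or (is_external and payment_change)


# Constructed sample messages (no real people, addresses or domains).
SAMPLES = [
    {   # lookalike mailbox in the CFO's name asking HR to change direct deposit
        "from": '"Pat Chen" <pat.chen.cfo@mail-example.net>',
        "body": "Please update the routing number for my direct deposit before Friday's payroll.",
    },
    {   # the real CFO, internal domain, routine request
        "from": '"Pat Chen" <pchen@example-health.org>',
        "body": "Can you send me the Q3 headcount report?",
    },
    {   # reordered executive name from an outside domain, no payment content yet
        "from": '"Chen, Pat" <pat@webmail-example.org>',
        "body": "Are you at your desk? I need a quick favor.",
    },
    {   # outside vendor asking to change wire instructions
        "from": "Vendor Billing <ar@supplier.example>",
        "body": "Our wire instructions have changed, please see the attached letter.",
    },
]


def triage(messages: list[dict]) -> list[tuple[bool, list[str]]]:
    """Run every sample through the rule and return (hold?, reasons) per message."""
    return [(should_hold(m), assess_message(m)) for m in messages]


if __name__ == "__main__":
    for msg, (hold, reasons) in zip(SAMPLES, triage(SAMPLES)):
        print("HOLD " if hold else "pass ", msg["from"])
        for r in reasons:
            print("      -", r)
```

A display-name match on its own is a noisy signal, since executives often share names with customers and vendors, so a rule like this belongs in front of the human process, not in place of it. It buys HR a prompt to do what the manager in the story did anyway: refuse the email channel and verify the request out of band.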
Arbitrary, outdated, or unsupported processes will hinder any cybersecurity program. On the other hand, sound processes can reduce cyber risk across the organization. These processes should be thoughtfully designed and implemented for maximum effect. It is easier to get adoption if the processes don’t require additional effort.
Make the processes efficient. All cybersecurity professionals know of cases where a protective control was so cumbersome that it was ignored by staff.
Engage auditors to review and assess key processes. Audits are often an unappreciated component of the cybersecurity program.
Train the workforce on these processes and hold employees accountable for execution.
Empower the workforce to follow these rules. Consider the example above. When a request that bypasses the process appears to come from an executive, whether it is fraudulent or legitimate, will staff feel able to insist on the process anyway?
Be sure that processes are regularly reviewed to account for changes to the business. Clearly the rapid shift to work from home in response to the COVID-19 pandemic would warrant a review of processes.
The cybersecurity pillars of people, process, and technology will not function if any of the three are ignored. Organizations must recognize the value of processes as an equal, important part of the cyber triad.
Originally posted at Star Bridge Advisors - https://www.starbridgeadvisors.com/