Data Perceptions Inc. - Products, offers, news

Articles

The Human Firewall in a Hyper-Connected World by Scott Murphy (May 2017)

The Human Firewall in a Hyper-Connected World

The human firewall is the first and last line of defense for an enterprise, and investments should be made in security awareness training across the enterprise.

In the security landscape, there are few easier opportunities for hackers to compromise an enterprise than by targeting the human beings that make up the workforce. People in an organization (employees, contractors, senior executives, and board members) are almost always the weakest link in the security ecosystem. They have been taught since they were toddlers to be helpful, curious, and, as adults, customer focused. Hackers take advantage of these ingrained traits using a wide variety of social engineering techniques to exploit access to an organization's resources and assets.

In the aftermath of the WannaCry crypto-locker worm that infected hundreds of thousands of computers in more than 150 countries earlier this month, information security advisors worldwide are preaching that enterprises need better firewalls, enhanced governance, faster patching, and more security staff. Most of these security tactics are needed to compensate for the shortcomings of the human firewall in the organization. Most compromises cannot be completed without a human security failure. The "human firewall" is essentially security awareness spanning the organization, including physical and digital security, and is an enterprise's first and last line of defense.

How do we keep an entire workforce aware of their role in the security of the organization? Traditional security awareness includes signing off on a computer use policy, once-a-year videos, lunch-and-learns, and standard employee contracts. These cannot compete against the ingenuity of today's hacker using social engineering, phishing attacks, spear-phishing attacks, business email spoofing, malware, trojans, USB thumb drive drops, and their future inventions. All it takes is one employee to click on a hacker's link and enterprise security is compromised. In a global survey conducted by consulting firm PwC, only 73% of organizations have senior executives that are actively communicating security awareness to their employees. This means that there are still significant opportunities for social engineering hacks, even if existing security awareness communications are effective.

This highlights the need for workforce security awareness training that is effective in implementing the human firewall. It is impossible for a business to get this perfect, but you can improve employee effectiveness in combating social engineering hacking techniques. The security awareness training needs to educate the workforce so that they understand not only what they should and should not be doing but also why. They need to understand the significance of security risks.

The ongoing challenge with any training is how do you get the workforce to:

1. Complete the training, as it takes time away from doing their job
2. Utilize their training effectively and at appropriate times, by making the right choices when put into different situations
3. Make the training pervasive in the organization, being delivered in a method that appeals to everyone

Two recent trends in security awareness training that can be used either individually or in tandem are:

• Gamification, which awards points and various forms of recognition to people who do the right thing during the training modules
• Social Engineering Indicators (SEI), which uses simulated social engineering breach attacks such as spear-phishing and phishing emails to train people how to identify hacking attempts

These training tools significantly improve retention and understanding of the material, particularly with respect to security awareness. Both training techniques are ongoing and not one-time events. The goal is to get the workforce thinking conscientiously in a hyper-connected world with mostly friendly, but some malevolent people.

To complement improved training techniques, technology and improved practices can make things easier for the human firewall:
• Email gateways with sophisticated malware, virus, phishing and spear-phishing detection
• Next-generation Layer-7 firewalls that can detect social engineering attacks
• Practicing good network security "hygiene" by limiting permissions for network shares to only those roles that require access
• Processes that require two-person approval of payment requests with appropriate due diligence based on the payment size
• Systems and tools for device/asset management that can deal with lost or stolen devices containing corporate data
• Human-friendly policies and incident management that allow for mistakes and reporting incidents
• Monitoring and measuring effectiveness of security awareness and rewarding people who do well

The human firewall is the first and last line of defense for an enterprise, and with that in mind, appropriate investments and sponsorship should be made for security awareness training across the enterprise. Neglecting the human firewall could result in a security breach that would negatively impact intellectual property assets, revenue streams, corporate image or brand, resulting in the catastrophic failure of the organization.

By Scott Murphy
email: scott.murphy@dataperceptions.com | twitter: @ScottMurphyDP | linkedin: https://ca.linkedin.com/in/scottmurphy | web: www.dataperceptions.com

First Published May 31st, 2017   no jitter - "SCTC Perspective" http://www.nojitter.com/post/240172684/the-human-firewall-in-a-hyperconnected-world

Scott Murphy has two decades of information technology experience and expertise in project leadership, risk management, strategic planning, directing technology deployments, managing complete project life cycles and enhancing operations through change management and process improvement.  He is the VP of Business Development at Data Perceptions Inc. and is an active member of the SCTC (Society of Communications Technology Consultants Association International) – www.sctcconsultants.org

 

Disruptive Technology and Innovation Affects Everyone By Scott Murphy and Eric Sundin

2014-08-12

Disruptive technology and innovation affect everyone: personal lifestyle, business, and the global economy. “According to the Innosight study of almost a century’s worth of market data, corporations in the S&P 500 in 1958 lasted in the index for 61 years, on average. By 1980, the average tenure had shrunk to about 25 years. Today, it stands at just 18 years based on seven year rolling averages.”* The rate of change in business marketplaces has accelerated drastically in the last 50 years, driven primarily by technological change. For a business to keep pace and survive, strategic planning is more important now than it has ever been.

What is clear is that innovation is not accidental; it is a key part of a business’s strategy. “Ultimately, the challenge faced by all companies is to grow at or above the pace of their industry without losing control of their operations. The Innosight study shows that very few companies achieve this goal.”** If they are going to grow faster than their competition, they must do something substantially different, much the way a start-up functions. They must look at their industry for opportunities to take strategic risks and innovate their products or services faster than their competition. This requires the C-level to view innovation within the business as strategic and important to the long-term success of the business. They must back innovation with both strategic and financial support.

“So the relationship between strategy and innovation is vital, and the important role that innovation plays in transforming the concepts of strategy into realities in the marketplace tells us that none of these companies could have succeeded without innovation.”***

The reality is that strategic innovation is no longer optional if a company is going to be successful; it is becoming vital.

Scott Murphy, BMath, CMC and Eric Sundin, P.Eng are senior project strategists at Data Perceptions Inc. (www.dataperceptions.com)

Data Perceptions is a leader in Technology and Operations (Tech & Ops) consulting services, delivering strategic and operational enhancements through the use of: technology, innovative methodologies, and a skilled talent community.

*Innosight – Executive Briefing Winter 2012
**Innosight – Executive Briefing Winter 2012
***Why Innovate: The Link Between Strategy and Innovation, By: Langdon Morris