Organisations will often preach the virtues of stopping a cyber hack from occurring. But in today’s day and age, many argue that successful cyber attacks are inevitable. How can institutions reduce the blast radius when this happens?
I asked a colleague once if he would be willing to speak to our IT department at a lunch and learn event. He was a security professional that was hired to hack companies. He readily agreed and promptly showed up with one of the most memorable presentations I’ve seen.
The presentation was simply titled, “How I Will Phish You.” It wasn’t a question of if he would be successful. It was simply understood he would be. He wouldn’t get everyone, but he would get some – and that was all that mattered.
What was remarkable about his presentation was that it wasn’t a story of how he used super-computer hacking skills to tackle exotic computer programming issues. Rather, it was a story of how people over the last 15 years have become so desensitised to putting personal information online for free that it was simply the easiest way to attack companies.
His job gets easier each and every year simply because the hardest part of securing our personal and work lives rests on the weakest security element we have: people. We’ve been playing to lose.
Online over-sharing can offer a window into an organisation
Since the mainstreaming of computers in the workplace, I can’t think of a single time when someone’s online behaviour impacted a company’s security posture as much as it does today. It’s a tough landscape to navigate. You can warn your colleagues, but at the end of the day, there’s only so much reasonable reach you can have with company policy.
It’s easy to think this is just a matter of personal responsibility, but I think people give themselves too much credit for independent thinking and action in the face of aggressive marketing efforts to solicit personal/confidential information from them.
There’s no barometer for what to share. No intuition. Billions are spent each year building algorithms designed to attract this exact kind of oversharing. Each social media platform for work and life wants to know where I am, where I’ve been, my relationship status, my work status, where I’ve eaten, what I like, who I vote for, and on and on.
We’re rewarded with faster connections online and platforms that cater ever more carefully to what we desire. The most insidious part is that it’s become so automatic that we don’t even stop to ask, ‘Is this really a good idea?’
The best advice I can offer is this: limit your organisation’s blast radius. We don’t talk about limiting blast radius as much as we should, but it’s probably one of the most important architectural efforts you can make. It starts with a simple question: ‘If the worst happens, how can I minimise the impact?’
Here are a few things that can be done to limit the blast radius when an employee is compromised or makes a mistake, whether through phishing, ransomware, or simple carelessness:
1. Enable multi-factor authentication on everything.
2. Remove unnecessary admin rights.
3. Design your networks to limit access to only what’s needed.
4. Plan for the worst and practice your plan. Tabletop exercises can reveal gaps that are easy to fix before the real thing gets you.
Rob Chapman is Director of Security Architecture at Cybera.
The views and opinions expressed in this Viewpoint article are solely those of the author(s) and do not reflect the views and opinions of Fintech Bulletin.