Samford University Chief Information Security Officer (CISO) John Bandy discussed the pitfalls of information security during his keynote presentation to Argyle’s CISO membership at the 2018 Information Security Leadership Forum in Atlanta on April 5. In his presentation, “Your Identity in Security – How to Be Effective,” Bandy shared digital identity management tips and best practices.
Security is a top priority for businesses around the globe. Yet companies often struggle to limit the impact of malware, phishing emails and other cyberattacks. If a business cannot resolve cyberattacks quickly, it risks data loss that may impact its brand reputation and revenue. Perhaps worst of all, a single cyberattack may temporarily shut down a company’s operations – something that could cause long-lasting problems for this business, its customers and its employees.
Always Be On Watch
Ultimately, information security professionals should approach security in the same way they would approach a neighborhood watch. If information security professionals encourage all employees across a business to identify cyber threats and respond accordingly, these professionals could help a company minimize the impact of cyberattacks.
“A neighborhood watch assists law enforcement, and it is the eyes and ears for [law enforcement],” Bandy stated. “We can’t do everything as information security professionals. And if we think we can, we’re fooling everybody … and we need the front line to tell us about [problems].”
Security often is problematic both at work and at home. As such, information security professionals can share best practices to help end users secure their sensitive data at all times. A comprehensive security strategy empowers a business to provide its end users with the tools and resources they need to protect a company’s sensitive data. Additionally, this strategy can be designed to provide valuable security tips that end users can apply both at work and at home.
“I don’t want users to have one mentality when they are at home and one mentality when they come to work,” Bandy indicated. “I want [our users] to be thinking about security all the time.”
Understand the Risks
There is no shortage of opportunities available to cybercriminals, either. Hackers can launch attacks on mobile devices, across social networks and on other platforms. Fortunately, end users who know how to prepare for different types of cyberattacks may be better equipped than others to identify these attacks before they escalate.
“Whether it’s on mobile or desktop, [the web] is a minefield,” Bandy said. “I don’t blame users when they get malware … because when you’re surfing the web, you don’t always know what’s going to download onto your machine.”
End users must be able to identify the differences between suspicious and legitimate emails. Yet cybercriminals frequently use advanced attack techniques that can make it tough for end users to do just that. Thus, companies must keep pace with the cyber threat landscape and teach end users about evolving cyberattacks. Phishing emails are among the most prevalent cyberattacks, and end users who understand what to look for in a phishing email may be able to avoid malicious downloads.
“Anybody can be fooled by phishing,” Bandy pointed out. “You can make phishing exercises so tricky that anyone can be fooled.”
End users should download apps from legitimate sources, too. By doing so, they can reduce the risk of downloading apps that contain malware, viruses and malicious files.
“Teach your users why it is important to get a legitimate app from a legitimate place,” Bandy recommended.
Know Your Users
Information security professionals are responsible for learning about a company and its end users. With an informed approach to security, information security professionals can tailor a company’s security strategy to end users. As a result, these information security professionals can work with end users across a business to manage cyber threats.
It often helps to implement a company-wide password policy for end users. This policy may require end users to create passwords that include a combination of letters, numbers and special characters.
Furthermore, a business may benefit if its end users are required to use two-factor authentication before they can log into their accounts. Two-factor authentication requires end users to take an extra step before they can access their accounts, and it may make it difficult for cybercriminals to gain unauthorized access to these accounts.
Information security professionals may want to provide password vault software to end users as well. This software ensures end users can set up different passwords for their accounts and securely store all of their passwords in a single location.
“We’ve got so many passwords, and every system needs them. And we need to do something to help our users out [with passwords],” Bandy indicated.
Visit Argyle Executive Forum's CYBERSECURITY LEADERSHIP FORUM - San Francisco in San Francisco, CA on Mar 19, 2020
How to Build an Insider Threat Program