
Creating a Cyber Security Culture

Culture eats structure for breakfast.

Peter Drucker

Culture is one of the most important factors in the success of any business, whether it has one employee or a million. Without a culture of reducing cyber risk, there is little else a business can do to protect itself.

No matter how many policies, strategies, and tools are put in place, a business that doesn’t honor those strategies is destined to fail. Or at least, it has a high likelihood of being hacked.

So what is culture? Culture is to a group as mindset is to an individual. Culture is the personality of the organization. There are organizations that are more focused on making money than on providing a great product, and there are the opposite. There are companies that are focused on staying busy, or looking busy, and there are companies that want the best for their employees. There are dysfunctional companies, and companies that would rather you be solely dedicated to the company and not to yourself.

If you ever wonder what the culture of a company is like, check out glassdoor.com, pick a company, and read some of the employee reviews. It may shock you.

Why is culture so important? If the culture of an organization does not call for being risk aware, risk will never be a topic of discussion.

The failure of Bear Stearns and the failure of Enron can be directly linked to their cultures. Both companies were so focused on image and on making money that good decisions and investments went out the window.

On the other hand, Berkshire Hathaway has a culture of only investing in what they know and understand, and of not taking risks in industries that they do not understand. That culture made Warren Buffett one of the richest people in the world.

Building a culture that promotes cybersecurity and welcomes cybersecurity principles will lower the risk of being a target of hacking. And it all starts with communicating.

“Culture does not change because we desire to change it. Culture changes when the organization is transformed – the culture reflects the realities of people working together every day.”

Frances Hesselbein

Changing the realities of an organization starts with communicating the vision of what is possible. It is the possibility of something better that gets people to buy in to the idea and the vision. Change for change’s sake does not create change. Human nature will have us return to what we know if there isn’t a compelling reason to do something different.

The dynamics of the group hold the key. The more people who believe in the vision and want to be a part of a bigger cause, the stronger the gravitational pull that can change an entire organization.

In the 14th law of his book “The Laws of Human Nature”, Robert Greene talks about group dynamics and how they are ingrained in our nature. As humans we are social creatures, and what many of us fear most is being ousted by the group we belong to.

Where we work is very much a group we belong to, and we do not want to be viewed as an outsider or as someone who does not conform. This is what culture creates in an organization.

It is up to the leadership of any organization to set the culture. It is leadership, and building a following around a possibility, that establishes a culture of security.

To make this change, create a vision, share that vision, and keep sharing the vision until you start to build a following. This will start to shift the culture of the organization.


Basics of a Structured Cybersecurity Program

For more information, see the National Institute of Standards and Technology (NIST) publication 7621.

Creating a cybersecurity program for a small business is straightforward. There are five functions that every security program must address.

The first step in any good cybersecurity program is to identify and assess the assets that pose a risk to the organization (such as computer systems, people, data, facilities, etc.).

In the process of identifying these assets, it is critical to understand the importance these assets have to the objectives of the organization. This information will be used to define the organization’s risk strategy.

Once the assets have been identified and classified by their importance to the organization’s objectives, safeguards must be developed and implemented to ensure that critical services are delivered. This is the protecting function.

After protecting the critical systems, data, and assets, the next step is to develop and implement the appropriate policies, procedures, and systems to detect events that could impact the critical systems and processes.

Once risk events are detected, how are they responded to? Proper policies and procedures for handling events must be created, followed, and communicated to all parties.

When a risk event has been detected and appropriately responded to, the recovery process is started. The function of recovery is to make sure the critical systems are functioning normally and that improvements to the environment are evaluated.

This is a very rudimentary outline of creating a cybersecurity program. There are many steps and processes between each function. The NIST publications describe the different steps in much more detail.

I recommend reviewing and familiarizing yourself with these documents before implementing a structured cybersecurity program. These frameworks are great guidelines.


How Email Works

It is not secure

Email has become one of the most prevalent ways we communicate electronically. Hundreds of billions of emails are sent every day, and every one of them should be treated as not secure: someone other than the intended recipient could read it. This is why important information should never be sent via email.

Why?

It is because email was never designed with security in mind. Many of the email providers out there, like Google’s Gmail and Microsoft’s Outlook, implement security measures to protect your email, but they are not foolproof.

The issue comes down to the fact that emails are not encrypted by default. Extra technologies have to be implemented to make email secure.

Email is similar to our post office system.

  1. A letter is dropped off at the post office.
  2. That post office then sorts the letter by region. If the letter can be handled by that post office, it stays there and is delivered the next day. If not, it is moved to a regional sorting site.
  3. There, the letter is sorted by region again.
  4. If the letter’s destination is within that regional sorting area, it is moved to the closest post office, sorted by neighborhood, and then delivered.
  5. If not, it is sent to the regional sorting location that handles the destination address.
  6. The letter is received at that regional sorting site, sorted by local post office, and then delivered.

Our email system works in a very similar way with a few big differences.

The first one, and it is a big one, is that an email does not come in an envelope. An email is more like a postcard than a letter: anyone who touches that postcard can read its contents.

The second one is that there is no single governing body that handles the delivery process. When an email is sent, you have no control over who will touch that email before it lands in the recipient’s mailbox. It would be like our postal system randomly handing your letter to just anyone who said they could get it to you.

Scenario:
Let’s say you need to send some tax information to your CPA. You log in to your Gmail account and send the email to, let’s say, YourCPA@TheBestCPA.com.

When you hit send, Gmail packages that email up, looks at the domain name you are sending it to (TheBestCPA.com), and finds the IP address (83.183.115.106) of that domain’s email server.

Gmail then sends that email to that IP address and the server then holds that email until it is picked up by the recipient.

Here are the Issues:
First, as I said earlier, an email is more like a postcard than a letter. It is in plain text, with no encryption by default.

Issue 1: If the connection, in this case between Gmail and TheBestCPA.com, is not secure, anybody watching the connection between those two companies could read that email: the internet service provider, the government, or any bad guy.
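As an added illustration of Issue 1 (example code, not part of the original post), the script below parses a constructed capture of the SMTP delivery from the scenario and shows what a passive observer on the path between Gmail and TheBestCPA.com can read when the session is not upgraded to TLS with STARTTLS, and what it can read when it is. The server hostnames, the sender address and the message content are assumptions.

```python
from email import message_from_string
from email.policy import default
# Constructed capture of one SMTP delivery, Gmail -> TheBestCPA.com (the post's
# scenario): "C:" lines come from the sending server, "S:" from the receiving one.
CAPTURED_SESSION = """\
S: 220 mail.TheBestCPA.com ESMTP
C: EHLO mail-gmail.example
S: 250-mail.TheBestCPA.com
S: 250 STARTTLS
C: MAIL FROM:<you@gmail.com>
S: 250 OK
C: RCPT TO:<YourCPA@TheBestCPA.com>
S: 250 OK
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: Subject: Tax documents
C:
C: Hi, my SSN is 000-00-0000 (placeholder, not a real number).
C: .
"""
# Same opening, but the sender issues STARTTLS: after the 220 every byte is TLS ciphertext.
UPGRADED_SESSION = CAPTURED_SESSION.split("C: MAIL FROM")[0] + \
    "C: STARTTLS\nS: 220 Go ahead\n<remaining bytes are TLS ciphertext>\n"
def parse_session(transcript):
    """What a passive observer learns from a captured SMTP dialogue."""
    info = {"extensions": [], "starttls_used": False, "message": None}
    body, in_data, after_ehlo = [], False, False
    for raw in transcript.splitlines():
        side, _, line = (p.strip() for p in raw.partition(":"))
        if side != "C":                                  # server reply (or noise)
            if side == "S" and after_ehlo and line.startswith("250"):
                info["extensions"].append(line[4:])      # "250-EXT" continues, "250 EXT" ends
                after_ehlo = line[3:4] == "-"
        elif in_data and line == ".":                    # a lone "." ends the message
            in_data, info["message"] = False, "\n".join(body)
        elif in_data:
            body.append(line)
        elif line.upper().startswith("STARTTLS"):        # from here on the capture is ciphertext
            info["starttls_used"] = True
            break
        else:
            cmd = line.split(" ", 1)[0].upper()
            after_ehlo, in_data = cmd == "EHLO", cmd == "DATA"
    return info
def what_observer_sees(transcript):
    """Return (tls_upgraded, subject, body); None means the observer cannot read it."""
    info = parse_session(transcript)
    if info["starttls_used"] or info["message"] is None:
        return info["starttls_used"], None, None
    msg = message_from_string(info["message"], policy=default)
    return False, str(msg["Subject"]), msg.get_content().strip()
```

Note that the server in the capture advertises STARTTLS, yet the message is still exposed: the protection only exists if the sending server actually uses it.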

Issue 2: Since we do not know where TheBestCPA.com’s email server is located, nor who administers it, we do not know how well protected that email server actually is. We do not know whether the emails stored on the server are encrypted. If the email server gets hacked, all of the emails could be readable.

Solution:
The solution is not to stop using email. Email is a reliable mechanism for sending information; it is not a reliable mechanism for sending secure information. The only way to send secure information is to use encryption, and not all email systems support encrypted emails.

If anyone, whether a doctor, a CPA, a bank, or anyone else, requests that you send personal information such as Social Security numbers, bank account numbers, or photos of a driver’s license or passport, ask for a secure location where you can upload it. Do not send it via email.