Lessons from Anthem: Make Every Employee Part of the Cyber Security Team
By now, many of us in the cyber security world are combing through a litany of materials to analyze the causes, motives and methods of the Anthem data security breach that turned the health insurance conglomerate upside down and affected more than 80 million people.
There’s a great deal of talk as to how such an instance could have occurred. Understandably, pundits are pointing to the fact that the consumer information in Anthem's database was not encrypted. Yet while data encryption is a key component of any comprehensive security plan, encryption wasn’t the biggest issue in the Anthem case. In fact, it's only one tool in a chief information security officer's (CISO) arsenal to prevent such threats.
Incorporating defensive security measures
The more crucial defensive security measure, I believe, occurred in the way Anthem detected the breach, and in what that means for how organizations should leverage all resources to combat cyber threats: At Anthem, a nonsecurity employee made the discovery when he noticed that his database credentials were being used to run a query he had not originated. In retrospect, it’s unclear how much longer the infiltration would have gone unnoticed had it not been for him.
Here’s the point to take home. The average time for an organization to detect a breach is 209 days, but maintaining a work environment where everyone is conscious of security could significantly reduce that time and the overall losses. The National Security Agency (NSA) headquarters is a good example of a well-thought-out overall security posture (the Edward Snowden issue notwithstanding).
You can't walk more than 20 feet into the NSA's headquarters without a random worker stopping to ask where your badge is if one isn't visible. Seventy years ago, the famous World War II posters exclaiming "Loose Lips Sink Ships" were meant to enforce the idea that everyone must be concerned about operational security. That's still true today: The key is to create a corporate culture of detecting anomalies that might become real threats and to involve every employee, not just the IT department.
In other words, incorporate cyber security sensitivity into your overall corporate culture. Organizations such as the NSA, banks, etc. have, out of necessity, incorporated a sense of physical security into their corporate cultures, and today more organizations are feeling an increasing and pressing need to incorporate cyber security sensitivity into their cultures as well.
Putting it more bluntly: Organizations are usually hacked from the inadvertent, nonmalicious, but nonetheless unsafe activities of its employees.
Four cyber-security scenarios to watch out for:
1. Employees showing their public Facebook accounts which disclose their complete name and date of birth could provide a cyber predator the tools to potentially obtain a social security number among other essential information to successfully infiltrate your company's business and personal accounts.
2. “Shadow wi-fi accounts” that show up in public places, such as a conference hall or hotel, prey on mobile devices set to connect to the nearest open network. Such seemingly reputable access points convince business travelers to unintentionally expose company information residing on their iPhone, iPad or laptop.
3. Passwords are tough to remember, so people write them down on a notebook or unencrypted file on their computer or phone. This common mistake opens their accounts to an attacker who needs to do just a minimal amount of work.
4. An employee who receives an email from a stranger or sees an ad on a legitimate website clicks on a link and instantly permeates malware throughout the company’s network. This isn't a malicious act: The teammate just didn't realize how harmful that one click could be.
Four ways to incorporate cyber security into your company culture:
1. Emphasize to your entire staff safe computer practices that go well beyond lists of inappropriate websites to surf during office hours.
2. Give the same care and concern to cyber-security activities for employees as you give to safety measures surrounding use of the office building after hours.
3. Train all employees on good cyber "hygiene" (i.e., how not to click on links in emails; how not to keep passwords in an open digital or physical medium, etc.).
4. Limit the administrative reach available to regular users. This requires a not-insignificant amount of employee process modification and change management, but is key for a company to manage its cyber risk.
These moves don't mean that organizations should ignore their network architecture, security patch programs, disaster recovery policies and threat-management system deployment.
These elements remain crucial. However, implementing security measures only through the IT department and failing to address the overall need for cyber security sensitivity as a core component of the company’s corporate culture is like locking the doors in your house but leaving the windows open to let the outside air in.