Lessons from Anthem: Make Every Employee Part of the Cyber Security Team

Integrate prevention into your corporate culture.

By Eric Basu

Opinions expressed by Entrepreneur contributors are their own.

By now, many of us in the cyber security world are combing through a litany of materials to analyze the causes, motives and methods of the Anthem data security breach that turned the health insurance conglomerate upside down and affected more than 80 million people.

There's a great deal of talk as to how such an instance could have occurred. Understandably, pundits are pointing to the fact that the consumer information in Anthem's database was not encrypted. Yet while data encryption is a key component of any comprehensive security plan, encryption wasn't the biggest issue in the Anthem case. In fact, it's only one tool in a chief information security officer's (CISO) arsenal to prevent such threats.

Incorporating defensive security measures

The more crucial defensive security measure, I believe, occurred in the way Anthem detected the breach, and in what that means for how organizations should leverage all resources to combat cyber threats: At Anthem, a nonsecurity employee made the discovery when he noticed that his database credentials were being used to run a query he had not originated. In retrospect, it's unclear how much longer the infiltration would have gone unnoticed had it not been for him.

Here's the point to take home. The average time for an organization to detect a breach is 209 days, but maintaining a work environment where everyone is conscious of security could significantly reduce that time and the overall losses. The National Security Agency (NSA) headquarters is a good example of a well-thought-out overall security posture (the Edward Snowden issue notwithstanding).

You can't walk more than 20 feet into the NSA's headquarters without a random worker stopping to ask where your badge is if one isn't visible. Seventy years ago, the famous World War II posters exclaiming "Loose Lips Sink Ships" were meant to enforce the idea that everyone must be concerned about operational security. That's still true today: The key is to create a corporate culture of detecting anomalies that might become real threats and to involve every employee, not just the IT department.

In other words, incorporate cyber security sensitivity into your overall corporate culture. Organizations such as the NSA, banks, etc. have, out of necessity, incorporated a sense of physical security into their corporate cultures, and today more organizations are feeling an increasing and pressing need to incorporate cyber security sensitivity into their cultures as well.

Putting it more bluntly: Organizations are usually hacked through the inadvertent, nonmalicious, but nonetheless unsafe activities of their employees.

Four cyber-security scenarios to watch out for:

1. Employees whose public Facebook accounts disclose their complete name and date of birth could give a cyber predator the tools to obtain a Social Security number, among other essential information, and to infiltrate your company's business and personal accounts.

2. "Shadow wi-fi accounts" that show up in public places, such as a conference hall or hotel, prey on mobile devices set to connect to the nearest open network. Such seemingly reputable access points convince business travelers to unintentionally expose company information residing on their iPhone, iPad or laptop.

3. Passwords are tough to remember, so people write them down in a notebook or in an unencrypted file on their computer or phone. This common mistake opens their accounts to an attacker who needs to do just a minimal amount of work.

4. An employee who receives an email from a stranger or sees an ad on a legitimate website clicks on a link and instantly spreads malware throughout the company's network. This isn't a malicious act: The teammate just didn't realize how harmful that one click could be.

Four ways to incorporate cyber security into your company culture:

1. Emphasize to your entire staff safe computer practices that go well beyond lists of inappropriate websites to surf during office hours.

2. Give the same care and concern to cyber-security activities for employees as you give to safety measures surrounding use of the office building after hours.

3. Train all employees on good cyber "hygiene" (i.e., how not to click on links in emails; how not to keep passwords in an open digital or physical medium, etc.).

4. Limit the administrative reach available to regular users. This requires a not-insignificant amount of employee process modification and change management, but is key for a company to manage its cyber risk.

These moves don't mean that organizations should ignore their network architecture, security patch programs, disaster recovery policies and threat-management system deployment.

These elements remain crucial. However, implementing security measures only through the IT department and failing to address the overall need for cyber security sensitivity as a core component of the company's corporate culture is like locking the doors in your house but leaving the windows open to let the outside air in.

Eric Basu is the CEO of Sentek Global, a provider of government and commercial cybersecurity and information technology solutions. 
