Before the dawn of the internet, the corporate world did safeguard documents containing sensitive business-related information, but the systems and processes in place were…well, a little different 30 years ago.
Folders containing business-critical information were kept in file cabinets with steel locks. Only business managers with keys to those cabinets could access those documents, which were found in rooms with locked doors. Then there were the security desks set up at the entrance of the building which provided another layer of security.
With a guard at the gate, and locks on both the door and the cabinets, nothing could go wrong, right? But what if it did? Who’s to blame?
Let’s say the guard clears the way for a person to access the building who has a badge that doesn’t belong to them.
Now comes the hard part: accessing those folders. Not only would they need to get into whatever room the cabinets are located in, but they’d also need that key – this time, they’re in luck! The business manager happened to leave the door unlocked, and a stack of those important folders on their desk. One thing leads to another, and the business has been compromised.
If I were to tell you that the security guard at the front desk is to blame for this entire debacle, would you agree? Sure, they were the initial layer of security that the miscreant bypassed, but chances are they don’t know where this sensitive information is located, what it contains, or who’s in charge of it.
Does this scene ring a bell? The way we store and access sensitive information has changed drastically over the years, as has the security surrounding it, but there are still broken processes in place that make organizations vulnerable. This is a sign that it’s time to get back to the basics by making the people within the organization who are close to those crown jewels a part of the security process.
As an industry, we’ve gotten enamored with the idea of raising a big wall and focusing on building a fortress to stop the bad guys on the outside. However, we’ve come full circle and have realized that cyber security and cyber risk are not something you can address with people sitting in a Security Operations Center alone.
As security professionals, we have to get back to focusing on what we’re protecting in the organization, understanding what’s at risk, and holding the people who are asset owners accountable for participating in the process of reducing risk.
What does this mean? It means that the people who have the important information have to take an active role in guarding that information in the digital world, the same way they would in the physical world.
What’s loud and clear is that we need to bring physical-world common-sense best practices into the digital world. This means we have to engage the line-of-business owners as active participants and make them aware of what their risks are. To do so, we as security professionals need to arm them with the information they need to make good decisions and hold them accountable for this culture shift. Only then will they recognize that they are accountable for reducing risk. Until that happens, the business will never be safe.
Business users have to take accountability and an active role in understanding where they hold data that’s sensitive to the organization, and participate in ensuring that it’s secured properly and that the right people are accessing it correctly. Remember, in the physical world it’s not the guy at the front desk who can tell whether the right people are accessing those employee records.
Next week I’m headed to Miami for the big FS-ISAC Summit. There I’ll be presenting on a topic that involves internal information sharing and what I like to refer to as an inside-out approach to security – a strategy I believe can allow any organization to take a proactive stance on protecting their assets at risk. If you happen to be at the event, be sure to stop by the presentation, or visit the Bay Dynamics booth to learn more about how we can automate this process for you.