All for One & One for All

In the cybernetic era, the employees of every organization must realize that defending the organization’s assets includes the protection of their own personal information. An exclusive article by the executive in charge of information security awareness at Bank HaPoalim.


We live in a new era – the cybernetic era. Every day, organizations in Israel and around the world are forced to cope with cyber warfare attacks that grow increasingly sophisticated and, as anyone following the news can see, reports and articles about successful attacks discovered only in retrospect have become a matter of routine.

I would like to outline the facts of this new reality.

Fact 1: the organization’s traditional line of defense, which is based on information security systems, has become vulnerable. Organizational defensive systems in the cybernetic era do not provide 100% protection against cyber warfare attacks. In the cybernetic era, the first line of defense of any organization includes the organization’s employees, clients and suppliers, and the extent to which they are aware of the cyber warfare issue is critical to safeguarding and maintaining the organization’s assets and continued survival.

Fact 2: about 85% to 90% of all successful cyber warfare attacks against organizations begin with social engineering.

Fact 3: most employees go about their daily work unaware of the existing information security risks, in a manner unsuited to the situation in the cybernetic era as information security professionals experience it. In other words, information security awareness, including the ability to recognize attempts to attack the organization through social engineering, is not a top priority for the average employee. In most organizations, employee performance is not measured or graded on this issue.

Fact 4: the day-to-day experience of information security professionals is radically different from that of general employees, on various levels. This gap leads to poor cooperation, to frequent conflicts and, above all, to a separation between the issue of information security and employee awareness. The professional considerations of information security specialists on an extensive range of subjects are sometimes perceived as hindrances along the organization’s path toward developing and promoting projects and new initiatives. This leads to antagonism and alienation between the employees, who regard information security as a barrier to organizational development, and the information security professionals, who block certain initiatives out of the need to protect the organization’s assets.

Most employees fail to understand that the line dividing the concepts “The Organization” and “The Employees” no longer exists. The overall effort of defending the organizational assets includes the effort of protecting the information of the employees. I believe that the Sony Pictures Entertainment hack demonstrated this fact very bluntly. Just to remind the reader, during the Sony hack, the personal details and files of more than 47,000 of the Company’s employees leaked to the web.

While such issues as Phishing and social engineering are of the utmost importance to information security professionals, who often lose sleep over them, most employees are not aware of such issues and will not think twice before clicking on a malicious link, leaving their personal details on questionable websites or opening files that contain malware, viruses or Trojan horses of various types.

Speaking of malware, viruses, Trojan horses or any other term from the cyber world, you should stop for a minute and ask yourselves: how many employees in your organization are even familiar with these terms? How many of them understand their significance or the potential damage they can inflict? All of the examples outlined above, as well as many others I could list, illustrate one main point – as long as no common language has been established between the employees of an organization and that organization’s information security function, organizations will remain dangerously vulnerable to cyber warfare attacks. So what do we do? How can we bridge the organizational awareness gap?

Well, there is no magic solution, but an awareness campaign conducted properly and over a long period of time can be one of the most effective solutions to this problem. To be abundantly clear, an awareness campaign, as effective as it may be, cannot guarantee 100% protection against cyber warfare attacks, but it can make a substantial contribution to minimizing the risk of a successful cyber warfare attack.

The first stage of any campaign of this type should consist of an effort to understand the existing situation. It is important to stress, naturally, that each and every organization has its own nuances, its own typical day-to-day conduct, and risks and weaknesses that are unique to the nature of the organization and the domain in which it operates.

The second stage should involve setting the goals and the length of the awareness campaign. Notably, the campaign should focus initially on the primary findings that emerged from the preliminary effort to understand the existing situation, and constitute an opening shot that reverberates throughout the organization. Additionally, as far as the length of the campaign is concerned, the objective should be for the campaign to run as a long-term effort rather than as a “knockout” attempt. Some of the primary questions that should be answered are: should the awareness issue be regarded as one of the performance criteria by which employees are measured and graded? What will be regarded as a success for the campaign? How should success be measured? From this point on, the road is wide open to running the campaign itself. There are many ways in which the campaign may be implemented, and several of them may be combined. Here are some possible activities: a Phishing campaign, organization-wide lectures, an employee procedure manual, awareness courseware and a quiz, and a marketing and advertising campaign that includes posters, video advertisements and so forth.

A successful organizational campaign is a campaign that fits into the corporate culture, speaks to the employees “at eye level” and blurs the line between defending the organization and defending its employees. Naturally, it must be measurable so that its effectiveness may be determined.

The concept according to which information security systems, as successful as they may be, will provide the organization with 100% protection is no longer valid. Organizations must accept and internalize the new reality, in which the organization’s employees, clients and suppliers are an inseparable element of the organization’s cyber defense line, and in which the awareness of this first line of defense is critical to the continued survival of the organization.

Guy Dagan is the executive in charge of information security & cyber warfare awareness at Bank HaPoalim.