Personal SecOps: Powering the Human Firewall
Inside the walls of your business, managers, secretaries, and salespeople alike are all protected by your organization’s digital defenses. But outside the organization, those same defenses may not follow them and their devices to the coffee shop, hotel, or home office where they are doing their work.
Cybersecurity is not all about ones and zeros. It is also about building a culture and thought process that users of all types take with them whether they are traveling overseas for a sales meeting or sitting at home.
The end goal of strong cybersecurity training is to create the human firewall, turning employees into active security defenses for the enterprise as they surf the Web and make decisions about sharing data. Through an effective security awareness program, these employees will have the necessary knowledge to navigate a constantly changing landscape of compliance regulations and security threats.
Personal SecOps: Powering the Human Firewall
The actions that the human firewall takes can be thought of as Personal SecOps. Similar to how the goal of the DevSecOps movement is to infuse security throughout the DevOps approach many organizations are taking to improve their agility, Personal SecOps leverages a security-conscious mindset to reduce risk without sacrificing productivity. By practicing effective Personal SecOps, security gets extended across every sphere of risk the employee touches, from the handling of sensitive data to identifying phishing emails.
At MediaPRO, we consider risk across eight vectors: cloud computing, phishing awareness, malware identification, incident reporting, remote working, identifying personal information, acceptable use of social media, and physical security.
Strong Personal SecOps requires understanding the nature of the risks you face. Each of the risk vectors mentioned above has its own challenges. Perhaps the most critical among them is understanding what data is considered sensitive and ensuring it is properly handled. This is not just a challenge for individuals. Even organizations sometimes fail to control access to sensitive information, particularly as they deal with shadow IT and ever-expanding volumes of data. Failing to identify sensitive documents or material can lead to them being leaked accidentally or, just as bad, destroyed when compliance regulations mandate that they be kept on hand.
Our 2018 State of Privacy and Security Awareness Report, which surveyed more than 1,000 employees in the U.S., revealed that when asked how best to dispose of different types of sensitive information, many employees chose the riskier of the two options given. In one case, 59% chose to throw a password hint left in public view in the trash rather than destroy it in a shredder. However, most participants did correctly choose to dispose of unneeded documents with employee Social Security numbers and driver’s license information in a secure shredder.
Our 2018 State of Privacy and Security Awareness Report also uncovered that some 21% would connect to free public Wi-Fi in a café to complete work-related tasks. In a separate scenario, 84% said connecting to their company’s VPN is a security measure that should be taken when using public Wi-Fi. Extrapolating from those figures, that leaves a not-so-insignificant number of people who would be using an unsecured Internet connection to handle company business, leaving them open to man-in-the-middle attacks and data theft.
Make Security a Business Enabler
As the numbers show, Personal SecOps is not just about recognizing attempts at social engineering. The level of caution that users show when they receive a suspicious email needs to also drive them to make sure their desktops, laptops, and smartphones are up to date with the latest patches. It needs to follow them when they are deciding whether to reuse the same password across multiple sites, or whether they use a VPN when working remotely.
By practicing Personal SecOps, users can maintain productivity and reduce corporate risk. Done right, Personal SecOps is a business enabler and provides a layer of security around people and data that allows employees to do their jobs safely and effectively. With smart policies and a commitment to continuous education, your employees can develop and encourage the behaviors that will decrease the likelihood of a data breach disrupting your business.