NIST (The National Institute of Standards and Technology) recently released a draft guidebook called Cybersecurity is Everyone's Job. It is certainly hard to argue with the title! The guidebook was created for business owners and leaders, but it's also helpful for those serving functional roles in human resources (HR), IT, legal — and even sales and marketing.
Undeniably, employees represent the "largest attack surface" of most organizations. Common business activities — such as product and service delivery, payroll, accounts payable, communicating with customers and suppliers and resource management — frequently expose organizations to cyber risk, which is why a cybersecurity culture is so critical.
Mindset is also a key driver of human behavior — so proper attention must be paid to evaluating and addressing employees' mindsets (and no, they can't sacrifice security for convenience) as part of a broader security-awareness campaign. Also, due to the rise in attacks leveraging social engineering, organizations should seek to educate their employees about such attacks and thereby "harden" their security. Hardening the technology is (sigh) a lot easier.
The handbook's recommendations for action include:
- Understanding cybersecurity well enough to enable sound decision making;
- Including cyber risks in the enterprise risk management (ERM) process;
- Developing and maintaining organizational information security policies and standards;
- Promoting the development of effective cross-functional teams to accomplish cybersecurity goals for the organization; and
- Protecting sensitive strategic, financial, legal and risk information.
It's only 26 pages, which is not terribly intimidating – and it may be very helpful to those who do not yet have a cohesive plan for addressing cybersecurity.
E-mail: email@example.com Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology