Posted by: Linda Tucci
During World War II, when it was discovered that U.S. soldiers were being targeted by the enemy through unconventional means — alcohol, prostitutes — to give up critical information, the military launched an all-out security campaign. “Loose lips sink ships” was one of the campaign’s slogans. There were scores of other materials advising the troops to keep mum, including a document handed to every soldier entering the battle area that listed 10 things never to write home about. The idea, said Jeff Schmidt, was to make soldiers aware of the gravity of the threat and remind them that they — the rank and file — were critical partners in American security.
“We have a lot to learn there,” said Schmidt, founder and CEO at security consulting firm JAS Global Advisors LLC. “Employees need to be trained to feel like they have a stake in maintaining the security of their organizations. They can’t act like they are protected by what can seem like a gigantic security apparatus.”
Schmidt was talking to me about what security experts saw in 2011 that was new or different, and about the threats most likely to plague CIOs this year. He works with a lot of government agencies and Fortune 100 companies in risk-prone industries like defense and energy. While intentional insider threats are “as old as the hills,” in his view it’s the unintentional security threats — those regular old phishing attacks coupled with human error — that pose the clear and present danger. Attacks like the single email attachment, for example, that was crafted to trick the HR department at RSA — a security firm! — and that in a flash compromised millions of the world’s most trusted identification tokens.
His message to CIOs: Educate, educate, educate employees, and make them part of the security team — or ships will sink.
Of course, there’s a problem with that team mentality, as anyone knows who is witness to, say, the current state of politics or to the economic pain heaped on many Americans in recent years or — and here we’re going out on a limb — who has embraced social networking heart and soul. For employees threatened by layoffs, what motive is there to pitch in to prevent the ship from sinking if their part of the ship has already sunk? (In fact, companies have seen insider theft rise, said Schmidt, even among longtime, trusted employees. “Desperation is a powerful driver,” he notes.) Then there is the generation reared on free digital file-sharing, free encyclopedias and the habit of sharing — with everybody. How can CIOs drive home the notion that company data is precious when information has been so devalued and a company’s insiders feel like outsiders?