As we in IT security scramble to put more and better controls in place to combat a changing array of cyber threats, we as an industry are facing an interesting dilemma: How do we assess the usefulness and value of all the controls we have deployed over the years and continue to have in place?
After all, as I talk to people across the cyber security industry, I almost never encounter anyone who can tell me a story about having turned off a security control once they turned it on. Yet, with the changing threat landscape, we clearly need to be adding new security technologies and processes to our already substantial arsenal.
Data-hacking hound dogs beware. EMC recently got a little help from Elvis in battling cyber criminals.
The “King” was at the center of an integrated marketing campaign our Global Security Operations ran this spring to encourage IT users to avoid clicking on suspicious email links that could lead to phishing attacks on our company’s data.
The several-week advertising effort featured a videotaped parody of the Elvis Presley song “Suspicious Minds,” in which ITers acted out why users shouldn’t click on “Suspicious Links.” It also featured a security awareness contest.
The campaign resulted in more than double the number of users reporting phishing attempts via suspicious emails. It also substantially increased the number of users going to our security awareness site, which we call FirstLine in recognition of the fact that the actions of IT users are the first line of defense against cyber-attacks.
In the world of cyber security, we have reached the point where we feel the need to codify security behavior by telling people what to do and what not to do. But sometimes I wonder if security policy should rely on a much simpler approach—the notion that people already have a sense of right and wrong and should be encouraged to use their best judgment.
Certainly, security policies are complex. There are many of them and they are scattered around all over the place. But so is the law. And when was the last time you had to pick up a law book to know what’s right or wrong? In most societies, the law stems from basic commandments. Most of us have those principles drilled into us from when we are young. So we might not know specific laws, but we have a sense of right and wrong.
When I grew up in Glasgow, Scotland, my mother would use a phrase that would drive me insane. When she’d tell me I couldn’t do something I wanted to do and I’d ask why, she would say “that’s not the done thing.” I’d always wonder what this “done thing” was. The done thing was, of course, what was normal for society to do.
It seems like we sometimes forget that people have a sense of right and wrong when it comes to behavior in the workplace. One well-known exception is retail giant Nordstrom which, up until several years ago, used a 3 by 5-inch card as its “employee handbook.” It listed “Rule #1: Use your best judgment in all situations. There will be no other rules.” There was another paragraph inviting employees to ask their managers questions at any time. (Nordstrom still urges employees to use their best judgment but does now hand out a more detailed handbook with rules and legal requirements.)
If you’re like me, you think about cyber security all day, every day. You may even dream about it. It’s why I’m an IT security professional (and probably not the most interesting guy you’ll ever meet).
But since most people have other things on their minds most of the time, it takes a special effort to get them to focus on the importance of IT security. That’s where National Cyber Security Awareness Month—which occurs every October—comes in.
While setting aside a month to promote cyber security may not seem like the most hard-hitting tool to tighten security for your organization, it actually is a great opportunity to do just that. That’s because, more than ever, cyber security is all about people’s behavior, and raising awareness is one of the best ways to have an impact on that.
What we have come to realize in IT security is that policy, compliance and governance alone won’t achieve cyber security for your organization unless people take those policies and rules and use them to make the right security decisions. The reality is that whether it’s people in their homes or in the workplace, we depend on individual behaviors to safeguard IT security—or anything else for that matter. If you don’t lock your door, people can walk straight into your house. If you leave your car unlocked, there’s a greater chance it—or something in it—will get stolen.
IT Proven allows you to leverage Dell IT’s first-hand knowledge and best practices to accelerate your own IT transformation journeys, transforming operations and delivering IT as a Service through the power of cloud computing. IT Proven highlights how Dell IT transformed into an agile, innovative, and competitive service provider.
New, advanced technologies continue to provide a faster, more agile environment. But those technologies – cloud computing, mobile platforms, Big Data and social media – can widen the exposure companies face to potential security threats.
The report also examines four strategic steps enterprises can leverage to strengthen their security programs: how to boost risk and business skills, court middle management, tackle IT supply chain issues and build tech-savvy action plans.
You can learn more about the SBIC Trends Report 2013 by viewing the following video featuring EMC Vice President and Chief Security Officer Dave Martin. We have also discussed related topics in previous blogs on this site, which combined with Dave’s video and the new report, will offer a full picture of security innovations we’ve explored at EMC.
Threat intelligence is king. The more you have, the better positioned you are to protect your organization from cyber attacks.
But staying on top of threat intelligence to fight these sophisticated attackers requires a new, collaborative approach to security—one that most companies and organizations haven’t embraced as yet. We need to be able to continuously share information on the latest cyber attack techniques on malware and email campaigns beyond our own networks in order to defend against an onslaught of external and internal threats. We need to “talk” to each other to warn against the latest tactics.
Getting beyond “defend” mode
Most companies are still in “defend” mode, using the traditional firewalls and other perimeter-based tools to guard their networks and data. While you don’t want to get rid of those old war horses, your company does need to expand its capabilities to defend against and respond to the more sophisticated threats. By tapping into what other organizations are seeing in terms of attack techniques, tactics and procedures (TTPs), you can detect such threats much earlier and minimize damage.
I manage the Critical Incident Response Center (CIRC) at EMC, tasked with defending the company’s revenue stream and future market value from cyber threats. At EMC, we believe we have been able to achieve a uniquely high level of incident response capability using much of our own cutting-edge information security technology.
The opinions and interests expressed on Dell EMC employee blogs are the employees' own and do not necessarily represent Dell EMC's positions, strategies or views. Dell EMC makes no representation or warranties about employee blogs or the accuracy or reliability of such blogs. When you access employee blogs, even though they may contain the Dell EMC logo and content regarding Dell EMC products and services, employee blogs are independent of Dell EMC and Dell EMC does not control their content or operation. In addition, a link to a blog does not mean that EMC endorses that blog or has responsibility for its content or use.