Every business should be able to answer "Yes" to these 3 security questions

LinkedIn instructor Dr. Gregory Michaelidis has spent nearly two decades working at the intersection of national and homeland security, communications, and public policy. In 2017, he created the Security Awareness Lab with two goals in mind: to help groups and individuals assess and understand their likely security risks and vulnerabilities, and to use the art and science of communications to equip people with practical knowledge to be safer, more secure, and more resilient. From 2009 until 2016, Michaelidis served as a key Obama administration communicator on security, public safety, and community preparedness issues.

I've asked Gregory to offer his perspective on emerging security threats, potential pitfalls of end-user security training, and the most important security policy changes coming this year.

Q: You’ve been writing about and consulting in the area of homeland- and cybersecurity for more than a decade. What are some of the biggest pitfalls of end-user security training?

Gregory Michaelidis: I’d point to two kinds of mistakes organizations make with regard to their employees. The first is taking a top-down, “command and control” approach to security. That means keeping all discussion of security within IT departments and then, essentially, “delivering” security to end users without their input.

A second, related pitfall is treating end-users as the “enemy.” Too often, managers and executives offer employees insecure devices, poor guidance or training, and little context for the value of the information they handle. When inevitable security lapses happen, the users are blamed for the very failures for which they were set up by company leaders.

Instead, the users are blamed for security lapses. By that I mean instead of making users part of the solution - through incentives or rewards for helping improve the organization’s information security - management instead offers poor guidance as to how to manage the company’s information.

Q: Let’s talk about smaller organizations. What advice can you offer to small businesses without large security teams?

GM: I think getting the “human factors” right, and really looking to build a culture of security is important for small organizations. As I noted in Chapter 5 of my course on LinkedIn Learning, the Small Business Agency has a number of tools to help. And following the most basic best practices will go a long way toward making your business a harder target:

  • Use two-factor authentication
  • Use a strong passphrase
  • Continual patching
  • Application whitelisting of “good” apps
  • Limit user privileges
  • Limit remote access by third parties
  • Limit public-facing IP addresses

Finally, if your business fits within one of the sixteen sectors that make up our critical infrastructure - like energy, water, transportation - there is a lot of help available from both the National Institute for Standards and Technology, or NIST, and the Department of Homeland Security, or DHS.

Q: What are some ways that an organization can provide security awareness training that is empowering and engaging rather than dry, irrelevant, or belittling?

GM: In my view, the goal should be to build an actual culture of information security within an organization. There are more options today for in-person or live online security training that are a big improvement over the old “slide-deck-followed-by-a-quiz” approach.

Another great, free tool is Security Planner. Here, users answer questions about their devices and digital habits and receive advice tailored to them. It can be great for organizations to share this, and there are no privacy concerns since no personal information needs to be shared.

Q: What are the top three security questions that every business should be able to address?

GM: Here are my three. If the answer to any is “no”, that points to a problem.

  1. Does our top information security person have access to the company CEO and/or board of directors?
  2. Is our IT leadership working with our communications and employee relations teams to ensure security protocols and updates are getting through to people in a clear, timely way?
  3. Do employees tend to roll their eyes at the mention of information security? 

Q: What emerging security risks most concern you?

GM: The rush toward putting connected devices everywhere - on our wrists, in our homes, even in our toys - is happening too quickly and with too little concern for security and privacy. We saw that just this month with a report on how troops wearing fitness trackers were inadvertently giving away the location of sensitive military facilities. 

Q: Looking ahead to the remainder of 2018, what security policy changes will have the greatest impact on organizations?

GM: I would say that as the European Union’s General Data Protection Rule, or GDPR, comes into force this year, any businesses with customers or data in EU countries will need to adhere to much stricter privacy laws than they’ve been used to.

Additionally, I’m keeping an eye on how big social media companies, especially Facebook, Twitter, and Snapchat, address the serious issue of manipulation of their platforms by groups posting false propaganda, hate speech, and personal attacks. While the companies have taken some steps to address these longstanding problems, it’s opened a wider debate about whether they’re merely neutral mediators, media companies, or something else altogether.

Feedback? Plus a free course!

If you'd like to weigh in on these questions, please add your contributions to the comments section. And for more from Greg, check out his first course, IT Security: Key Policies and Resources, on LinkedIn Learning. It's free through February 15th.


Kathy McShea Erville

Strategic Communications Professional

7 years

Great synopsis Greg!

Gregory Michaelidis

Security Awareness Lab LLC

7 years

Thanks, glad you found it useful

Mark Williams

Insurance Law Specialist | Public Liability | Professional Indemnity | Life Insurance | Defamation Lawyer

7 years

Thanks for shedding some light on cybersecurity, very timely.
