Like the sheriff in a frontier town, Robert Renzulli could not be everywhere at once, and he could not take on the outlaws by himself. So the onetime chief information security officer (CISO) for the Port of San Diego empowered his employees to fight beside him.
He recalled that effort at the start of October, which is National Cybersecurity Awareness Month.
The modern-day bandits? Those were bad actors lurking in the computer networks (including the two Iranian nationals who locked up the port’s computer system and demanded a ransom in 2018).
To face the bad guys, Renzulli made his fellow port employees into cyber deputies.
Renzulli not only gave his employees badges (at least the metaphorical kind), but he encouraged and empowered them to take care of his organization’s networks. For those who felt they were least qualified to fight, Renzulli asserted that yes indeed, they had something to offer. In fact, they were the front lines of cyber defense.
Part of the Culture
In the third decade of the 21st century, cybersecurity has to be a part of an organization’s culture. No one can do it alone.
“The technical folks can only do so much,” said Chase Franzen, another local cybersecurity professional. Cybersecurity requires everyone’s eyes and ears, said Franzen, the CISO for Sharp HealthCare.
Verizon’s 2022 Data Breach Investigations Report notes that human error is responsible for 82% of data breaches, said Lisa Easterly, a third San Diego cybersecurity professional.
“This is actually good news for businesses,” said Easterly, president and CEO of the Cyber Center of Excellence. “Creating an organization-wide culture of cybersecurity awareness through employee training and cyber hygiene is both cost effective and dramatically reduces the risk of a breach.”
Franzen has similar thoughts.
“We often say the people are the weakest link in cyber,” he said. “They can also be our strongest link.”
Green, Yellow, Red
There are ways to build such a culture of good cybersecurity hygiene, said Renzulli, who now runs his own business, CyberGeist Security LLC.
He says IT leaders should reinforce their cybersecurity messages often. In large organizations, the marketing or public relations teams can get involved in such efforts.
One approach is to send messages labeled in what he called “traffic light protocol.” A green message will be purely informational. A yellow message will be a notice that there may be trouble, such as phishing attempts (an attempt to trick a recipient into clicking a malicious link or attachment that installs malware or harvests login credentials). A red message will indicate there has been a breach, perhaps at a competing company or close by in the supply chain. The red message might include details of how the adversary got into the organization. The name coincides with the Traffic Light Protocol used by FIRST and CISA, where the colors mark how widely a piece of threat information may be shared rather than how serious it is; an organization adopting Renzulli’s scheme should make clear which of the two meanings its staff are reading.
A CISO’s job is much like a parent’s, keeping the lines of communication with their children open and warning of possible dangers. Of course, to be effective, the CISO has to stop short of nagging.
Renzulli also advocates recognizing wins or successes, and not penalizing employees for going to IT for help.
Both Renzulli and Franzen recommend employees trust their instincts.
Handling email requires a healthy amount of skepticism. Is that person really who he says he is?
“Most people want to be helpful,” Renzulli said. “That’s how social engineers get in.”
Challenging the person who sent a suspicious email can be done in a professional and non-confrontational manner, Renzulli said. “It’s OK to say, who do you work for again? What project? Who do you report to?”
If something feels wrong about a situation, a person is probably wise to consult their IT team, the experts said.
Building a Better Password
During October, the nonprofit National Cybersecurity Alliance and the federal government’s Cybersecurity and Infrastructure Security Agency remind the public of certain key cybersecurity practices. One of them is using strong passwords. The alliance also recommends using a password manager program, which can store multiple complex passwords.
When it comes to passwords, complexity may not be the best policy.
Following a formula (a password must contain upper case and lower case letters, as well as numerals and symbols) can create passwords that are “incredibly difficult for people to remember,” Franzen said. “Our brains can only hold so much.”
Both Renzulli and Franzen suggest pass-phrases rather than passwords. Try five to six random words, Franzen said. People working on computer systems that lack the ability to put a space in passwords can use special characters instead of spaces, Renzulli said.
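The advice above, five or six random words joined by spaces or, where spaces are not allowed, by a special character, is easy to get subtly wrong: the strength comes from choosing the words with a cryptographic random source from a large list, not from the separator or from the characters involved. The following Python program is an added example, not code from the article or from the people quoted in it. The word list embedded here is constructed for the example and is far too small for real use; the 7,776-word figure is an assumption standing in for a published diceware-style list such as the EFF large word list, which the program does not bundle.

```python
"""Passphrase generator with an entropy comparison (added example, not from the article)."""
import math
import secrets

# Constructed word list, only so the example runs offline. In practice use a
# published list of thousands of distinct words; the generator accepts any such list.
WORDS = [
    "anchor", "basket", "cactus", "dolphin", "ember", "falcon", "garden",
    "harbor", "island", "jigsaw", "kettle", "lantern", "meadow", "nectar",
    "orbit", "pepper", "quartz", "rocket", "saddle", "timber", "umbrella",
    "velvet", "walnut", "xenon", "yonder", "zephyr", "bridge", "candle",
    "desert", "engine", "forest", "glacier",
]

# Assumption for the comparison below: the size of a real diceware-style list.
EFF_LARGE_LIST_SIZE = 7776


def generate_passphrase(words, count=5, separator=" "):
    """Return `count` words chosen uniformly and independently from `words`.

    secrets.choice draws from the operating system's CSPRNG; random.choice
    would be predictable. Words may repeat, which keeps the entropy math exact.
    For systems that reject spaces, pass a separator such as "-" or ".".
    """
    if count < 1:
        raise ValueError("count must be at least 1")
    if len(set(words)) != len(words):
        raise ValueError("word list must not contain duplicates")
    return separator.join(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(word_count, list_size):
    """Entropy of word_count words chosen uniformly from a list of list_size words.

    The separator contributes nothing: an attacker is assumed to know the scheme.
    """
    return word_count * math.log2(list_size)


def char_password_entropy_bits(length, alphabet_size=95):
    """Entropy of a truly random string of `length` printable ASCII characters.

    95 is the printable ASCII alphabet. Human-chosen "complex" passwords that
    merely satisfy a character-class rule fall well below this ceiling.
    """
    return length * math.log2(alphabet_size)


def compare(word_count=5, list_size=EFF_LARGE_LIST_SIZE, char_length=8):
    """Return (passphrase_bits, password_bits) for a side-by-side look."""
    return (passphrase_entropy_bits(word_count, list_size),
            char_password_entropy_bits(char_length))


if __name__ == "__main__":
    print("space-separated:", generate_passphrase(WORDS, 5))
    print("no-space system:", generate_passphrase(WORDS, 6, "-"))
    pp, pw = compare()
    print(f"5 words from a {EFF_LARGE_LIST_SIZE}-word list: {pp:.1f} bits")
    print(f"8 random printable characters:       {pw:.1f} bits")
    print(f"5 words from this toy list ({len(WORDS)} words): "
          f"{passphrase_entropy_bits(5, len(WORDS)):.1f} bits")
```

Run as a script, it prints two sample passphrases and the comparison. Five words from a 7,776-word list give about 64.6 bits, more than eight uniformly random printable characters (about 52.6 bits), and far more than the same five words drawn from the 32-word toy list (25 bits), which is why the size and randomness of the word source, not the separator, decides whether the advice produces a strong passphrase.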
Do not use the same password for different accounts, the experts said. Attackers collect passwords exposed in earlier breaches and try them against other services, so a password reused across accounts is only as safe as the weakest site that holds it.