Cybersecurity is about relationships (and more)
Takeaways from the interview with Mike McMullens
In the podcast today, one of the biggest takeaways I got was that cybersecurity is about relationships. Mike and I were discussing the need to educate employees on risk factors and threats that they will face as threat actors attempt to gain access to the organization. One of the things he said that blew my mind was that relationships are a huge part of preparing your organization.
Department heads and leaders do not like being told what to do, and they don’t like being intruded upon. When the head of cybersecurity, IT, or physical security comes in to implement a new policy, training program, or process, the department heads may feel intruded upon or invaded. If you are in charge of the data security of your organization, you may be uncomfortable being outgoing, as the stereotype of an IT person goes. You must still be willing to build a relationship with those directors and get them on board with your initiative. If you don’t, they won’t take you seriously, and in turn their staff won’t take you seriously. When that happens, your entire initiative will be ineffective.
Another major point that stood out to me was 2-factor authentication as a regular process. Any time someone receives an email requesting sensitive information or personally identifiable information (PII), they MUST confirm the request with the sender over a different medium of communication. If you get an email, verify it with a text, a phone call, or in person.
Lastly, Mike mentioned something that I had never thought about. Crazy, right? Many IT professionals have never thought about the impact that social media has on their cybersecurity. Even if your network blocks phishing emails and malicious websites, a user may easily expose the organization through phishing messages on social media or on their personal device. Are they storing sensitive data on personal devices? A user may also post information that gives threat actors what they need to execute a well-planned attack. Maybe they shared information about a company you are partnering with. Maybe they shared information about the structure of the organization and who is who in that structure. All of that information helps an attacker socially engineer their target into believing that a phone call, email, text, or other message is real and legitimate.
If you would like to hear more, you will just have to listen to it. Thanks for reading!
Author: Daniel Seguin