Communicate Tech Changes with the IT Department
CEO Mike Saylor of Blackswan Cybersecurity shared clips Monday from the British sitcom The IT Crowd to highlight society’s view of IT professionals and the importance of communicating with that team. In his session, titled “Cybersecurity is Not Just an IT Problem,” Saylor stressed that the IT department should be kept in the loop about new technologies.
In talking specifically about the Internet of Things devices a company might use, whether for its HVAC system or automatic fish feeder, Saylor said, “Very rarely does the person who bought that to plug it in and make their job better think, ‘What risks did I just introduce? I just put that on our network. I should go talk to the IT guys.’”
All of these IoT technologies are collecting data, and many of them introduce vulnerabilities into a business’s network. If the IT department doesn’t know about a new technology, the team can’t manage and maintain it, patch it or configure it.
“We only call IT when things are broken and rarely look at them as forward-thinking,” Saylor said.
Not only do teams need to communicate with the IT department, they also need processes in place for companywide communication to ensure companywide security. These processes and policies should come from the top down and should start with training, but Saylor shared a case study in his presentation that proved training alone isn’t enough.
Why Training Alone Does Not Prevent Effective Social Engineering
An East Coast-based healthcare organization had myriad security controls in place when a two-person crew compromised its physical facility and network. The company had IT controls such as network firewalls, vendor management and secured server rooms, as well as facilities controls that included badge access and monitoring, security guards, cameras, and guest escort requirements. It even required its employees to undergo regular security training.
Yet, in just days, 15,000 hard-copy patient records and 30,000 digital employee and patient records were stolen from the organization.
Video clips recorded by the perpetrators show how they were able to engineer a situation in which one individual was given a master key and a key fob to the building. Although safety measures were in place, processes weren’t followed in the face of the criminals’ lies and manipulation.