This content is part of the Essential Guide: An IT security strategy guide for CIOs

Fight threats to information security: Inform your people

High-profile cyberextortions like the Sony Pictures Entertainment hack in 2014, the one last year on infidelity dating site Ashley Madison and even a lesser-known hack on InvestBank in the United Arab Emirates must have spooked a lot of people.

According to a study released in January by Cloud Security Alliance and security software vendor Skyhigh Networks, 25% of organizations said they’d be willing to pay a ransom to hackers to stop the release of sensitive information, and 14% would pay more than $1 million.

“To me that is disheartening, and it does tell us that both we’re not doing a good enough job in the industry protecting information,” said Jim Reavis, co-founder and CEO of Cloud Security Alliance, “and also that our use of technology is so vast that there are so many threats out there.”

And they keep happening. The Boston Globe reported just this week that the town of Medfield, Mass., paid a ransom after ransomware, malware that encrypts files or locks a computer or device and demands payment to restore access, shut down its computer network for about a week.

I wrote last week about the “culture of security” at Equinix, a Silicon Valley provider of data center space. CIO Brian Lillie described it as a companywide awareness about threats to information security – achieved through relationship building and support from top execs down — combined with an array of technological tools and a CISO to make sure all departments check out.

Now is the time for more companies to take Equinix's lead. Traditional security practices such as backups, and tools such as intrusion detection systems and antimalware, remain essential to a strong security posture. (Backups only blunt a ransomware attack if copies are kept offline or otherwise out of the attacker's reach and restoration is tested before it is needed.) But the fact that organizations are willing to give in to hackers' cash demands, and in practice do, is testament that more is needed.

The human element in information security often gets short shrift. For example, many still believe that training programs don't work and aren't worth spending time and money on. But the best security defenses in the world won't succeed if even one employee can't recognize a phishing email on sight. And today, it's easy for business departments to sign up for a cloud service or install an app on a corporate smartphone without involving IT. People who don't know what's permitted and what isn't are practically courting disaster.

Everyone — from chief executives to business departments to the newest of hires — needs to be keenly aware of the threats out there, how to prevent them and how to counter them if they do occur. The more an organization can instill its people with a security mind-set, the more it can bolster its defenses against an increasingly bold and innovative underground.