InfoSec Is Everybody’s Business: Building a Company Culture around Cybersecurity
Information security (InfoSec) should be a top priority for all businesses, but the job of an IT professional is more than running a network and making sure hardware and software work properly. It’s about managing people and expectations, and that means translating complex issues like InfoSec into language that every colleague can understand. Without the buy-in from people at every level, any cybersecurity efforts may be useless.
Start by thinking of InfoSec as a series of concentric circles around your data. The outermost ring is your company’s perimeter. You control who enters and exits your premises, and who can go where. In theory, only authorised personnel should be allowed entry, but what happens if an outsider walks in and tries to log into a workstation? How are you protected?
The next circle is your company’s usage policies. How do your colleagues use your equipment? How do they log into your network, databases, and applications? Do they understand and implement your InfoSec guidelines? If you don’t give them the tools to succeed, you’re increasing the likelihood of a security breach.
The easiest way to compromise your organisation is from the inside, and so attackers constantly target your colleagues with phishing emails and malicious links. If you foster a culture of security, however, your workers are less likely to be taken in by the latest scheme.
The innermost circle consists of the technical controls and your visibility and telemetry tools. At this level, you’re taking measures to monitor your network and to block any breaches before they happen. The mean time to identify a data breach is 206 days according to the 2019 Cost of a Data Breach report, and so it’s best to start with the premise that your IT infrastructure may have already been compromised and to build your InfoSec strategy accordingly.
This analogy of concentric circles represents the need to consider “defence in depth” as a key strategy for protecting data. No single control can be relied upon to protect everything, especially in an evolving landscape. It is no longer the case that data only exists behind the physical boundaries of your facilities. Cloud adoption has led us to consider other approaches such as micro-segmentation and the “Zero Trust” paradigm.
A Blending of Corporate Cultures
M247 is celebrating 20 years in business. We started as a hosting provider in Manchester and expanded into the Romanian market in 2012, eventually opening data centres there. In 2016, we were bought out by leading hybrid ISP Metronet UK, and the following year Metronet acquired Venus Business Communications, a London-based fibre provider. In 2018, the group rebranded as M247 before making the natural progression to become a cloud services provider.
As you can imagine, these acquisitions brought together very different corporate cultures and with that some lack of clarity. Our different legacy businesses lacked a unified approach to InfoSec tools and methods. Everyone agreed that we had to take charge of our InfoSec, but there was no consensus on how to do so and our policies were unclear. That’s when our incoming CTO, Kevin Paige, stepped up.
Prior to joining M247, Kevin worked at Manx Telecom, Eircom, and Vodafone. He is also the current chair of the Institute of Telecommunications Professionals (ITP), the UK’s leading industry organisation in our field. He’s kind of a big deal, and he took the bull by the horns.
Putting the Pieces into Place
Kevin promoted me to the position of Information Systems Manager and asked me to devise a strategy that standardised our cybersecurity policies. I spent my first year on the job putting the pieces of our new InfoSec strategy into place.
First, I aligned M247 with the requirements of ISO/IEC 27001 certification. Through a series of compliance audits, my team and I built a holistic management framework to oversee every aspect of our InfoSec. This comprehensive approach incorporated the management of business continuity, human resources, physical documents and assets, and site security. Next, we adopted the five core functions of the NIST Cybersecurity Framework: identify, protect, detect, respond, and recover. This platform-agnostic standard helped us further cement our risk assessment and InfoSec strategy.
Saying something and doing it are entirely different matters. We had our executive team behind the plan, but we still needed to onboard all our colleagues. In order to do that effectively, we wanted to bake an InfoSec mindset into our corporate culture. We had to get all of our people to understand that cybersecurity is essential to the health of the company and that they are part of the solution.
Building a Security Mindset
We started with some positive reinforcement by rewarding colleagues who reported security concerns or recommended solutions. We gave them t-shirts, published their picture in our monthly security newsletter, and gave them shout-outs during team meetings.
We also displayed posters, produced training videos and paired them with online quizzes, and authored interactive phishing simulations that helped colleagues learn how to discern questionable content.
Other companies undergo more formal cybersecurity training, but long-term success requires a different tactic. When an executive team demands that everyone read the InfoSec policies and undergo training because of an external factor such as an upcoming audit, colleagues tend to rush through the material to meet the requirements—then quickly forget it. If you don’t engage your workforce and give them a reason to care about security, they may learn a policy but never truly reflect on it or put it into practice.
Our goal was to find a way to convey the importance of cybersecurity. In the end, we came up with the perfect metaphor: “It’s like locking your front door.” Everybody understands the notion of a front door lock, and nobody wants to come home to discover that their place was burgled. What’s more, this small act of locking the front door upon leaving their home is second nature for most people. Explaining InfoSec using this simple and highly visual connection helped speed up the adoption of new policies amongst our colleagues.
A Fast and Furious Rollout
When you roll out an InfoSec programme, you have to strike hard and fast. You need to ask what is going to have the biggest and fastest impact on your company’s cybersecurity. I looked at things like patch and vulnerability management, but I realised that the best use for my budget in the shortest time was identity and access management. More than 80% of breaches exploit weak or stolen passwords. Controlling logins is the most effective way to reduce security risks.
Even though the landscape across departments was radically different when I took on the InfoSec management position, we all used Cisco infrastructure. We relied on Cisco for everything from networking (Cisco Meraki and Aironet Access Points, Cisco Nexus and Catalyst switches) to security (Identity Services Engine). When I learned that Cisco had acquired Duo, a cloud-based SaaS solution, I saw an opportunity to implement a company-wide identity and access management protocol.
It was a sort of homecoming. We’d been using Duo on a limited basis for nearly a decade after a phone conversation with founder Dug Song to discuss M247’s needs and to examine new ways to expand our use cases.
Duo was the only solution that checked off all the boxes on our list. It is a robust two-factor authentication (2FA) tool that offers reliable security, needs minimal administration, and has an elegant interface. It is the ultimate user-centric, zero-trust solution.
Integrating Duo 2FA into Everything
Duo integrates with our existing tools, and we don’t even have to create colleague accounts for the service. When we add a new user to our Active Directory, Duo retrieves their data and adds the colleague to its user base. When the user logs into our intranet or an application like Office 365 for the first time, Duo sets up their credentials and walks them through the process of creating an account with 2FA on their personal mobile device.
The process is mostly hands-off for my team, even when troubleshooting. Should a user experience an issue, Duo offers interactive online help, including video tutorials and a demo portal that walks them through the resolution of most problems. The platform is big on self-remediation, and we rarely have to step in to provide end-user support. That’s a big plus—especially for a small team like ours.
Duo is easy to scale because it resides in the cloud and we didn’t have to buy any physical infrastructure. We went to their website, signed up for an account, and immediately created an initial pool of 40 users from the original M247 business group. A few weeks later, I added 300 more end users. It was all a matter of pointing and clicking.
It’s good to know that I can add an unlimited number of users in a matter of seconds, especially when you consider the size of my team. My help desk manager is constantly swamped with calls and my other staffer is an apprentice, which leaves me to do most of the configuration work. Duo simplifies that aspect of my job and frees me to focus on higher-level concerns.
Everyone’s Already Familiar with 2FA
Some people think that 2FA is a pain. That may have been true five or six years ago, but now it’s the way of the world. Most people already use 2FA when they do their online banking, among other things. Apple and Google have also integrated it into all of their products and services. It is ubiquitous, and so asking colleagues to use it during the workday isn’t a stretch.
In fact, we allow M247 staff members to use non-company smartphones to authenticate their accounts when they log into company resources. We also encourage our colleagues to use Duo 2FA for personal activities like placing orders on Amazon.
When security is as simple as responding to a push notification on your smartphone or your watch, it becomes a no-brainer. Using a simple and familiar solution means that you don’t have to hound colleagues about implementing a mandatory policy; you’re just asking them to carry on with what they’re already doing elsewhere.
Building on Basic Security
With our identity and access management programme well underway, I am free to focus on protecting our international WAN. We have just completed a new core network using Cisco technology here in the UK. It will serve as a hub that will branch out to our other locations, and I am already thinking about the telemetry and visibility tools that will help us secure it.
We are already in talks with Cisco about Stealthwatch and Umbrella, but our plans are still in the formative stages. However, a cornerstone of our evolving InfoSec strategy is reselling network security services. As we implement new security products and protocols, we will also be looking at developing them as potential products we can offer our customers. We want to pass the benefits of all of our experiences on to our customers.
Bring Everything Into Alignment and Count Your Victories
Cybersecurity starts with bringing all of your people and processes into alignment. Make a business case for your InfoSec needs and, once you’ve obtained buy-in from your executive team, make everyone in your organisation a security partner. Follow that age-old rule of keeping it simple and take the time to congratulate one another when everything works. When things don’t work, step back and figure out what went wrong.
Be pragmatic. Count your victories and reflect on your successes. A few small steps can lead to tremendous rewards.