October may be Cybersecurity Awareness Month, but cybersecurity is a year-round effort. It is a constantly moving target, the song that never ends: just when you think you have reached best practice, the best practices have already changed.
That is why fighting cyberattacks requires a shift in how security is understood. Cybersecurity is not simply an IT problem; it is a leadership responsibility and a culture issue. Leaders, it is up to you to develop the security culture in your own organization. By doing so, you equip each user with the tools and knowledge needed to defend themselves, and your employees will understand their role in protecting the organization.
So, how does one influence the security culture of their business? We hosted a webinar to answer exactly this question:
Jennifer Henderson: Hello, everyone. Thanks for joining us today for our live webinar on how to effectively influence your security culture. My name is Jennifer Henderson. I’m the marketing coordinator here at 1Path. Just to give you guys a little idea of who 1Path is, we are a national leader in technology, one of the largest managed service providers in the nation. We are headquartered in Atlanta, Georgia, and we have operations up and down the East Coast. Our job is to advise and consult our small and mid-size business clients on their technology and provide comprehensive support packages to take care of their local area networks and their highly distributed cloud operations.
Jennifer Henderson: One thing that we’re super proud of is that we employ over 700 full-time employees, 250 of whom work as part of our managed services group. We also are proud that we act as a thought leader in the IT space. We often host events just like this to kind of talk about what’s going on in the industry today and the changes that we’re seeing. So one of the things that we got a lot of questions about is how to kind of enforce or build a security culture in the workplace. To answer those questions, we have our speakers today. We have Alena Urruzmendi, who is our success guru here at 1Path, and Eric Ellenberg. So, Eric, I’ll go ahead and let you take over from here.
Eric Ellenberg: Thanks, Jennifer. So, yeah, Eric Ellenberg, who is this guy? So I’m a managing engineer at 1Path. I’ve been with the company going on six years. A managing engineer is the primary point of technical contact for our clients. That’s for technical service. If you have a technical issue with a PC and you want to call somebody for it, that’s my team. Then if you need technical solutions, that’s calling in to your managing engineer and saying, hey, I have this application upgrade coming up. I need someone to help me plan it. Or, hey, I have questions about security, and I need someone to guide me through what I need to do to make my organization more secure.
Eric Ellenberg: So that’s obviously the topic of this webinar today, and we’re so glad that you’ve joined us. We want to take you through this, starting with the current threat landscape. The current threat landscape, you have to talk about what are the things out there that could affect me. How is that the same as it always has been since people have been online, and how is that different now when we talk about modern IT, where everyone is able to work anywhere? You have mobile devices. You can work from an airplane. You can work from a hotel room. It’s really a different world we’re dealing with.
Eric Ellenberg: So the current threat landscape is generally more focused on users and not systems. The most common way that we have attacks going against users is a thing called social engineering. So what is social engineering? Social engineering is basically a malicious actor, someone out there who wants to do bad things with your information, trying to get your users or yourself to divulge information that is sensitive. That can be sensitive account information. That can be sensitive login information. Basically, they’re trying to get some information out of your mind so that they can use that to get some things from you or your company.
Eric Ellenberg: There’s a few different ways they can do that. We’ve all heard these terms. We’re just going to cover them real quick. Phishing is when you get an email that says, hey, this is your bank emailing you. We need you to verify some transactions. If you were to click on that email, it might even look exactly like the bank’s website, but that is not from your bank. It is from, again, that malicious actor who’s trying to get you to divulge your banking credentials.
Eric Ellenberg: There’s a term out there called vishing, which people are more familiar with the term scams, the phone scams. This is where you get a phone call. We’ve probably all gotten this one. Your car is coming due for the end of its warranty, and you need to get a new warranty for your car. You’re like, I never knew I had a warranty for my car. Well, yeah, let me give you my credit card info so I can get that warranty extended. No, no, no, no, no, bad idea. Phone-based phishing is people actually robocalling you or calling you to get information that way.
Eric Ellenberg: Then text-based phishing, on the same token, you get a text message. It claims to be from someone that you know or a company that you do business with, and it’s not actually them. I’ve personally seen these myself with text messages that claim to be from Apple needing to verify some account information. They give you a little link to tap on, and you can tap on the link if you want to, but not a good idea.
Eric Ellenberg: Then, finally, there’s impersonation. This is kind of going back to workplace and physical security. Someone walks up to your door. They look like they have a badge. If you work at a large company, this is more common. They look like they could work there, but you don’t know them, but they have the badge, so you let them in. Now that person is kind of snooping around, and they’re not going to be doing good things.
Eric Ellenberg: What do we do about social engineering? What and where are the threats? So, first of all, I want to cover a couple of terms, and these get thrown around a lot, but they’re a little bit different. It’s just important to point out the difference. So there’s a compromise, and there’s a breach. So if you have an information compromise or an IT compromise, that typically means that someone has inadvertently divulged some information to … like those phishing attacks. They’ve inadvertently given someone their banking credentials. They’ve inadvertently given someone their email credentials. That represents a compromise. They’ve compromised the company’s security by divulging something.
Eric Ellenberg: A breach is when, unbeknownst to you, you have all your security measures in place, everything’s humming right along. However, someone from the outside has breached your network security. They’re in your network. They’re looking at things on your servers. They’re looking at things in your cloud apps. They’ve breached your network. That kind of goes back into what are the differences between these two. There are generally external and internal threats. So breaches are typically something that comes from the outside. Someone is out there. Again, I’ll call them a malicious actor. They’re scanning your website. They’re scanning any IP address or anyplace on the internet that’s associated with your company. They’re trying to kind of poke holes in your network to see where they can get in. So breaches are typically coming from the outside. Compromises are typically coming from the inside. Someone is just unknowingly going somewhere, doing something that they don’t know is pulling them into a malicious act, but it happens.
Eric Ellenberg: So this is the threat landscape. This is how breaches happen. There are some stats over here on the right on this slide that you can take a glance at. It’s a bunch of numbers, basically, that says information security is more important than ever. It’s easier than ever to have compromises and breaches because everything is online now. I have at home Alexa, and I can ask Alexa to turn on my living room lights, my bedroom lights. If Amazon were to have a breach or a compromise, someone else could be turning on my lights, right? Everything’s online now. There’s a different approach we have to take to keep ourselves safe.
Eric Ellenberg: So the three overarching themes in how to combat threats are our culture, our tools and our partners. I want to go in to talking about culture, because it’s not just about creating a security perimeter around your network or around securing your systems. You really have to have a security-minded and security-focused culture in your company. It doesn’t matter how big you are, if you’ve got hundreds or thousands of employees. I mean, that’s a challenge from a scale standpoint, but even if you’re a smaller business and you’ve got 5, 10, a couple dozen or maybe even just about 50 employees, you still have to have a security-minded culture in every single person.
Eric Ellenberg: So let’s go to the next slide there, Jennifer, and let’s talk about how to build a strong security culture. There are some components of building a strong security culture that we want to go over in the presentation and in the talk so that we at least have some points about creating a strong security culture and how we actually enforce or implement that security culture.
Eric Ellenberg: So modern IT security, you’ll hear me talk in this presentation about traditional methods and modern methods. Traditionally, IT security was something that your IT department was responsible for. They are putting rules in place on your network, on your servers. They’re creating security groups and permissions to limit who has access to what, where they can access it from, so on and so forth. That model worked really well when all of our data, all of our business logic was under one roof. Nowadays, our data is in four different cloud services. Our infrastructure is in the hands of those cloud services.
Eric Ellenberg: So how do we secure that? We have to secure the users. We have to protect how they access those resources and have some insight into where they’re accessing them from and how they’re getting to it. It’s a more user-centric view of security, rather than an IT department or admin-centric view of security. There’s also just best practices to protect against breaches. There are things that you can do as an organization that are going to make you less susceptible to having a breach or a compromise.
Eric Ellenberg: So the list is here, efficiency, scalability, awareness. I’m going to dive into each of these. I just want to touch on them real quick. So efficiency, managing access to your systems. This is how you are allowing or disallowing people to have access to resources. I joke nowadays that, when a kid is born, they ought to be assigned a username and password in the hospital, because it seems like that’s what we all have nowadays. It’s just everywhere. So how do we manage all these usernames and passwords? So managing access to your systems.
Eric Ellenberg: Also, we want to emphasize that security and productivity do not have to be mutually exclusive. In a traditional model, when you had a secure network, it was like, oh, boy, I need to add a new application to this security framework. It’s going to take me two months talking to my IT department to get this to happen. No, no, no, it does not have to be like that.
Eric Ellenberg: Scalability. I mentioned before that any size organization, no matter what your footprint is, how many locations you’ve got, how few locations you have, that it’s important that these security solutions scale to you and can scale up as big as you grow. So you have to have security solutions that’ll work across the board. Then it really won’t do us any good if those security solutions are not easy to adopt and adapt. If users are having a hard time getting the hang of these new user-centric tools, then they won’t use them. If it’s not enforced for them to use them and it’s not easy for them to use, then either you have a lot of complaints or you don’t have good security. Then you have to be able to adapt them. You have to change with how the threats change, because now more than ever security is not a finish line that you cross and you say now I’m done. It is an ongoing process.
Eric Ellenberg: Then awareness. We like to say that your first line of defense is always your users and hence the focus on strong security culture. If your people aren’t aware of what the security threats are, if they’re not trained or educated on what those threats look like, then they’re more likely to be susceptible to them. Then we also want to point out that having awareness is great. You can say everyone can be trained up on what these threats look like. But then if you don’t have, again, the ongoing process of training people in what security is, how it works, and here are the things to look for…you need insight into knowing how up-to-speed are my people on knowing what those threats look like and how to respond to them?
Eric Ellenberg: So we want to dive into security, so let’s talk about today’s best practices. Again, we are reemphasizing some points here because we want to change the mindset and the terminology around IT security. It starts with culture. You have to have a security-aware culture. When one of your employees gets an email … And we have seen this before. It claims to be from someone in the C level. They get the email. They say, oh, well, my executive is asking me to look up this wire transfer, and I know that they’re traveling right now, so maybe I should just go ahead and transfer that money to this account number they gave me. If they’re not aware of that being a possibility, a way that they can be scammed via email that looks to be from an executive, then they’re going to have a problem, and you’re going to have a problem. So you have to have a security-aware culture.
Eric Ellenberg: Again, that goes back to the users, so protecting users instead of assets. We obviously want to protect the data in our company. We want to protect our company’s intellectual property, and we have to protect those assets. But the best way to protect those assets is by protecting how access to those assets is given and who has access to them. So it starts with the users, and it has to be a multiple-layered approach. If you don’t have multiple layers of security to protect your users against a breach or a compromise, then you have the single point of failure problem, which is very common in IT. If this thing were to break, everything goes down. So you don’t want to have a single point of failure. You want to have multiple layers of security.
Eric Ellenberg: Then, again, touching back on this, security is an ever-evolving process, depending on where you are in your maturity as an organization, maybe you have someone that knows IT, and they’ve kept everything running. They’re really sharp. Maybe you don’t. Even if you do have a person that’s pretty sharp on it, is that their only responsibility? Is that their main responsibility, to keep up-to-speed with all the security threats and how to respond to them? Likely not. Even my own client base, I have clients with IT departments. Those clients are trying to take care of their users. They’re trying to take care of the business. Security is something that they need, but they really need someone to be focused on it for them all the time.
Eric Ellenberg: The thing we talk about is having a good partnership for who’s going to handle your security. You have to have experts, because this is not a business that does well when you don’t have someone who knows what they’re doing with how to protect your users. You have to have someone who knows what they’re doing. Then you have to have a partner with a road map to say how do we get from point A to point B. How do we get from a place where we feel insecure or maybe we know that we have some areas, some room for improvement, to somewhere where we feel like, hey, we’re solid? We’ve got a lot of good measures in place to keep us secure.
Eric Ellenberg: On the right over here, there’s a few different things that you can glance at. This is kind of just part of the best practices, sort of the specifics. But, again, this is the high level overview, so we want to keep marching forward so we have plenty of time for a demo and a Q&A at the end.
Eric Ellenberg: Now efficiency. If we don’t have a way to efficiently roll out all these security functions and features, then that slows the organization down. If you don’t have an efficient way to manage those different products and solutions that are giving your organization security, it’s slowing your organization down. So we want to talk about efficiency because we strongly believe that security and productivity are not mutually exclusive.
Eric Ellenberg: The question is how do you access your system. Again, the joke is you should have a username and password for that, right? But if you have one system and that’s the only system you use, then great. More often than not, we have dozens of systems that we’re using. So the traditional way of managing access to our systems no longer works. The traditional method is you had one user that had multiple logins. They’d have their email login. They had their network login. They had this cloud app, this SaaS app, this legacy app, so on and so forth.
Eric Ellenberg: Multiple logins means multiple passwords. Multiple passwords means you have to have a password expiration policy or something that’s going to keep those passwords secure. Each of those logins is a potential compromise. Having everything under one roof in the traditional model, it was feasible. It was sometimes tricky, but it was more realistic. Nowadays, not so much.
Eric Ellenberg: So the modern approach is you have one user, you have one login, and that one login for that user gives them access to all of the same resources, but they’re managed from a single location. So you’re not having to deal with multiple usernames and passwords. You’re not having to worry about how do you configure this system’s password policy and this system’s password policy. You’re only managing your passwords from one place. It’s a better user experience, because when you tell your users, okay, instead of having to have 18 sticky notes next to your desktop or your laptop, you just keep this one password in mind that gives you access to everything.
Eric Ellenberg: On the flip side of that, it also makes it, actually, easier for your IT people. Your admins have one point of control to manage access to all those resources. It makes it a lot easier for your users and your admins to manage how they’re getting access to the company resources. You see some things over here on the right that…this creates a lot of problems if you don’t have something like this in place nowadays. You have just plain chaos. There’s all these different things to manage.
Eric Ellenberg: Of course, that presents a security risk. It’s hard to get users set up, so, again, to the point of efficiency. When you get a new user or hire a new employee or you’re offboarding an employee, you have to set up eight different accounts for that one person in eight different places. You have to turn off an account in eight different places for one person. Do all those procedures get followed? Who is enforcing those procedures? Who is auditing those procedures? If you have one place, it makes it a lot easier, because you’re going to one place. You’re checking it, and you’re saying, okay, we turned all those accounts on or we turned it all off, bingo.
Eric Ellenberg: That gets into scalability, because, as you’re growing, you want your security solutions to grow with you. You don’t want to have to do a security initiative and say, okay, everybody, we’re going to create a more secure culture. We’re going to focus more on how we do our IT. We’re going to focus more on how we get access to things. This is how we’re going to do it. Then a year later, your business is doubled in size. You’ve got double the amount of employees. You say, okay, everybody, all that stuff we talked about last year, we’re going to have to throw it all away, and we’re going to have to do this new thing that’s actually going to work for this size organization. So it has to scale.
Eric Ellenberg: Really, if it doesn’t scale, it doesn’t work. If you have to do new solutions, new product, new implementations for these different security solutions on any kind of revolving basis, it’s going to be painful, because security is affecting how people are getting access to things to actually do their jobs. If you’re changing that process of how they’re doing their jobs, it can be very painful. Then if you’re changing that process of how they’re getting access to data to do their jobs on a regular basis, that’s creating chaos for yourself from a management level. People start to complain. They say, well, I’m not going to change this, or I’m not going to put up with this. This can create problems for you. If it doesn’t scale, it just doesn’t work.
Eric Ellenberg: The focus is to add protection without headache. You want to be able to layer in different protections, different pieces of the security puzzle, without having people to pull their hair out, them and you. You want it to be easy to roll out. You don’t want to say, okay, everyone, here’s the thing we’re going to do, and here’s the timeline we’re going to do it. It’s going to take six months, and we’re going to have to fundamentally change these systems and these systems and these systems. Really, what you want is I have my business working fine just the way it is today. What are some things I can add to it or can plug in to it to make it more secure? So you want it to be easy to roll out so you can plug those different products and solutions in and you have the extra layers of protection.
Eric Ellenberg: Then, again, talking about growth and scalability, you want it to be easy or simple to add new systems and applications. If you don’t have a way in that security solution to plug in new applications and new systems, then you’re setting yourself up to have to go through another security solution a year or two down the line when you need some new application or some new system added to your business to make yourself more efficient and to keep growing. So it has to be easy to roll out with what you have, but it has to be simple to scale that to other systems and applications as you grow.
Eric Ellenberg: So, yet again, here are some figures from Gartner, just kind of covering what it takes. What’s at stake for this access management, for having a more modern IT security foundation? The only one I’m going to mention here is the center piece right there. 81% of breaches involve stolen or weak passwords. A lot of us have seen where … I’ve gotten an email from … I think it was just this morning, Zappos. The website Zappos had an information breach, and I got an email saying, “So your information was included in this breach, and it may have included your username and password, so you need to reset that.” That’s something that Zappos knew about and emailed me about.
Eric Ellenberg: But the nature of just having our information spread across the internet, we’re doing business with all these places, is that we’ve set up an account with those different places. Do we remember all those usernames and passwords? Maybe, maybe not. This figure, this 81% of breaches involve stolen or weak passwords is leaning very strongly to maybe not. So if we have better control of our access to systems that are important for our business, then we’re going to have better control of making that number zero. That’s really what we want. That’s what we’re looking for.
Eric Ellenberg: So the final component here is to talk about awareness. How do we make a strong security culture? It starts with our people. How do we get our people to be more aware about what’s out there, what are the different ways that malicious actors can trick them into divulging information that’s sensitive? We have to make them aware of what those things look like. So the cycle here is that you have to train people. The phishing is going to continue to happen. With training, they’re going to identify the current methods. So all the different malicious actors out there across the world are doing things a certain way today. The security solutions, the people out there building those and implementing those, they’re getting smarter, and they’re getting better at identifying those malicious-looking emails, those scammy phone calls. So the security vendors out there step up.
Eric Ellenberg: Well, as soon as they step up and they close all those loops, they identify all those different threats, the actors are iterating too. They are also working on new ways to attack us, new ways to get our information in our systems. So there has to be a cycle of training. Then the phishing continues to happen. Then we analyze how the phishing is happening and how are our users responding to those different kinds of threats, and then training them again. It has to be a cycle. Security is a process. It’s not a destination.
Eric Ellenberg: This is about educating team members to recognize security threats, and that just, again, goes into what this looks like, where if you’re training people to identify these things, initially, they’re going to say, okay, well, I have a lot of this coming in. People are clicking on things left and right. But, very quickly, within 12 months, you see the average user is only clicking on those things 2% of the time. So it can make dramatic effects if you have some security awareness in your organization.
Eric Ellenberg: Now I want to hand it over to Alena to talk a little bit more about our solutions and have a demo. So take it away, Alena.
Alena: Thank you, Eric. All right. Our job at 1Path is to help our users, help our clients, and just educate as many people as we can. But there are tools out there. We’ve combined them. We’ve vetted them, and we really think that we’ve got what we need here. So let me share my screen, show you what this looks like from a user perspective. First things first, we’ve got a single sign-on portal. This is really the only thing I need to log in when I come into the day. Notice I have a forgot password link right here. This will actually let me reset my password without even having to reach out to IT. I’ve got an email option, an SMS option. I can answer my security questions. This could be used with a multi-factor as well, multiple options to reset here. Let me go back here and back to my sign-in.
Alena: Now here’s where I’m prompted for this multi-factor. What is multi-factor? This is something that I know, and something that I have. So I put in my normal password right here, and then I’m prompted to authenticate. I can either do this via my phone, and it’ll send me a push notification. Or I can do this with a passcode. So for the purpose here, let’s just do our passcode, a one-time passcode. It lets me right in. I’m immediately taken into my single, secure, very seamless dashboard right here of the user. The first thing I’m going to do is check my email, right? Let’s go in here. We’ve got a couple of new emails here. So, first one, we got my lovely reminder to complete my training. These are the sessions that were set by 1Path for compliance purposes. I’ve got my link here to take me to my training.
Alena: But let me just show you really fast a phishing test. I’ve got this email here. It’s telling me 1Path has an account that has been affected by a network incident. This is already not sounding great. I haven’t heard about this throughout the office. So I keep reading here. It’s asking me to use this link. Pretty quickly here. It’s giving me a sense of urgency and then I just have a link. Now Eric talked about how we need to be cautious about this sort of thing. I don’t know if you guys can see it very well, but at the very bottom here, it’s actually telling me the URL, and it’s not looking very familiar. So let’s go ahead and mark this as phish. Once I do that, I’m actually told this is a company testing email. It takes it over to my trash.
Alena: So I hover back over to my dashboard. I wanted to work on that KnowBe4 training. I can just click right into that link. It takes me straight into my own user account. I can see all the trainings that I have to complete. It tells me I’ve got 15 minutes worth of training for just the generic internet security information. There’s a fun spotting the phish game, PCI, HIPAA. These can all be set based on your compliance requirements.
Alena: What does this mean? What does this look like? I wanted to show you here a personal risk score. I have all my training. I have phishing attempts. What does that turn into? Well, it turns into a risk score based on my baseline performance. I haven’t completed my training, therefore I’m not doing quite well right here. I’m not quite in the green just yet. Company-wide, what does this look like? So we’ve got several advanced reporting tools. We could go through several of these, but let me just pick one that gives a good representation. So this is the last six months here, and let me make this slightly bigger for you guys. We can see that multiple people are clicking through some of these emails, actually, most notably anything that’s coming from a manager asking to download a file, HR notifications. Those happen all the time. We’ve got company policy announcements. So it’s giving me a good overarching report for our company or your company.
Alena: As a user, I’ve got my dashboard. I can view through my personal added tools. I can sort through my user role-specific tools. I can even add applications here if I wanted to create my own. I’ve got my Dropbox. I can just continue to add as many of these as I need to. These will all populate in my personal portal here. Really, all we wanted to show you is the simplicity of this. I’m logging in one time in the morning. I can check email. I can access my apps. I can access ADP. I can see all my payroll records, all that good stuff.
Jennifer Henderson: All right. Thanks, Alena and Eric, so much for sharing all that information. That’s all the time we have for today, and I think we’ve reached the end of our questions. I want to thank everyone for your time today talking about this. If you have any questions afterwards, please just email me, or you can email marketing@1Path.com. That’s with the number 1, P-A-T-H.com. We’ll keep you updated. So everyone have a great day, and thank you so much.
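The one concrete check in the demo above is the phishing-test email whose link text claims to be a 1Path address while the real target, shown at the bottom of the screen, is unfamiliar. The script below, added here as an example and not code from 1Path, KnowBe4 or the webinar, automates that same comparison over an HTML message body: it pulls every link, compares the domain the link displays with the domain it actually points to, and flags targets outside a trusted set. The trusted domains and the sample email are constructed for the example; a real deployment would load the allowlist from the organisation's own inventory.

```python
"""Flag links whose visible text and real target disagree, or whose target
domain is not one the organisation expects.  Added example; the trusted
domains and the sample message below are assumptions, not real data."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: domains this organisation expects mail to link to.
TRUSTED_DOMAINS = {"1path.com", "knowbe4.com"}

# Visible link text that itself looks like a URL or hostname.
_URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' domain, adequate for the common .com case."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_links(html_body, trusted=TRUSTED_DOMAINS):
    """Return one finding per suspicious link; an empty list means nothing was flagged."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target_host = urlparse(href).hostname or ""
        target_domain = registrable_domain(target_host)
        reasons = []
        if target_domain not in trusted:
            reasons.append(f"target domain {target_domain!r} not in trusted set")
        # If the displayed text looks like an address, it must match the real target.
        if _URL_LIKE.fullmatch(text):
            shown = text if "://" in text else "http://" + text
            shown_host = urlparse(shown).hostname or ""
            if registrable_domain(shown_host) != target_domain:
                reasons.append(f"displays {shown_host!r} but points to {target_host!r}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample modelled on the phishing-test email in the demo.
SAMPLE_EMAIL = """<p>1Path has an account affected by a network incident.
Use the link below within 24 hours to keep access.</p>
<a href="http://1path-secure-login.example.net/verify">https://portal.1path.com/verify</a>
<p>Your training is waiting:
<a href="https://training.knowbe4.com/learn">Start training</a></p>"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run against the sample, only the "network incident" link is reported, with both reasons: its domain is outside the trusted set, and the address it shows is not the address it opens. The training link passes because it points at a trusted domain and its text makes no claim about where it goes.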