A culture shift in security was unavoidable during COVID-19. Employees need to sharpen their security awareness and companies need to gauge their workforce's attention to detail.
The pandemic "put us in a position where we have to rapidly assess and look at new types of risks that could change our security posture," said Katie Jenkins, chief information security officer at Liberty Mutual Insurance, on an online panel hosted by MIT Sloan CIO Digital Learning Series on Wednesday.
Between maintaining business continuity and employee well-being, CISOs had to decide if this unprecedented time in a worker's life was an appropriate time for security exercises — fake phishing emails, malware reporting, even testing fraudulent links to Zoom meetings.
For Jenkins, running security exercises in this context is imperative. Andrew Stanley, Mars, Incorporated CISO, took a different approach, delaying security exercises amid multiple crises.
To test or not to test
Employees are the gatekeepers of an organization's security. Without continuous training, their awareness can diminish.
"Most of my peers in the industry pulled back on [phishing exercises] to say, 'look, we don't really want to bother employees right now, they're adjusting to a lot of things,'" said Jenkins. "I made the choice to move forward and continue doing those exercises because I thought now, more than any time, we need to make sure that those skills [are] sharp across the board."
For Mars, the decision to run security exercises "has been super controversial in the team," said Stanley. The team was split between seizing the moment and worrying about the weaknesses an exercise would expose. Now could be an opportunity to educate more employees.
"On the flip side, in the Mars culture, that is deeply alienating," he said, referring to the personal crises (physical, medical, financial) employees might be experiencing. "To go through and do that exercise felt unfair, and it felt like it was exploiting them."
But the Mars team "debated the living daylights out of this topic," said Stanley, ultimately landing on a slight delay in routine exercises.
Typically, Mars launches anti-phishing exercises every six weeks; instead, the company waited 10 weeks before deploying an exercise to employees.
The result? "We did see an increase in vulnerability. We did see issues and we expected it," said Stanley.
Confronting employees with their weaknesses in security awareness led to a behavioral shift and a willingness to change, said Stanley. Training engagement and an attitude geared toward change were uncovered — now Mars has to keep up.
"As an enterprise, we weren't ready to change," because the company was dealing with a host of issues unforeseen prior to the pandemic, said Stanley. Third-party risks, especially among workers based in last-mile delivery infrastructure, turned "the problem on its head. It's been an impressive time, both to the positive and the negative."
Liberty Mutual's approach to running exercises had a similar empathetic approach toward employees and their well-being, though the company did ultimately pursue exercises per usual.
Jenkins checked in with a given department before their cycle of testing was deployed, asking leadership, "are you crisised-out?" They said no, "it's really important for us to go through a cyber crisis tabletop exercise, while we're remote and test their capabilities and decision making in a different way," she said.
Where to start: Find the risk
The willingness to find weaknesses in employee behavior helps CISOs determine their company's readiness for a cyber-related incident and assess risk.
The majority of cyber incidents, 90%, are caused by human error, said Keri Pearlson, Executive Director, MIT Cybersecurity at MIT Sloan, speaking on the panel. With the most destructive incidents, ransomware attacks that result in data breaches, delivered through phishing schemes, CISOs need to know where the risk inside the house is coming from.
"I go back to an earlier time when we found a vulnerability that was inside a software system. But in order to get to that vulnerability, you had access to the CEO's desktop and all the financial information of the organization," said Danny Allan, CTO of Veeam Software, while speaking on the panel.
The vulnerability was cross-site scripting, but this particular situation "didn't matter because the attacker wasn't going to go after a little vulnerability somewhere deep in the system." They were going after financial records and accessing information they weren't supposed to, said Allan.
Running tests and exercises helps non-technical leadership grasp where the risk exists in different segments of the business. When Jenkins can relay how a ransomware attack could knock Liberty Mutual claims analysts off cases for a period of time, the board is more willing to accept risk valuations that are not expressed in dollar terms, she said.
Assigning a dollar amount to exact risk scenarios — like the one articulated by Allan — for the purpose of board presentations is a nearly impossible task for CISOs.
Calling out certain risks is also "essentially picking a fight with the risk owner," said Stanley. In some cases, risk owners could turn around and say, "You're not valuing me enough, do you realize how important that product is?"
Correction: This article has been updated to reflect Andrew Stanley is the CISO of Mars, Incorporated.