Cloud Hosting

Getty

As of January 1, 2020, Californias new Consumer Privacy Act goes into effect, and with it a series of new requirements about how your company protects information. Those protection requirements include, among other things, something called reasonable security when handling that information. Fail to provide that reasonable security, and you could find your company hit with significant fines.

You need to make a data driven decision that having a human firewall is a really good idea.

Whats reasonable security, and how do you achieve it? The California Attorney General lists compliance with the Center for Internet Security list of 20 controls and resources as recommendations as being reasonable security. Whats notable about the CIS list is that theres no specific technology solution. Instead, the means of complying with the CIS Controls is primarily a management process.

Human Firewalls

The danger is thinking that theres going to be a silver bullet, but it never arrives, said Stu Sjouwerman, CEO of KnowBe4, a security training company. As a community in IT, you need to make a data driven decision that having a human firewall is a really good idea.

Getty

The idea of a human firewall is that a company thats properly managed will have employees that wont fall for the social engineering that precedes most data breaches. This means that your employees must be instilled with what Sjouwerman calls a security culture. With a proper security culture, your employees will know not to open phishing emails, theyll know not to send out the company phone book or the CEOs contact information. Theyll also know when to report suspected intrusion attempts to the CISO staff.

Security Culture

Getting a security into your company isnt necessarily the easiest thing in the world, because it requires that your employees not take the easy way out when it comes to protecting your organization. It means they must choose long complex passwords, they must not let people follow them into secure areas and they must not answer questions over the phone unless their role in the organization is that they communicate with the public.

Youre better off hiring the right people and training them, Sjouwerman said. Youre hiring for a security culture. They have a security awareness level so that they can be trained.

Getty

To accomplish this, you need to have buy-in from your board so that you can have the boards backing when you institute security controls and limit your hiring to people who understand why security is important, even if they have to be trained.

Getting your employees motivated to be part of the security culture will take some effort. Youll need an internal sales and marketing campaign, but everyone needs to be sold on the fact that security is important. Sjouwerman said.

Sjouwerman noted that having data breaches covered in the media on a near daily basis helps drive home the need to prevent them. A boatload of those data breaches are caused by human error, he said.

The Management Approach

But if you look at the 20 CIS Controls, youll see that they are management tasks, not technological solutions. A few of the tasks can use technology to implement part of the solution, but in most of the cases there is no hardware or software solution available.

Getty

For example, the requirement for malware protection can use anti-malware software or devices, but the requirement for controlled access based on need to know is purely a management task. Likewise, the task to implement a security awareness and training program requires management desire and the appropriate funding.

No doubt youre aware of the many companies selling products that they claim will solve all of your security problems if only you put them to work in your organization. The problem with these products is that theyre not totally effective. Even the best of the appliances or software packages will let miss some threats, if only because the attackers are very good at finding ways to get past those products you bought.

This doesnt mean that you shouldnt buy these products, because you should. Even though they may miss 5 to 10 percent of the bad stuff thats trying to breach your network, Thats still a lot less than youd have otherwise.

But for your security to be effective, your employees helped by your management approach, need to discover and block the rest.

Employee Focus

To make all of this work, your employees need to see that their management encourages their security awareness. This could mean a bonus for finding and reporting a threat. It could mean the backing of management for reporting a poor security practice in the workplace. It could even mean praise for finding a new and better security practice.

Whats key is that your employees are willingly and even enthusiastically part of the security solution. This should not appear to them to be a burden or to require unreasonable difficulties. The bottom line is that they should want to be part of the security solution.

See the rest here:
Staying Out Of Trouble In 2020 With New Security Practices And Human Firewalls - Forbes