Page 6 - NBIZ MAGAZINE December 2021
A strong security culture can help avoid situations like these and other scams by creating a heightened sense of security within the organization, so that employees verify before trusting such emails or other communication. Having a strong control environment also ensures that all payments go through a defined level of approval based on dollar amount, in addition to enforcing segregation of duties controls. Leaders should create a culture of collaboration and reward employees for raising security concerns in a timely manner. This not only allows everyone to feel accountable but also gives employees the opportunity to act as guardians of the organization. If the tone at the top is security-oriented, then employees will reach out to their leadership without any fear of repercussion. As in the example described, the CFO could have been called to verify the contents of the email.

        Business Email Compromise (BEC) is an exploit in which an attacker obtains access to a business email account and imitates the owner's identity in order to defraud the company and its employees, customers, or partners.

But Who is a Leader?

To create a security awareness culture within an organization, many individuals can be considered leaders. Ranging from the executive management team to the managers overseeing the corporate office, changes in culture must start from the top down and be enforced at every level of authority. Any deviation from the goal may create ripples through the organization, with higher-ranking leaders causing larger setbacks through noncompliance and leaving the organization more exposed to social engineering attacks.

As part of a consulting firm, we encounter many situations that could easily be avoided if the whole organization, including upper management, took security seriously. We ran into a peculiar case at a large healthcare organization where a VP sent out an email stating that all employees would need to complete the security awareness training, and that anyone who did not attend it would be fired. Unbeknownst to the VP, a phishing campaign was also being run for everyone in the organization. The result was that a large percentage of the employees did not click on the email that was sent out, because they had gone through the security awareness training, which educated them on what to look for in phishing emails. The point of note was that the VP who had sent out the email had not taken the training he himself had mandated, and he also clicked on the phishing simulation email. We see several situations where the C-Suite does not want to comply with the IT security policies that the rest of the organization complies with. This not only creates a culture of "Why should I do it when the leadership does not believe in this?" but also ensures that upper management, who typically carry a lot of sensitive information with them, are at higher risk of being compromised. It is imperative that leaders lead by example and set the tone for the workplace.

Planning Matters

At the end of the day, any organization looking to add security awareness to its own internal culture should do so only after extensive planning. While the responsibility for information security may fall on a certain group of people, this group should attain buy-in and seek input from leaders throughout the organization and work closely with them on the implementation of any planned changes. Doing so may reduce the burden on the responsible group, improve employee attitudes towards changes, and ensure a more seamless experience overall.

Depending on the size or scope of the project, it is not uncommon for organizations to partner with specialized consulting firms or to establish internal committees with representation from multiple business groups.

• Leveraging professionals who have a long history of building and improving information security environments from the top down can prove to be an invaluable resource. A consulting firm may reduce the likelihood of costly errors occurring, help manage the project, provide years of relevant experience, facilitate internal communications, provide input on other relevant topics such as business process improvement or risk management, and/or anything else agreed upon in the project scope. This provides an organization with a scalable amount of human capital at agreed-upon costs, as opposed to either hiring a set number of employees or being time-constrained by the current number of available employees – assuming they don't get assigned additional projects/responsibilities in the same time frame.

• Internal committees are a great way to facilitate regular communication in larger organizations and allow the responsible group to attain buy-in and receive input from multiple leaders at once. This ensures that leaders are on the same page during the planning phase, and that the organization can be better coordinated during the implementation phase – resulting in the smoother deployment of planned changes.

Countless factors go into successfully changing an organization's culture, but the importance of attaining buy-in and/or help from internal leaders should not be underestimated.

Madhu Maganti is a Partner at ABIP Advisors, where he leads the Cybersecurity and Technology Advisory services. With more than 20 years' experience, Madhu has worked closely with clients across a variety of industries to ensure compliance, identify security risks, mitigate threats, and protect data by performing cybersecurity assessments, among a host of other services. He can be reached at mmaganti@abipadvisors.com.
