Page 6 - NBIZ MAGAZINE December 2021
A strong security culture can help avoid situations like these and other scams by creating a heightened sense of security within the organization, so that employees verify before trusting such emails or other communications. Having a strong control environment also ensures that all payments go through a defined level of approval based on dollar amount, in addition to enforcing segregation-of-duties controls. Leaders should create a culture of collaboration and reward employees for raising security concerns in a timely manner. This not only allows everyone to feel accountable but also creates an opportunity for employees to act as guardians of the organization. If the tone at the top is security-oriented, employees will reach out to their leadership without any fear of repercussion. In the example described, the CFO could have been called, at a known phone number rather than one supplied in the message, to verify the contents of the email.

Business Email Compromise (BEC) is an exploit in which an attacker obtains access to a business email account and imitates the owner's identity in order to defraud the company and its employees, customers, or partners.

But Who is a Leader?
To create a security awareness culture within an organization, many individuals can be considered leaders. Ranging from the executive management team to managers overseeing the corporate office, changes in culture must start from the top down and be enforced at every level of authority. Any deviation from the goal may create ripples through the organization, with higher-ranking leaders causing larger setbacks through noncompliance and leaving the organization more exposed to social engineering attacks.

As part of a consulting firm, we encounter many situations that could simply be avoided if the whole organization, including upper management, took security seriously. We ran into a peculiar case at a large healthcare organization where a VP sent out an email stating that all employees would need to complete the security awareness training, and that anyone who did not attend would be fired. Unbeknownst to the VP, a phishing simulation campaign was also being run against everyone in the organization. The result was that a large percentage of employees did not click on the simulated phishing email, because they had gone through the security awareness training, which had educated them on what to look for in phishing emails. The point of note was that the VP who had sent out the email had not only skipped the training he himself had mandated, but had also clicked on the phishing simulation email. We see several situations where the C-suite does not want to comply with the IT security policies that the rest of the organization follows. This not only creates a culture of "Why should I do it when the leadership does not believe in this?" but also ensures that upper management, who typically carry a lot of sensitive information with them, are at higher risk of being compromised. It is imperative that leaders lead by example and set the tone for the workplace.

Planning Matters
At the end of the day, any organization looking to add security awareness to its internal culture should do so only after extensive planning. While the responsibility for information security may fall on a certain group of people, this group should attain buy-in and seek input from leaders throughout the organization and work closely with them on the implementation of any planned changes. Doing so may reduce the burden on the responsible group, improve employee attitudes towards the changes, and ensure a more seamless experience overall.

Depending on the size or scope of the project, it is not uncommon for organizations to partner with specialized consulting firms or to establish internal committees with representation from multiple business groups.

• Leveraging professionals who have a long history of building and improving information security environments from the top down can prove to be an invaluable resource. A consulting firm may reduce the likelihood of costly errors, help manage the project, provide years of relevant experience, facilitate internal communications, provide input on other relevant topics such as business process improvement or risk management, and/or anything else agreed upon in the project scope. This provides an organization with a scalable amount of human capital at agreed-upon costs, as opposed to either hiring a set number of employees or being time-constrained by the current number of available employees, assuming they are not assigned additional projects or responsibilities in the same time frame.

• Internal committees are a great way to facilitate regular communication in larger organizations and allow the responsible group to attain buy-in and receive input from multiple leaders at once. This ensures that leaders are on the same page during the planning phase, and that the organization can be better coordinated during the implementation phase, resulting in a smoother deployment of planned changes.

Countless factors go into successfully changing an organization's culture, but the importance of attaining buy-in and/or help from internal leaders should not be underestimated. N

Madhu Maganti is a Partner at ABIP Advisors, where he leads the Cybersecurity and Technology Advisory services. With more than 20 years' experience, Madhu has worked closely with clients across a variety of industries to ensure compliance, identify security risks, mitigate threats, and protect data by performing cybersecurity assessments, among a host of other services. He can be reached at mmaganti@abipadvisors.com.