Modern field guide to security and privacy

You don’t need to be anti-social to be cybersecure

Fighting the human need for connection is a losing battle — instead, fix the systems that protect your employees inexpensively and non-intrusively

Michael Bonfigli/The Christian Science Monitor
Greg Boison, Director, Homeland & Cyber Security at Lockheed Martin, spoke at an event hosted by Passcode, a section of The Christian Science Monitor, in Washington, D.C. on Oct. 1, 2015.

Cyber attackers looking for social media clues about their corporate targets have plenty of help.

Job hunters litter the Internet with their skills and abilities, while current employees looking for Mr. or Mrs. Right set up online dating profiles or accept pending connection requests on sites like LinkedIn and Facebook without screening them.

Knowing that attackers mine this kind of social information to select targets and shape their attacks on your company, the risk of digital disclosure kind of makes you want to be antisocial, right?

Fighting the simple human need to connect with others is a battle any organization will lose. Instead, cyber defenders need to cope intelligently and cost-effectively with the risk of skilled social engineering.

1. Is the threat bigger than a breadbox?

Any effective and efficient cyber defense has to begin with this basic question: How great is the threat I face? Defenders must gauge what information they need to protect and respond appropriately.

Some enterprises’ information may be too valuable to accept almost any social risk. Naturally, securing data at a local McDonald’s franchise requires a different approach than securing the NSA — but what, specifically? What share of your transactions are card payments? How would a breach be insured? If you lost 10 percent of your business following an exposure, what would be the economic impact? Answering questions such as these will tell you how best to approach your cyber defense and how comfortable you can be with employees’ use of social media.

2. The best things in life are free.

The right tradecraft, meaning the thoughtful and skilled analysis of seasoned human network defenders, can advance an organization’s security at little to no cost. Identify your existing resources and tune them to disrupt the threats your enterprise actually faces. With that understanding in hand, you can add further defenses for greater resiliency.

This is far more valuable than bolting a popular but costly tool onto existing processes. Take spear phishing, the most common way attackers put social information to use. Tagging every email that arrives from outside the organization with an “EXTERNAL” marker in the subject line or message header, before it lands in employees’ inboxes, gives them a visible cue to pause and assess whether the message should be trusted. The tag is only a cue: it blocks nothing on its own, and a message sent from a compromised internal account carries no tag at all, so it complements sender authentication at the mail gateway (SPF, DKIM, DMARC) rather than replacing it.

The cost? Trivial. 
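As an added example, not code from the article or from Lockheed Martin, here is the tagging step written in Python against the standard library’s email parser. It assumes a set of internal domains (INTERNAL_DOMAINS), an “[EXTERNAL]” subject prefix, an inbound gateway that strips and re-stamps an Authentication-Results header so senders cannot forge it, and four constructed sample messages. It also makes explicit the check the advice above leaves implicit: a message whose From: claims an internal address but fails DMARC is still tagged, because that forged internal sender is the spoof a spear phisher relies on.

```python
# Added example (not the article's or Lockheed Martin's code): an inbound-mail
# step that prefixes the Subject of external mail with an EXTERNAL tag.
# INTERNAL_DOMAINS, TAG, the Authentication-Results format and all sample
# messages are assumptions constructed for this example.
import email
import email.utils
from email import policy
from email.message import Message

INTERNAL_DOMAINS = {"example.com"}   # assumption: the organization's own domains
TAG = "[EXTERNAL]"                   # assumption: the marker users are trained to look for


def sender_domain(msg: Message) -> str:
    """Lower-cased domain of the RFC 5322 From: address ('' if absent)."""
    _, addr = email.utils.parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def dmarc_passed(msg: Message) -> bool:
    """True if the Authentication-Results header stamped by our own gateway
    (assumption: inbound copies are stripped and re-added, so a sender cannot
    forge it) reports dmarc=pass.  DMARC is checked rather than SPF or DKIM
    alone because it requires the passing domain to be aligned with the From:
    domain the user actually sees."""
    results = str(msg.get("Authentication-Results", "")).lower()
    return "dmarc=pass" in results


def is_external(msg: Message) -> bool:
    """Internal only when From: is one of our domains AND it was authenticated.
    A forged internal From: that fails DMARC (or has no result) is external."""
    return sender_domain(msg) not in INTERNAL_DOMAINS or not dmarc_passed(msg)


def tag_external(msg: Message) -> str:
    """Prefix the Subject with TAG once (idempotent) if the mail is external.
    Returns the subject after processing."""
    subject = str(msg.get("Subject", ""))
    if is_external(msg) and not subject.startswith(TAG):
        subject = f"{TAG} {subject}".rstrip()
        del msg["Subject"]
        msg["Subject"] = subject
    return subject


def process(raw: str) -> str:
    """Parse one raw RFC 5322 message and return its (possibly tagged) subject."""
    msg = email.message_from_string(raw, policy=policy.default)
    return tag_external(msg)


# Constructed sample messages (not real mail).  Header lines are flush-left on
# purpose: indented lines would be parsed as folded continuations.
SAMPLES = {
    # outside vendor, authenticated: still external, so it gets the tag
    "vendor": """\
From: Pat <pat@vendor-example.net>
To: alice@example.com
Subject: Invoice attached
Authentication-Results: mx.example.com; dmarc=pass header.from=vendor-example.net

Please see the attached invoice.
""",
    # genuine colleague: internal domain and DMARC pass, no tag
    "colleague": """\
From: Bob <bob@example.com>
To: alice@example.com
Subject: Lunch?
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com

Noon?
""",
    # spoofed executive: internal-looking From: that fails DMARC, tagged
    "spoofed_ceo": """\
From: CEO <ceo@example.com>
To: alice@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; dmarc=fail header.from=example.com

Send it now, I am in a meeting.
""",
    # a reply thread that already carries the tag must not be tagged twice
    "pretagged": """\
From: Pat <pat@vendor-example.net>
To: alice@example.com
Subject: [EXTERNAL] Re: Invoice attached
Authentication-Results: mx.example.com; dmarc=pass header.from=vendor-example.net

Did you get it?
""",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12} -> {process(raw)}")
```

The decision is deliberately fail-closed: an internal-looking sender with a missing or failing DMARC result is tagged, which is the case the tag exists for. What the example cannot catch is mail from a genuinely compromised internal account, which passes authentication and is, by every header, internal.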

3. It’s not you... It’s me.

The question is not whether you should buy a given cybersecurity technology because others are buying it or because it scores well in analyst reviews. The far more important issue is how the tool fits into your current defenses.

Does it overlap or conflict with existing tools? If it provides additional functionality, is there another tool that provides a similar function for significantly lower cost? It is, after all, all about you. And how are you using what you already have? Are you leveraging the information you hold about attempted and successful breaches? A relatively simple knowledge management tool that stores information about potential threats and can be searched rapidly is the most fundamental step toward embracing intelligence-driven defense.

By examining your current cybersecurity posture and working through the three points above, you can take your enterprise from being exposed to “social” risks to an intelligence-driven, strong and stable network defense.

Being social, it turns out, does not mean you cannot also be secure.

Greg Boison is the Director of Lockheed Martin’s Homeland & Cybersecurity line of business. This diverse portfolio includes capabilities in systems integration, software development, enterprise IT, credentialing, biometrics, and cybersecurity. Follow Greg on Twitter @gregboison.
