Did you know that October is National Cyber Security Awareness Month? While not exactly up there with Mother’s Day and the 4th of July, it’s actually a very important topic for all businesses today.
Anybody who pays attention to this issue knows that the vast majority of data breaches are NOT due to failures of the “hard shell” of technology measures that protect internal networks and data, but rather to the “soft” side of human factors. Almost every publicized breach was caused by a human mistake rather than a technology flaw, or its impact was exacerbated by human mistakes, or both.
The September 2015 issue of the Harvard Business Review has a great article suggesting that we can take lessons from the military on how they’ve transformed from a highly vulnerable IT colossus to a nimble and effective defender of its systems. According to the article, the military has successfully repelled 30 million attacks over a 10-month period ending in June 2015 with fewer than 0.1% compromising systems in any way.
To do so, they embraced the concept and practices of “high reliability organizations” (HROs). HRO theory has its origins in places like air traffic control, space flight and nuclear power plants…places that combine complex interactions between people and technology with the reality that a single mistake can cascade into disasters with tragic consequences. At the heart of all successful HROs are 6 key principles:
- Integrity. A deep culture that not only commits to avoiding errors of commission but also to immediately notifying supervisors of any deviation from protocol. Even a small deviation is immediately noted, reported, investigated and resolved so that small deviations neither grow into big problems nor contribute to a culture that “lets things slide.”
- Depth of knowledge. Understanding the entire system and its vulnerabilities allows people to put attention where breaches are most likely. Operators are rigorously trained…and cross-trained, so that barriers to understanding the complexity of sub-system interactions are less likely to lead to something “falling through the cracks.”
- Procedural compliance. Compliance is not assumed. It’s formalized (think of a pilot’s checklist), trained, re-trained and regularly inspected. HROs are no place for participants to rely on their talent, skill and memory since even a small deviation can cascade. There’s simply no tolerance for deviation.
- Forceful backup. Any high risk activity is performed by at least two people, not one. A nuclear missile launch requires two keys…a co-pilot backs up the pilot in a jetliner. And in well-run HROs, even the most junior person can call a halt to the process if they believe something is out of compliance.
- Questioning attitude. This may be the hardest to achieve since all of the other themes create a very structured and hierarchical approach. HROs, however, do not rely simply on blind adherence to rank. They rely on people to double and triple check and take the initiative to “ask the dumb question.”
- Formality in communication. Just like in communication between an air traffic controller and a pilot, there are very prescriptive methods of communication. The letter “A” is spoken as “alpha” so as not to be mistaken for the number “8.” There’s no small talk that could lead to distraction. Something as simple as courteously holding a door for someone entering a badge-controlled area could allow a cyber-thief access, defeating a sophisticated authentication system.
The article goes on to give us very specific ideas on how to build an HRO around information security. Specifically, the authors recommend you:
- Take charge
- Make everyone accountable
- Establish uniform standards and centralized control of training
- Combine formality with forceful backup
- Check up regularly (i.e. inspect, inspect, inspect)
- Remove any fear of honesty, and couple that with merciless consequences for dishonesty
With all that great advice, the only thing I’m left wondering is what kind of card I’m supposed to get the CIO to celebrate National Cyber Security Awareness Month.