Soft and Chewy on the Inside Makes the Perimeter Irrelevant
A CISO liked to describe her enterprise as “hard and crunchy on the outside, soft and chewy on the inside”. She was proud of her perimeter defenses and felt her firewalls and IDS were so well implemented she could get away with weak security within. After all, she said her company couldn’t afford to secure everything, so she focused on the perimeter.
Such is the dilemma of the modern CISO. The problem with her approach was that it wasn’t risk-based: she focused on the perimeter without understanding where her greatest risks were. In her case the business bought goods internationally, so employees communicated extensively by email with international clients. This was a situation ripe for phishing and spear-phishing attacks. Her uninformed employees would routinely open emailed attachments originating from unknown (untrusted) external senders. Many of these emails contained exploits which spread throughout the network, leaking sensitive information and serving as a launch point for further attacks. Her soft and chewy inside was easy pickings.
If only her employees had understood how to defend against such attacks. A program of repeated, hands-on exercises would teach them to recognize such emails and what to do when they received one. Better yet, if the employees were involved in creating and implementing good security practices at the company, they would care more about security as a whole.