Opiniones | Opinions | Editoriales | Editorials

What enterprises should do when helpless employees lose hope in fighting cyber attacks

Picture of System Administrator
What enterprises should do when helpless employees lose hope in fighting cyber attacks
by System Administrator - Friday, 19 June 2015, 12:54 PM
Colaboradores y Partners

What enterprises should do when helpless employees lose hope in fighting cyber attacks


By David Geer

What is the victim mentality and how can enterprises avoid it?

Hit too many times with successful attacks and compromises, an enterprise’s human resources can develop a victim mentality, a.k.a. learned helplessness. When this happens, employees who feel they are helpless to do anything effective to fight cyber attacks lose hope.

CSO looks at the symptoms of the victim mentality in the enterprise, how it comes about, and what enterprises can do technically and psychologically to avoid it.

The victim mentality and its symptoms

In the field of psychology, professionals also refer to the victim mentality as learned helplessness. “Learned Helplessness is a pattern of behaviors that develop in people when they are in a situation where they feel they have no power or control and they essentially give up,” says Steven Salmi, PhD, LP, President and CEO, Corporate Psychologists.

Learned helplessness can surface in the corporate world where constant and extreme information security threats flourish. “If people feel stuck in a situation where no available choice will get them out of it, they can start to shut down,” says Salmi.

There are ear marks or symptoms that can help an organization to gauge whether its people may have succumbed to learned helplessness. One of those symptoms is apathy. “Your people will exhibit passivity and disengage from their work. They won’t put in the discretionary effort that your high performers do,” says Salmi. Or, they may intermittently demonstrate lower levels of engagement.

And because misery loves company, affected employees may try to bring others down or look for co-workers who are already afflicted with whom they can share their emotional state. “People with learned helplessness point the finger, give excuses, shift the blame, and procrastinate. They can be more pessimistic, even defensive,” says Salmi.

People with learned helplessness point the finger, give excuses, shift the blame, and procrastinate. They can be more pessimistic, even defensive.

Steven Salmi, PhD, LP, President and CEO, Corporate Psychologists

One security expert has empirical evidence that supports the psychological interpretation. “I hear continuously that breach is inevitable and you simply must assume compromise and that it is not possible to build systems and security that can stop attackers,” says Eric Cowperthwaite, Vice President, Advanced Security & Strategy, CORE Security.

Further evidence appears when enterprises buy security breach insurance despite the fact that they don’t have a visible security program. “This happens because the organization assumes that breach is inevitable and that they need to try to transfer the risk using insurance,” says Cowperthwaite.

Finally, the victim mentality is visible when security leadership wants to immediately focus on stopping the biggest potential threats such as Zero Day Attacks and APTs before addressing basic security. “They assume that the bad guys are so advanced that the organization cannot stop them by doing the basics of security,” says Cowperthwaite.

Finally, the victim mentality is visible when security leadership wants to immediately focus on stopping the biggest potential threats such as Zero Day Attacks and APTs before addressing basic security. “They assume that the bad guys are so advanced that the organization cannot stop them by doing the basics of security,” says Cowperthwaite.

“In my experience, more than 90 percent of all intrusions, incidents, and breaches occur because the organization didn’t take care of the basics,” says Cowperthwaite. For example, the organization did not apply patches, did not harden systems, did not keep firewalls up to date, and did not have a security leader at the executive level who was directly accountable to senior leadership.

Root causes

There are many enterprise environments where people have a lot of responsibility and information security threats target data they have responsibility for. Even if they try to anticipate the next attack, they really have no idea who is going to launch it or when or how. “If you feel like you have a lot of responsibility in a high stakes environment but very little control to effect a meaningful change, that’s going to create learned helplessness,” says Salmi.

MORE ON CSO: What is wrong with this picture? The NEW clean desk test

Learned helplessness can also come about when a low level manager is in charge of security and has no business visibility to aid him. “This leaves the impression that the organization does not care about proper information security and they are not going to implement basic security measures to keep the enterprise secure,” says Cowperthwaite. The victim mentality arises here because security leadership knows what resources they need in order to secure their systems but they don’t feel that their business cares enough to provide it.

Too much negative security news can also be defeating. “We have been beat to death by media stories about breaches. Every time we turn around someone else is being hacked. That misleads people to believe that anyone can fall victim. But as we dig into these breaches, it turns out that the enterprise didn’t do something basic like patch a test server, which an attacker used to break into the network,” says Cowperthwaite.

Preventing learned helplessness

To prevent learned helplessness or reclaim people who suffer from it, it’s important to foster resilience in people over time, to support and enhance their ability to recover from failure, to be a long-distance runner, and to adjust and come back to a challenge with a new way of thinking and additional resources. The enterprise should always be building a more resilient team. “You can start by hiring people who are more likely to be resilient,” says Salmi.

To support an empowered and resilient team, test and prove the theory that when basic security measures are consistently applied, these can make it harder for the relatively rare attacks of APTs, Zero-Day Exploits, and Nation States to succeed. “Organizations need to stop worrying about APTs and Zero-Day exploits,” says Cowperthwaite, “and start patching vulnerabilities that they’ve known about for years.”

While enterprises can locate available patches with the help of the given software vendor, they may also want to use a patch management software package to ease the process of patching their many systems. There are many patch management products available; a few of them include Desktop Central from Manage Engine, Lumension’s Patch & Remediation, and LabTech’s product of the same name.

Tips to combat learned helplessness

1. Foster resilience in people. Support and enhance their ability to recover from failure.

2. Test and prove security measures.

3. Use patch management products.

4. Harden software. Use auditing software packages.

5. Keep firewalls up to date

In addition to patching software vulnerabilities, basic security measures include hardening systems so that no ports or services are open or functional that are not necessary for the system to do its job. Most popular OS software vendors such as Microsoft, RedHat, and Apple and security organizations such as the NSA, SANS Institute, and NIST publish detailed software hardening instructions that are freely available. In addition, there are enterprise policy managers and auditing software packages that automate software hardening across systems and platforms.

Keeping firewalls up to date is another element of basic security. The enterprise should stay in contact with the vendors that support its hardware, software, network, NGFW, WAF, or any firewalls to receive and apply necessary updates and upgrades as they become available. Where there is a new security update, even for a firewall, there is an old vulnerability it must close and an attacker who knows how to leverage it if the enterprise does nothing.

Lead where you intend to

Avoiding the victim mentality starts and ends with leadership. Enterprises that don’t appoint some sort of security czar at the C-level who is directly accountable to the CEO and the board may be inviting victimization by cyber hoodlums.

There’s a saying that “you can’t lead where you won’t go”. The opposite is also true: you will lead where you do go, and people will follow. If the example is that security is not important, that the enterprise is ill-equipped to deal with information compromise, and that attackers will routinely prevail, employees will follow that lead, likely with a bad case of learned helplessness.

Link: http://www.csoonline.com

Caught in the breach: How a good CSO confronts inevitable bad news


By Taylor Armerding

Breaches are inevitable, but those tasked with detecting and responding to them say there are ways to avoid becoming the ‘Chief Scapegoat Officer’.

What goes through the mind of a CSO/CISO upon being told by his or her team that their organization has been breached?

This is not an idle or theoretical question. It seems that almost every day brings news of yet another breach of a high-profile organization, with the potential number of consumer victims running into the tens of millions, and the costs to the company running into hundreds of millions, or even billions when the long-term cost of brand damage is included.

So it makes sense that C-level executives with “Security” as part of their title would be the ones facing questions about how it happened and what to do about it, not to mention accountability for it. MORE ON CSO: 10 mistakes companies make after a data breach

[How to survive a data breach]

Martin Fisher, CISO at Northside Hospital, admits that the immediate reaction for the typical CSO/CISO will probably include, “a few minutes of panic/denial, then some terror.”

He gets no argument on that from Kim Jones, senior vice president and CSO at Vantiv, who adds “anger” to the list. But both say that for a professional, those initial feelings quickly turn to calmness and resolve.


Kim Jones, senior vice president and CSO, Vantiv

"Find the breach earlier, isolate it and kill it before it gets to the crown jewels."

“The organization is going to look to the CISO to figure out what is going on and provide the quality information needed to respond effectively to the breach event” Fisher said. “Whether ‘at fault’ or not, the CISO owes the best possible leadership to the organization at that critical moment.”

Jones agreed. “The real issue is how long do the non-constructive mindsets last,” he said, adding that that can depend on several factors – whether a CSO has set proper expectation regarding breaches; what has been done in advance to improve security in the infrastructure; and whether the IT program has been built with security as a focus.

“My anger and resolve are focused on stopping the bad guys as early and quickly as possible,” he said, “but I have the luxury of that mindset because I have a leadership team that views security as a brand-enabling value proposition.”

Six stages of data breach denial

1. Panic

2. Terror

3. Denial

4. Anger

5. Calmness

6. Resolve

Peter Chronis, CSO of EarthLink, said whatever emotions are running through a CSO’s mind after a breach, resolve is the one to project. “In times of any crisis, leaders set the tone for how organizations behave, prioritize and react,” he said.

“As security leaders, it is our job to have a tactical plan prepared for the worst circumstances, but we’re also responsible for building a strong strategy to reduce the likelihood that plan will be needed.”

The panic/terror feeling is understandable, however, given the prevailing attitude toward CSOs and CISOs in many organizations. According to a recent survey by ThreatTrack Security titled, “No Respect. CISOs Misunderstood and Underappreciated by their C-Level Peers,” 74% of the 200 executives responding said they thought CISOs should not be part of organizational leadership teams.”

And 44% said the primary role of the CISO is to be held accountable for any organizational data breaches – another way of saying “scapegoat.”

Fisher, joking that the findings should be filed under, “dog bites man,” said the serious point is that in the past, some CSOs, “were more of a pain in the rear to C-levels than anything else.”

To change that, he said, CSOs need to demonstrate business savvy and be willing to, “subordinate the tactical desires of the security team to the strategic/operational goals of the organization.”

Jones has a similar message, noting that in many companies, “CSO stands for ‘Chief Scapegoat Officer’ even to this day. It really creates a perception/morale issue and worse, an efficacy issue.”

Jones said that kind of pressure on CSOs, “forces them to think extremely tactically about issues and problems as they live in fear of the breach, which only exacerbates the perception of CSOs as lower-level wrench turners versus strategic enablers.”

If that perception is going to change, he said, it will likely take efforts by other C-level executives to encourage CSOs to think strategically, and more effort by CSOs to, “link ourselves to the business.”

Chronis said CSOs should stop viewing themselves as “victims of circumstance.” Those who, “build long-lasting credibility and are partners in solving complex business problems will find themselves at the table more often than those who don’t.”


Peter Chronis, CSO, EarthLink

"In times of any crisis, leaders set the tone for how organizations behave, prioritize and react."

Whatever the view of CSOs, they are very likely to deal with breaches. Numerous experts agree that it is impossible to prevent them all, given the skill and sophistication of attackers, and that the entry point may have nothing to do with a technology weakness, but simply a careless employee who clicks on something like a malicious link in a phishing email.

As Jones put it, “I can make it harder for someone to get in, and I can make it harder to get to me versus my competitor, but I can’t absolutely guarantee that we’ll never be breached, even given infinite time and infinite resources.”

At that point, the mindset is on detection and response. An effective response can often prevent attackers from accomplishing their mission. The real disasters – and there are many examples – come when detection fails, and a company learns from a third party weeks or months after the fact that it has been breached and the attackers are still inside their system.

For any CSO without a plan, there are a number available online. One, from Experian, presents a “first 24-hour checklist” that includes securing the premises, documenting everything known about it, stopping additional data loss, reviewing protocols, starting an investigation and notifying law enforcement if needed.

Beyond that is a list of tasks that include fixing the vulnerability that caused the breach, identifying legal obligations and reporting regularly to upper management.

Fisher called the Experian plan, “as good a draft/generic template as any. But the key to any effective IR plan is customizing it to your organization. You have to take organization culture, process, leadership, and capability to build a plan that is actually actionable when the incident happens,” he said.

In general, Chronis said that, “knowing the warning signs, having a response plan and being prepared to adjust it on the fly is your most valuable asset during a potential security event.”

Jones agreed. “My focus for breaches at the tactical and operational levels needs to be on detection and containment. In other words, find the breach earlier, isolate it and kill it before it gets to the crown jewels.”

Link: http://www.csoonline.com


2551 words