Zero to Safety: People and the CIA Triad

It’s 4pm on Friday afternoon. The weekend is so close you can taste it. You just have to finish up a couple things then you’re out the door for a relaxing Friday night.

Of course, it’s not really going to work out that way, is it? Because, as you know, 4pm on Friday is exactly the time all (you know what) breaks loose thanks to a completely avoidable threat to your entire company’s operation.

Your relaxing weekend becomes an intense operation to stop the threat and repair the damage. All because a well-intentioned employee, working from their home, connected to your network on an unpatched Windows machine and decided four open Google docs took priority over a simple update they could have installed with a restart.

Your employees are your organization’s greatest security threat, but also your organization’s greatest security opportunity.

A New Way to Look at People

As the scope of remote work grows, we find ourselves at a crossroads – continue relying largely on technology to protect an increasingly vulnerable workforce or start assessing people in a way that makes them a pillar of organizational security.

The CIA triad is traditionally limited to data and information security, but expanding its application to all areas of PPT, and doing so in the context of Zero Trust, allows you to address a wider range of vulnerabilities and start building an all-encompassing security culture.

Confidentiality

As an information security leader, it is your responsibility to research the latest and greatest technologies for keeping data and information secure. But no technology can protect you completely from an ill-trained employee.

Assessing the ways your people interact with confidential data is key to protecting the data itself. Training employees against social engineering attacks is one of the best (and cheapest) ways to strengthen your security culture.

So much of this approach hinges on the Principle of Least Privilege. One of the great benefits of a Zero Trust security culture is knowing any employee who accesses a particular piece of data actually has the right to access it. Because of this, you have the opportunity to train each employee on not only handling data, but why it’s important that particular types of data remain confidential.

Think about important information an employee might access offline. It would be considered a massive organizational blind spot if employees weren’t trained to know which types of documents needed shredded and which needed to be filed in specific places.

Viewing potential problems from that people perspective increases security coverage. Now it’s time to apply that same level of responsibility to handling data digitally.

Integrity

We spend a lot of time thinking about data integrity. It’s imperative we apply the same standards of integrity to our people – starting with ourselves.

As leaders of organizational security, we need to be visible and set the tone. In addition to demonstrating requisite knowledge around threat intelligence, we should aspire to being good allies and creating an inclusive security culture.

Most organizations have a process for employees to flag phishing attempts, for example. Too often, this is discussed during orientation and detailed in a new-hire email (which inevitably gets buried under 200 other new-to-the-org emails).

If you receive a phishing attempt, forward it to [email protected] immediately.

What happens after the employee forwards the attempt? Does anyone respond?

If four employees in a department receive the same phishing attempt, they could fall into the habit of assuming someone else will flag it. That creates vulnerability that can be avoided by a security team with high integrity that validates every individual effort.

A simple “thanks for catching this” goes a long way.

Training your team, and then giving a more detailed training to all employees doesn’t cost the organization anything but time. Compared alongside a potential security breach, the ROI of that training starts to look really good to executive leadership.

Availability

In traditional CIA assessments, we think about making sure the right data is available to the right person when they need it. For your organization to stay safe, the same has to be true of you and your team.

It seems simple, but it’s incredible how many small and medium-sized businesses open themselves up to potential threats because a member of the security team went on vacation for a week without coverage.

Organization strapped for IT security talent and resources (approximately all organizations) can navigate shortages and create availability by being diligent about which problems are addressed by technological solutions.

Simply put, you need to assess your availability to implement technology solutions for easy problems and leave problems that require judgement for staff. Knowing that judgement is a uniquely human skill allows you to assess the bandwidth of each person on your team and look for technology to replace the responsibilities that don’t require it.

Building a safety culture where trust is managed actively, and all employees are engaged, starts with giving people the same level of assessment you give the data they protect. Learn more in our section on cybersecurity strategy.

---

This is a multi-part series covering PPT in Cybersecurity’s CIA Triad.