Alas! We get to one of my (Jennifer Lyn Walker) favorite 15CFAM topics, cybersecurity culture. Walking back through WaterISAC’s 15 Cybersecurity Fundamentals for Water and Wastewater Utilities guide, we wrap up another three relevant FUNdamentals into one. For this ‘15 Cybersecurity Fundamentals Awareness Month’ (15CFAM) series post we visit #8-Create a Cybersecurity Culture, #9-Develop and Enforce Cybersecurity Policies and Procedures, and #12-Tackle Insider Threats.

Ok, not surprisingly, #9 is NOT one of my favorites, but it is an integral part of organizational culture, cybersecurity or otherwise. If you don’t develop, communicate, and enforce clear expectations (policies and procedures) on how staff should conduct themselves and fulfill their responsibilities, there will likely be a bit of a free-for-all, a lot of inconsistencies, constant questions, or worse. Without policies and procedures, staff are likely to make decisions that place the organization (and themselves) at risk. When staff are unaware of expectations, they may do nothing because they didn’t know what to do, or they make unilateral decisions because they didn’t know who to ask. Policies and procedures govern organizational culture. Cybersecurity is no different. One of the most useful policy resources is the Simple Cyber Governance Program (SCGP) from OT/ICS cybersecurity firm Langner. SCGP are comprehensive, ready to use cybersecurity policies specifically designed for critical infrastructure and industrial organizations. There is a modest subscription fee for full use/editing of the SCGP policies, but everyone is welcome to download complete evaluation copies in PDF to review at their organization.

While #9 is admittedly not my favorite, #8-Create a Cybersecurity Culture is! Cyber is an integral part of nearly every minute in our personal lives and a cost of doing business. Given that phishing is consistently the leading technique of successful cyber attacks, it confirms the words from the World’s Most Famous Hacker, Kevin Mitnick, it’s easier to get a person to reveal something than it is to “hack” a computer. In other words, it takes far less effort to exploit a person through an email than it does to exploit a computer through a technical vulnerability – making cybersecurity less about cyber and technology and more about people. NCSAM in particular touts that cybersecurity is everyone’s responsibility. A good cybersecurity culture involves affecting positive behavior changes, and an effective cybersecurity culture starts at the top. Previous NCSAM campaigns have focused on the importance of cybersecurity culture from the break room to the boardroom, meaning every executive and board member needs to be involved to set the culture of the organization. For more poignant thoughts on creating a culture of cybersecurity, WaterISAC’s own Lead Analyst, Chuck Egli recently penned his thoughts for CWEA in Lessons from a Year of Crisis. And for additional perspectives from peer utilities, in case you missed it, members can access WaterISAC’s July 8, 2020 webinar on Creating a Cybersecurity Culture.

Finally, without a positive cybersecurity culture, I contend that #12-Tackling Insider Threats becomes more difficult. Similar to the importance of the human element in creating a cybersecurity culture, the insider threat is a people problem, not a technology problem. While technology controls are important to detect insider incidents, insider threats (malicious or accidental) are more effectively deterred by a positive cybersecurity culture. When the cybersecurity culture is strong, everyone is more attuned to observing and reporting behavioral indicators that might predicate an insider threat before it is too late. In September we published a couple of posts for National Insider Threat Awareness Month (NITAM) in the Security & Resilience Update on September 1, 2020 and September 15, 2020, including links to resources from the CERT National Insider Threat Center (NITC). NITC resources include the Insider Threat Blog and the sixth edition of the Common Sense Guide to Mitigating Insider Threats, arguably the most authoritative resource on insider threats.

We hope you have been enjoying and finding some value from this series. If you have missed any, or would like to revisit the ‘15 Cybersecurity Fundamentals Awareness Month’ posts, please search ‘15CFAM’ in the WaterISAC Resource Center.