In the world of cybersecurity, employees and contractors are
often blamed for whatever security breach occurs. That has become the default mindset:
we have been conditioned to view them as the weakest
link in the security chain.
However, I take a different approach to this. I firmly believe that blame and accountability
should not be assigned until a full examination has been done and
the root cause of the security breach has been determined.
But unfortunately, in our society we have an itchy trigger
finger when it comes to casting blame, and very often it is the CISO who is the first to
fall. I take the contrarian view of
this. I firmly believe that employees
are one of the biggest assets a company can have, especially those
who have stayed around for a long time.
With this mindset, it is also important to realize that
employees need help protecting themselves even outside of the office.
The crux of this issue lies in the use of the many social
media sites that are available today.
Although a manager at the workplace can put restrictions on what employees
can post on these sites during work hours, they have no control over what
happens after that. So, for instance, an
employee can post whatever they want to on Facebook, Instagram, Twitter, and so on.
But keep in mind that the cyberattacker is building up a
profile of their victims on these same sites.
They do it cunningly and slowly, so that nobody
notices, and they will also use the tools of Open Source Intelligence (also
known as "OSINT") to gather whatever further information they can.
For instance, one can obtain all of the contact details of a
victim, where he or she lives, and even the details of
their family members.
Once the cyberattacker has built up this profile, they can target
these unsuspecting victims at their place of employment. In these kinds of cases, social engineering
is the preferred attack vehicle. Some
illustrations of this include launching Business Email Compromise (BEC) style phishing emails, or simply
getting on the phone and scaring a lower-level employee (such as an
administrative assistant) into giving away confidential information that can be
used later in an Advanced Persistent Threat (APT) attack.
So, as one can now see, the line between protecting employees in the workplace
and at home is blurring, and an impact in one area will have
a cascading impact in the other, with possibly devastating consequences.
So while a CISO may think that giving security awareness
training once a quarter is enough, this is no longer the case, given the digital
world that we live in. Of course, a
manager cannot tell an employee what they can or cannot do after work hours,
but they can at least offer some tips and advice to help employees protect
themselves.
So what can be done about this? Here are some key steps for the CISO and the IT
security team:
1) In the security awareness training programs,
although the primary focus should be on workplace safety, there should also be
some time spent on teaching employees how to stay safe after hours, especially
on the social media sites.
2) If you make use of password managers in the
workplace, try to offer the same to your employees for after work hours. For instance, point them to a free
version of LastPass, or perhaps even offer to pay for half of the subscription
if they still want to use a paid version of it (this can be
included in the benefits package).
3) Have your IT security team set up "office hours"
for employees. During these, employees can
approach a team member, ask questions, and get help with their home
security, or get tips and advice on how to do something better. If an employee is working remotely, he
or she can use these hours to figure out how to better fortify their home network,
so that there are no holes or gaps when interfacing with the business network.
4) Train your employees on what to look out
for specifically in terms of social engineering attacks. After all, what takes place in the work
environment can also happen in the home environment. Most importantly, teach them how to avoid
vishing, smishing, and robocall attacks.
Remember, phishing attacks don't just come by email. They can also come in the form of a text
message, an instant message on Facebook, or even an InMail on LinkedIn.
5) Keep a central repository of available literature
and resources that your employees can readily access. Always be available if they have questions
about any of the content.
6) Keep open lines of communication. For instance, if an employee needs help
with a suspected phishing email in their personal account, a member of the IT
security team should be able to help out.
In this regard, even consider having a 24x7x365 hotline. I have written about this before, and employees
should feel free to call in after work hours if they have a problem. Of course, this number should be used for work-related
cyberthreats, and you don't want your IT security team to be inundated with
personal issues. So consider a rotation
cycle in which one member handles only these kinds of calls from employees.
My Thoughts On This:
As I mentioned earlier in this blog, the line between what is
personal and what is work-related has essentially vanished, given that
everything is now interconnected. Protecting employees has to go
beyond the workplace and into their personal lives. The CISO cannot treat employees as the weakest
link in the security chain.
If they take the opposite view, employees will realize
that they are truly a valued resource.
If the level of cyber hygiene improves at home, there is a greater
chance that it will spill over into the working world as well.