Sunday, February 19, 2023

How Employee Safety Also Extends Into The Personal World

In the world of Cybersecurity, employees and contractors are often blamed for any security breaches that occur.  This is just the human mindset these days, and we are literally brainwashed into viewing them as the weakest link in the security chain.

However, I take a different approach to this.  I firmly believe that blame and accountability should not be cast until a full examination is done, and it has been determined what the root cause of the security breach was.

But unfortunately in our society, we have an itchy trigger finger to cast the blame, and very often it is the CISO that is first to fall.  I take the contrarian view of this.  I firmly believe that employees are probably one of the biggest assets a company can have, especially those that have stayed around for a long time.  With this kind of mindset, it is also important to realize that employees need help to protect themselves even outside of the office.

The crux of this issue lies in the use of the many social media sites that are available today.  Although a manager at the workplace can put restrictions on what employees can post on these sites during work hours, they have no control over what happens after that.  So for instance, an employee can post whatever they want to on Facebook, Instagram, Twitter, etc.

But keep in mind that the Cyberattacker is building up a profile of their victims on these same sites.  They do it very cunningly, slowly and over time so that nobody will notice, and they will even use the tools of Open Source Intelligence (also known as “OSINT”) to get whatever more information they can.

For instance, one can get all of the contact details of a victim, where he or she may live, and even all of the details of their family members.

Once the Cyberattacker has built up this profile, they can target these unsuspecting victims at their place of employment.  In these kinds of cases, Social Engineering is the preferred attack vehicle.  Some illustrations of this include launching BEC-style Phishing emails, or simply getting on the phone and scaring a lower-level employee (such as an administrative assistant) into giving away confidential information that can be used later in an APT attack.

So as one can see now, the protection of employees in the workplace and at home is becoming a blurred line, and an impact in one area will have a cascading impact in the other, with possibly devastating consequences.

So while a CISO may think that giving Security Awareness training once a quarter may be enough, this is not the case anymore, given the digital world that we live in.  Of course, a manager cannot tell an employee what they can or cannot do after work hours, but they can at least offer some kind of tips and advice to help employees protect themselves more.

So what can be done about this?  Here are some key steps for the CISO and the IT Security team:

1) In the Security Awareness Training programs, although the primary focus should be on workplace safety, there should also be some time spent on teaching employees how to stay safe after hours – especially on the social media sites.

2) If you make use of Password Managers in the workplace, try to offer the same for your employees after work hours.  For instance, point them to a free version of LastPass, or perhaps even offer to pay for half of the subscription package if they still want to use a paid version of it (this can actually be built into the benefits package).

3) Have your IT Security team set up “office hours” for employees.  By this, employees can approach a team member, ask questions, and get help about their home security, or even get tips and advice on how to do something better.  If an employee is working remotely, then he or she can use these hours to figure out how to better fortify their home network, so that there are no holes or gaps when interfacing with the business network.

4) Train your employees on what specifically to look out for in terms of Social Engineering attacks.  After all, what takes place in the work environment can also happen in the home environment.  Most importantly, teach them how to avoid Vishing, Smishing, and Robocall attacks.  Remember, Phishing attacks don’t just have to come by email.  They can also come in the form of a text message, an instant message on Facebook, or even an InMail on LinkedIn.

5) Keep a central repository of available literature and resources that your employees can readily access.  Always be available if they have questions about any of the content.

6) Keep open lines of communication.  For instance, if your employee needs help with a suspected Phishing email in their personal account, a member of the IT Security team should be able to help out.  In this regard, even consider having a 24 x 7 x 365 hotline.  I have written about this before, and employees should feel free to call in after work hours if they have a problem.  Of course, this number should be used for work-related Cyberthreats, and you don’t want your IT Security team to be inundated with personal issues.  So consider a rotation cycle where one member handles only these kinds of calls from employees.

My Thoughts On This:

As I mentioned earlier in this blog, the line between what is personal and what is work related has literally vanished, given the fact that now everything is pretty much interconnected with one another.  Protecting employees has to go beyond the workplace and into their personal lives.  The CISO cannot treat employees as the weakest link in the security chain.

If they take the opposite view, then employees will realize that they are truly a valued resource.  If the levels of Cyber Hygiene improve at home, then there is a greater chance that this will spill over into the working world as well.
