This is a guest post by Sophos security expert James Burchell.
James has appeared on Naked Security and Sophos News before, in person, in videos and in podcasts. This is his first written article – we’re looking forward to his next!
October is National Cybersecurity Awareness Month (NCSAM) and this week’s theme is “Cybersecurity in the workplace is everyone’s business”.
Naked Security asked me what I’d do to make cybersecurity into a company-wide deal, rather than just relying on programmers and IT gurus to keep us all safe.
After all, even if we were able to write bug-free code and deploy it perfectly, cybersecurity would still be a massive problem, because one of the biggest risks to any organisation is a biological one – humans!
If you’re a techie or on the IT staff inside your company, you’ll know what I mean: you love users, yet you hate them; you call them n00bs; you deal with 1d10t errors on a daily basis.
Nevertheless, you also have to acknowledge that they’re inside every network, amongst some of your organisation’s most closely guarded secrets.
So, here’s how I see the problem.
In today’s world, every organisation can be considered a high-tech business.
Modern technology enables your business to reach more customers, and allows your humans to be more productive, though sometimes in a less controlled way than you might like.
The same technology, unfortunately, allows the Bad Guys to reach your business in a myriad of different ways, too.
Believe it or not, most of the actions performed by your humans are not done with malicious intent.
Alice didn’t mean to lose her laptop, Bob didn’t realise that he was sending that email to the wrong person and Charlie genuinely thought he received a parcel delivery notification from his courier.
Yet, after nearly 30 years of trying and billions of pounds in investment, we are still struggling with cybersecurity because we often fail to recognise that the issue is more than just a technical problem.
The human firewall
So rather than looking at your humans and wondering about what PEBKAC [*] issues you’ll have to deal with next, instead look at them as having the potential to be individual human firewalls.
Weaponise them with enough knowledge to recognise a potential attack on their human emotions, and instil trust in them that they won’t be cast to the lions if they accidentally click on a link suggested by a hoodie-wearing hacker who’s sitting on the other side of the world.
Do that, and you will have one of the best detection and remediation systems that money can buy.
Create awareness around the office.
Get buy-in from a senior member of the organisation and consider having a dedicated area on the intranet where people can ask questions or as a place where you can post useful hints and tips, such as where to find great free security tools for personal use. (Sophos Home would be a good suggestion!)
Once you’ve created awareness, the natural progression is to measure who within your organisation is susceptible to phishing attacks – this is something that a phishing simulation toolkit can help you to identify.
If staff fail your phishing tests, don’t call them out or embarrass them. Give them personal coaching to help them improve, to reduce the chance they’ll fall for phishing tricks again, and to get them on your side, so that in future they are ready to report potential security problems rather than sweep them under the carpet and hope no one notices.
Don’t ignore a particular department or person just because they are too busy or seem too important – those are great reasons for a cybercriminal to target them specifically, so make sure they’re included in your awareness activities.
Don’t be grumpy and mean
You’ll also win friends and influence people if you take care to show that not everyone in IT is there to be grumpy and mean.
Why not find a way to reward people for identifying potential security issues, all the way from keeping an eye out for tailgaters trying to slip into the building, to reporting dodgy emails with suspicious links and attachments?
Consider something as simple as having a jar of sweets or chocolate in the IT area so that people want to come and talk about security.
Or enter everyone who contacts you with a concern or reports a potential security issue into a monthly raffle for a prize such as a gift voucher.
Build a security team of everyone
Just think of the malware scare when Charlie clicked on that phishing email, and the position you found yourself in running around to figure out what happened.
Is it better for Charlie to hide what he’s done, fearing reprisal or ridicule from the IT team, or for him to approach you quickly and warn you about what just happened?
The latter would certainly put you in a better position to respond…
…so putting humans into your threat and risk assessments and creating a culture of security will put you and your business in a great position to face whatever comes next.
At the end of the day, every employee should be a part of the security team.
[*] PEBKAC = Problem Exists Between Keyboard And Chair.