October is National Cybersecurity Awareness Month (NCSAM) and this week’s theme is Cybersecurity in the workplace is everyone’s business.
Naked Security asked me what I’d do to make cybersecurity into a company-wide deal, rather than just relying on programmers and IT gurus to keep us all safe.
After all, even if we were able to write bug-free code and deploy it perfectly, cybersecurity would still be a massive problem, because one of the biggest risks to any organisation is a biological one – humans!
If you’re a techie or on the IT staff inside your company, you’ll know what I mean: you love users, yet you hate them; you call them n00bs; you deal with 1d10t errors on a daily basis.
Nevertheless, you also have to acknowledge that they’re inside every network, amongst some of your organisation’s most closely guarded secrets.
So, here’s how I see the problem.
In today’s world, every organisation can be considered a high-tech business.
Modern technology enables your business to reach more customers, and allows your humans to be more productive, though sometimes in a less controlled way than you might like.
The same technology, unfortunately, allows the Bad Guys to reach your business in a myriad of different ways, too.
Believe it or not, most of the actions performed by your humans are not done with malicious intent.
Alice didn’t mean to lose her laptop, Bob didn’t realise that he was sending that email to the wrong person and Charlie genuinely thought he received a parcel delivery notification from his courier.
Yet, after nearly 30 years of trying and billions of pounds in investment, we are still struggling with cybersecurity because we often fail to recognise that the issue is more than just a technical problem.
The human firewall
So rather than looking at your humans and wondering about what PEBKAC [*] issues you’ll have to deal with next, instead look at them as having the potential to be individual human firewalls.
Weaponise them with enough knowledge to recognise a potential attack on their human emotions, and instil trust in them that they won’t be cast to the lions if they accidentally click on a link suggested by a hoodie-wearing hacker who’s sitting on the other side of the world.
Do that, and you will have one of the best detection and remediation systems that money can buy.
Create awareness
Create awareness around the office.
Get buy-in from a senior member of the organisation and consider having a dedicated area on the intranet where people can ask questions or as a place where you can post useful hints and tips, such as where to find great free security tools for personal use. (Sophos Home would be a good suggestion!)
Once you’ve created awareness, the natural progression is to measure who within your organisation is susceptible to phishing attacks – this is something that a phishing simulation toolkit can help you to identify.
If staff fail your phishing tests, don’t call them out or embarrass them – give them personal counselling to help them improve, to reduce the chance they’ll fall for phishing tricks again, and to get them on your side so they are ready to report potential security problems in the future rather than to sweep them under the carpet and hope no one notices.
Don’t ignore a particular department or person just because they are too busy or seem too important – those are great reasons for a cybercriminal to target them specifically, so make sure they’re included in your awareness activities.
Don’t be grumpy and mean
You’ll also win friends and influence people if you take care to show that not everyone in IT is there to be grumpy and mean.
Why not find a way to reward people for identifying potential security issues, all the way from keeping an eye out for tailgaters trying to slip into the building, to reporting dodgy emails with suspicious links and attachments?
Consider something as simple as having a jar of sweets or chocolate in the IT area so that people want to come and talk about security.
Or enter everyone who contacts you with a concern or reports a potential security issue into a monthly raffle for a prize such as a gift voucher.
Build a security team of everyone
Just think of the malware scare when Charlie clicked on that phishing email, and the position you found yourself in running around to figure out what happened.
Is it better for Charlie to hide what he’s done, fearing reprisal or ridicule from the IT team, or for him to approach you quickly and warn you about what just happened?
The latter would certainly put you in a better position to respond…
…so putting humans into your threat and risk assessments and creating a culture of security will put you and your business in a great position to face whatever comes next.
At the end of the day, every employee should be a part of the security team.
[*] PEBKAC = Problem Exists Between Keyboard And Chair.
Jonathan Plopurde
It not 1d10t it’s ID10T, enough said.
Mahhn
From the down votes on your comment I suspect it’s known differently on the opposite sides of the pond. I’ve always known it as “id”. I guess in the UK it’s known as 1d.
Well, Wikipedia says it’s an Army, Navy thing:
The navy pronounces ID10T as “eye dee ten tango”.
The army pronounces 1D10T as “one delta ten tango”.
Paul Ducklin
I think the downvotes are from people who either [a] didn’t realise it was a joke or [b] did realise it wasn’t a joke.
Philip Le Riche @pleriche
I’ve been saying for many years that the first rule of security is don’t hack off your users. That’s why I was so glad at the recent recognition of the futility of regular password changes. And the no-blame culture in the aircraft industry is the main reason why accidents are so incredibly rare, yet it has been adopted in few other fields.
ejhonda
We’ve tried implementing an intense user training campaign (phishing test campaigns, targeted follow up training), and yet while we’re better off and awareness has increased dramatically, we’re a long way from getting secure. It sounds good – “train them to recognize threats” – but the reality of it is a much harder slog.
Vog Bedrog
The reality of it is that users often simply don’t care – at least not enough to learn to be conscious of all the things we’d like them to be conscious of. Computers are still magical devices to far too many, and the technical stuff going on in the background gives them too much of a headache to consider engaging. I agree with not treating people like idiots, but think the answer might still lie in making the infrastructure idiot-proof (secure-by-design, segmented, appropriate encryption, etc.)
Simon McAllister
Knowledge really works, so share it. Users need confidence. Remove or dampen down the complexity and you get them on board more. And I find that small, regular bursts of awareness sent in emails that contain links to an Intranet Cyber Security Awareness page/portal (to gather this info for reference and simplify induction processes for new users), helps my users understand better about ‘what’ risks exists and ‘why’ they should stay vigilant. Upper management tend not to pay as much attention until they are given a monetary value of potential impact.
PEBKAC I’ve never heard of. But PICNIC (Problem In Chair Not In Computer) is one I am familiar with – I don’t use that in front of my teams though :D
nate009
Users don’t pay attention to what you tell them, it sounds good in theory.
Paul Ducklin
Like a joke…
…it depends on how you tell it :-)
In my time in cybersecurity I have met plenty of users who genuinely didn’t care, who were happy to be a liability, and who refused to make the effort you would reasonably expect. But I will go out on a limb here and say that I have met many more so-called experts who genuinely couldn’t explain what they thought they could, and who were surprised when users couldn’t figure out what they were saying *even by paying attention*. (After a while, you stop bothering to pay attention, as a sort of workflow optimisation.)
In short: there are bad students, and poor teachers. All other things being equal, good teachers improve bad students more than good students improve poor teachers. That’s my 2c.
FreedomISaMYTH
this is the wrong attitude and a false perception of IT admins
David Skingley
I like PEBCAK but prefer PICNIC error..Problem In Chair Not In Computer :-)