
Victims, Not Muppets

If we are being really honest, most of us in the security industry have rolled our eyes when we heard of something a user has done – probably adding some choice phrase about their general competence.  

In calmer, more reflective moments, we may also think about what is arrayed against them – especially on the topic of phishing. Your employees are at the sharp end of a multi-million (possibly billion) dollar crime wave. Think of all the effort your organisations put into marketing – getting that hook with a prospect for them to connect. Cybercriminals can be every bit as sophisticated as you. General ‘spray and pray’ emails are generally filtered out by corporates or quickly spotted by employees (and hopefully reported… read my 3rd blog). However, when we get into the realm of more targeted attacks – focusing on industry, organisation and roles – it gets much harder. Your employees are now pitted against performance-driven, metric-rich adversaries.

Your finance team will expect invoices; your legal team will expect documents to be signed, and your HR teams will expect CVs. This ‘preconditioning’ is actively exploited. Bleed in a little injudicious over-exposure on LinkedIn and it really isn’t all that challenging to sound convincing.

Where am I going with this? It is subtle, but I think important. If we move to thinking of ourselves as targets and potential victims, we shift from an additional burden of ‘here are things you must do’ to ‘here are things to help, here’s what to do if you aren’t sure, here’s what to do if you think you may have made a mistake’. It may sound like dollar store psychology, but the whole thread in this series has been engaging with the human being your employee is. I’ll let you Google around the topic yourself. You will find an increasing corpus of research. 

While thinking of our employees with a more supportive mindset, let’s also take a moment to think about another domain where they may personally be at the most risk – at home. ‘Safe at home’ and ‘Safe at work’ are mutually supportive. A focus on being vigilant for phishing and spotting the unusual is core in both environments. At home, though, your employees will be the administrators of their own systems and settings. A nod to how to secure their personal systems would be well received – bite-size ‘how to’ guides would be a good approach – on some core topics such as:

  • Good password management and using a password manager to help. 
  • Enabling MFA on systems that support it – and how to have a backup route to recover accounts. 
  • Ensuring operating systems and applications are up to date – set to auto-update wherever possible. 
  • Having a backup of important data – preferably on a different device or cloud service than the primary one and ensuring it is secure. 
  • Ensuring anti-malware is installed, running and up to date – yes, even you Mac users!

Some organisations’ licensing allows them to offer programmes and applications to employees – check to see what you can do here, as working with familiar tools will be easier.

No security control is 100% effective. Anyone who says they are needs to be taken aside for a quiet chat. We are used to building layered defences and compensating controls. One of the more palatable security triads is PDR. Prevention, Detection, and Reaction. I’ll steer clear of the tired analogies of banks, safes, alarms, and the police. The important thing to recognise is that an effective (and frankly affordable) approach is to balance your capabilities across the areas. We have been doing this for years in security.  

I see very few articulations of that triad in employee awareness. Educate and inform: This is how we design security; this can be your part to play; this is how we can help. 

Some security types will talk about making your employees ‘security superheroes’ or ‘evangelists’. To be honest, I give them a wide berth at trade shows and conferences. Making security threats understood and security controls tolerated is a much sounder target and more likely to have a permanent effect on behaviour. 

So, in summarising this series of blogs around awareness, I again reflect on ‘engaging with the human being that is your employee.’ 

  • Provide relevance and context to your industry, company, and roles within them. 
  • Define weird; help your colleagues understand what unusual looks like.
  • Make reporting simple – discussion beats a form any day of the week – and make it seem worthwhile and ‘how we do things here.’ 
  • Recognise that your employees are targeted by well-motivated and resourced criminals. Show support and direction, not just a compliance requirement from a policy. 
  • Help them be safer at home. 

Above all, ensure your employees know their actions can have real impacts in preventing security incidents.  

I hope this gives you pause for thought and an opportunity to reflect on the programmes you are running or experiencing. If you need a strapline… 

Be aware, be observant, and be vocal. 

Article By

Gareth Lindahl-Wise
Chief Security Advisor and CISO

Gareth is Chief Security Advisor and CISO for Ontinue. As CISO, Gareth makes sure that Ontinue’s own internal information security – as well as security for the Ontinue ION managed extended detection and response service platform – is appropriate to the threats we face and the trust our customers put in us. As Chief Security Advisor, Gareth also has an outward-facing role to help raise awareness of new threats and novel ways of dealing with them. With Ontinue’s focus on Microsoft technologies, and the importance of people and processes, he helps potential customers understand where our services might fit.