Information Security is treated as a top priority, and organisations invest heavily in it. We may plug every potential egress point, yet often ignore the basics: the people who handle and own our data. Insentra is a key partner for various organisations driving the implementation of Information Security, but we strongly recommend they complement these efforts with an internal employee engagement program. I would like to talk more about this, with examples.
Somebody starts their regular day at the office and sees a genuine-looking email asking for account verification. On instinct they click the link, enter their credentials, and there goes a silent 'kaboom!!'. The worst part is that the individual concerned may not even realise they have been phished, while the attacker is busy using the stolen credentials to sneak away with confidential information. A more prominent example of recent attacks is ransomware, where the attacker encrypts your data and, unless you hold tested offline backups, the only way you regain access is to pay up. Another example is unintentional data loss, where an employee copies confidential information to a USB disk for work; that disk can then be lost, stolen or plugged into an unmanaged machine.
Why should we care about these problems when we have solutions like anti-spam, anti-malware and Data Loss Prevention (DLP) in place? Why do we still hear about Information Security incidents?
We still see incidents because security solutions are designed for risk reduction, not risk elimination: a mail filter catches most phishing messages, not all of them, and DLP cannot stop a user who has a legitimate reason to copy a file. It is imperative that we actively engage and educate employees on the latest threat landscape, recruiting them as partners in the risk reduction strategy. Below are a few examples of engaging employees in an Information Security program:
- An ideal starting point is periodic internal Information Security training. This raises awareness of the threats that exist and how to avoid them, and may cover topics including, but not limited to:
  - What are phishing, ransomware and data loss, and what is their impact?
  - How do we check that an email sender is genuine? The display name is chosen by the sender and can say anything; the underlying email address, and in particular its domain, is what to look at.
  - Is a specific web URL genuine and safe?
  - Does a hyperlink in an email actually go to the website it shows? Hovering over the link reveals the real target.
  - The risks of public Wi-Fi, and checking a site's HTTPS certificate before entering credentials (a valid certificate only proves you are connected to the domain shown; it does not make that domain trustworthy)
- Conduct a periodic Information Security quiz, to confirm that all employees are up to date and to show where the training is not landing.
- Communicate with your employees and understand their pain points. An Information Security process is likely to fail if employees find it inconvenient and painful to adopt; they will route around it. Sometimes the fix is simply educating them about the approved process, e.g. using Box instead of a USB disk for secure file transfers.
- I have seen companies conduct internal phishing attacks, where employees receive an email which looks legitimate. Some employees fall for it but are later counselled with the required knowledge, thus preventing similar incidents in future. This is a great approach, as it is targeted at the employees who are unaware of these threats.
- Another interesting and fun story is how my manager pranked an innocent colleague by sending out an email to 'Everyone' from an unlocked system. While this triggered some interesting responses (including one from me), it also raised awareness of the importance of locking our systems.
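Two of the training topics above, checking the display name against the underlying sender address and checking a link's visible text against its real target, can be turned into a small triage script. The example below is added here and is not part of the original post or of any Insentra tooling; it uses only the Python standard library. The sample message, the organisation name "Acme" and the domains acme.example and mail-verify.example are constructed for the demo, and the two-label `registered_domain` helper is a simplification (real code should use the Public Suffix List).

```python
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Organisation settings (assumed for the demo): names a genuine internal sender
# would use, and the domains internal mail really comes from.
ORG_KEYWORDS = ("Acme", "acme.example")
ORG_DOMAINS = {"acme.example"}

# Constructed sample: a "verify your account" mail whose display name and link
# text borrow the organisation's domain, while the real sender address and the
# real link target belong to mail-verify.example (also a made-up domain).
SAMPLE_EMAIL = """\
From: "Acme IT Support - acme.example" <alerts@mail-verify.example>
To: jane.doe@acme.example
Subject: Action required: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your mailbox is almost full. Verify your account within 24 hours.</p>
<p><a href="https://login.mail-verify.example/reset?id=42">https://portal.acme.example/reset</a></p>
<p><a href="https://login.mail-verify.example/reset?id=42">Verify now</a></p>
<p><a href="https://www.acme.example/help">Help centre</a></p>
</body></html>
"""

# Anything that looks like a host name: labels of letters/digits/hyphens, at least one dot.
DOMAIN_RE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")


def registered_domain(host):
    """Last two labels of a host name (www.acme.example -> acme.example).
    Approximation for the demo; production code should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_sender(from_header, org_keywords=ORG_KEYWORDS, org_domains=ORG_DOMAINS):
    """Flag a From: header whose display name tells a different story than the address."""
    display, addr = parseaddr(from_header)
    addr_domain = registered_domain(addr.rpartition("@")[2])
    findings = []
    # 1. The display name itself shows a domain that is not the real sender domain.
    for shown in DOMAIN_RE.findall(display):
        if registered_domain(shown) != addr_domain:
            findings.append(f"display name shows '{shown}' but the address is '{addr}'")
    # 2. The display name borrows the organisation's name, yet the address is external.
    if addr_domain not in org_domains:
        borrowed = [k for k in org_keywords if k.lower() in display.lower()]
        if borrowed:
            findings.append(f"display name uses {borrowed} but '{addr}' is outside {sorted(org_domains)}")
    return findings


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html):
    """Flag links whose visible text claims a domain other than the one the href goes to."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real_host = urlparse(href).hostname or ""
        shown = DOMAIN_RE.search(text)
        if not real_host or shown is None:
            continue  # no domain claim in the text (or no http host): nothing to compare
        if registered_domain(shown.group(0)) != registered_domain(real_host):
            findings.append(f"link text shows '{text}' but points to '{real_host}'")
    return findings


def analyse(raw_message, org_keywords=ORG_KEYWORDS, org_domains=ORG_DOMAINS):
    """Run both checks over a raw RFC 822 message and return the list of findings."""
    msg = email.message_from_string(raw_message)
    findings = check_sender(msg.get("From", ""), org_keywords, org_domains)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            findings += check_links(part.get_payload(decode=True).decode(charset, "replace"))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("-", finding)
```

Run against the sample, this reports the display name (twice: it shows acme.example and it borrows the "Acme" name while the address is from mail-verify.example) and the first link, whose text shows portal.acme.example while the href goes to login.mail-verify.example. The "Verify now" link is not flagged, because its text makes no claim about where it goes; that is exactly why the training point is to hover over a link and read the real target, and why a mail gateway that only inspects link text misses such messages. To triage a real message, read an .eml file and pass its contents to `analyse`.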
We cannot control every risk, but we can certainly optimise our risk reduction measures further. Engaging employees in our Information Security strategy is the right direction for any organisation.