We have all been reminded over the years of the perils of making assumptions, and how it “makes an ass out of you and me” to ASS/U/ME. Yet when it comes to security education and awareness for our employees and colleagues, we assume that because they are the most talented accountant, doctor, lawyer, engineer, writer, marketing guru, or executive, they have that same prowess in keeping company data secure as they do in their specialty.
And with this assumption, we watch breach after breach occur as data goes missing, is stolen, or otherwise is left in an unsecure manner.
Not by a long shot.
Security is not always convenient, yet convenience trumps security with great regularity.
For the past 20 years, the security industry has been preaching trade secret protection. The challenge from foreign governments and unscrupulous competitors scraping the internet for your company’s trade secrets was a reality then, as it is today. More than one super-sized company has seen its trade secret protection evaporate because an employee spoke of their “super-secret” work in a public presentation, or posted it on a social network.
In fact, Naomi Fine, CEO of Pro-Tec Data, was quoted way back in 1997 advising companies that “someone should review all speeches and public pronouncements, especially ones made by scientists or others aglow with the pride of discovery. Press releases should be screened by product managers.”
Golden advice in 1997, priceless advice in 2017.
And then the dawn of social media came and illuminated all industries. We’ve seen private or secret groups formed on various social media networks to facilitate (for example) the internal coordination or processing of healthcare claims, because internal tools were inadequate or antiquated. Third-party collaboration tools have been brought into play by employees without the knowledge or collaboration of IT leads or departments. Information was, and still is, flying about under the radar in a totally unregulated and uncontrolled fashion.
We know, intellectually, that what we post is available for all to read, yet we use apps which highlight and publicly share our geolocation. But if an employee is not actively dissuaded from sharing their locale and work travel plans for reasons of combating competitive intelligence collection, one should not expect them to “just know” to keep it private.
Similarly, employees want to keep their professional persona up-to-date on LinkedIn or other professional social networks. This updating may include posting presentations, work examples, team size, budget, etc. to which the employee contributed, or for which they are responsible. All of this is easily accessible to our competitors, and to those who wish to do us harm.
A prime example: a well-meaning physician created a website to educate his patients, but failed to secure the website to his hospital’s standards, putting all 5,511 of his patients’ electronic health records at risk.
Many companies just assume their employees know best security practices, and thus are surprised every time when their employees do dumb things. Security briefings on making decisions involving data, and more importantly, providing directions on where to go for assistance in making those decisions, should be part of every new employee orientation.
Additionally, the employee should be afforded the same briefings via online internal archives and in their introductory discussions with their immediate supervisor. Why three times? Three times builds muscle memory. They may not remember the exact details, but they will remember where the resources are located to triage through security challenges.
The company should follow up with regular reminders. Be sure to include examples occurring within your own industry which “could” happen to you and your company. The more personal the message, the more resonance it carries. Roll out worst-case examples, which detail how events occurred.
For example, has your switchboard been socially engineered out of the company’s directory? Have employees been spoofed to other employees and data shared via non-corporate, “personal” email accounts because the imposter doesn’t have genuine access? Explain how electronic documents must be protectively labeled and why classification watermarks or other such markings are so important.
Employees want to make the right decisions. You need to equip them so they may do so.
About Christopher Burgess
Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher served 30+ years within the Central Intelligence Agency. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book, Secrets Stolen, Fortunes Lost - Preventing Intellectual Property Theft and Economic Espionage in the 21st Century (Syngress, March 2008).