A key mantra should be that everyone within an organisation has a cybersecurity responsibility, regardless of whether you are in an administrative or ‘non-typical’ security role or you are responsible for looking after the most critical piece of infrastructure in the organisation.
This becomes even more pertinent in today’s environment, where an organisation has gone from having 10, 20 or 100 offices, depending on the size of the enterprise, to effectively maintaining 2,000 to 20,000 of them, one per home worker, because of the now distributed workforce. Add to that the convergence of individuals’ day-to-day lives with their business lives, where people use their personal devices for work and their business laptops for personal tasks, and it’s clear to see how the security landscape becomes more difficult to manage for defenders and easier to infiltrate for adversaries.
From a consumer perspective, I think one important point to relay is that we often treat our online world like it’s a safe place. We are comfortable using social platforms like Facebook and Twitter, and people are becoming better and more aware that there are consequences to our actions: we understand that we can’t say or do certain things and that we can’t share certain photos, because there are consequences. But I don’t think people have yet put those pieces together when it comes to data. We don’t realise how quickly individually harmless bits of data that we share willingly can be linked together in ways that ultimately leave us exposed. For example, you will often see online competitions to win electronic goods which require people to give a good amount of personal information that may come back to haunt them. Now, I don’t think we have to employ a ‘zero trust’ mindset online in our personal lives, but I do think people need to pay attention and think twice before sharing their personal data.
Blurring of the lines can cause data privacy issues.
When we think about bad actors, we recognise that the merging of people’s personal and business lives has created a landscape of opportunity for nefarious activity. We’ve even seen new phishing attacks where the adversary, aware that individuals switch between actioning work emails and personal emails throughout the day, targets personal mailboxes with phishing links that ask people to input their business email address. That’s why it’s so important to carry the security-responsibility mindset people have in their business life through to their personal life, maintaining that security posture to protect both the organisation they work for and themselves.
Continued training and testing is paramount in the battle to keep data safe.
One of the most tried, tested and overall successful strategies for helping people to stay data safe is continued training and testing. This is where the organisation sends out intentionally nefarious-looking emails to see if it can ‘catch out’ its employees by asking them to click on a link and enter personal details. This could be a phoney competition or prize, but a key requisite is to make the email as personal as possible, because that is what a real attacker would do. If an employee does fall foul of the attempt, the organisation can provide additional training to ensure they remain data safe in the future.
It is critical with this sort of training that the scenarios are constantly changing and that the cadence of emails is sporadic throughout the year. If there is too regular a cadence, say a test that always lands in the first week of each quarter, employees will start to recognise the pattern rather than the phishing indicators, and the testing loses its validity.
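As an added illustration of the two requirements above, varied scenarios and a sporadic cadence, the following Python sketch schedules a year of simulated-phishing sends per employee on random dates, rotates scenarios so the same one is never used twice in a row for the same person, and flags any schedule whose gaps are regular enough to be anticipated. It is example code written for this article, not a tool the article describes; the employee names and scenario labels are constructed sample data.

```python
"""Phishing-simulation scheduling with a sporadic cadence and rotating scenarios.

Added example, not code from the original article. Employee names and
scenario labels below are constructed sample data, not real people or campaigns.
"""
import random
from datetime import date, timedelta
from statistics import mean, pstdev

# Constructed sample data (assumptions for this example only).
EMPLOYEES = ["alice", "bob", "carol", "dave"]
SCENARIOS = ["prize-draw", "payroll-update", "shared-document",
             "it-password-reset", "parcel-delivery"]

# Constructed counter-example: the predictable "first of every quarter"
# cadence the article warns against.
FIXED_QUARTERLY = [(date(2024, m, 1), SCENARIOS[i]) for i, m in enumerate((1, 4, 7, 10))]


def _gaps_are_regular(gaps, max_relative_spread=0.25):
    """True when the gaps (in days) are nearly uniform.

    Uses the coefficient of variation (std dev / mean) of the inter-send gaps
    as a simple regularity measure; a low value means a recognisable rhythm.
    """
    if len(gaps) < 2:
        return False  # a single gap cannot form a rhythm
    m = mean(gaps)
    if m == 0:
        return True  # all sends on the same day is as regular as it gets
    return pstdev(gaps) / m < max_relative_spread


def cadence_is_predictable(sends, max_relative_spread=0.25):
    """Apply the regularity check to a list of (send_date, scenario) pairs."""
    dates = sorted(d for d, _ in sends)
    gaps = [(b - a).days for a, b in zip(dates, dates[1:])]
    return _gaps_are_regular(gaps, max_relative_spread)


def schedule_year(employees, scenarios, year, sends_per_employee=4,
                  min_gap_days=21, seed=None):
    """Return {employee: [(send_date, scenario), ...]} sorted by date.

    Each person gets `sends_per_employee` simulations on random days of the
    year, at least `min_gap_days` apart, with an irregular rhythm and never
    the same scenario twice in a row. A seed makes the plan reproducible.
    """
    if len(scenarios) < 2:
        raise ValueError("need at least two scenarios to rotate between")
    start = date(year, 1, 1)
    days_in_year = (date(year + 1, 1, 1) - start).days
    if (sends_per_employee - 1) * min_gap_days >= days_in_year \
            or sends_per_employee > days_in_year:
        raise ValueError("min_gap_days too large for that many sends in one year")
    rng = random.Random(seed)
    plan = {}
    for emp in employees:
        # Rejection-sample day offsets until the gaps respect the minimum
        # spacing and do not form a regular rhythm.
        while True:
            offsets = sorted(rng.sample(range(days_in_year), sends_per_employee))
            gaps = [b - a for a, b in zip(offsets, offsets[1:])]
            if all(g >= min_gap_days for g in gaps) and not _gaps_are_regular(gaps):
                break
        sends, prev = [], None
        for off in offsets:
            # Rotate scenarios: never the same lure twice running for one person.
            scenario = rng.choice([s for s in scenarios if s != prev])
            sends.append((start + timedelta(days=off), scenario))
            prev = scenario
        plan[emp] = sends
    return plan


def validate_plan(plan, year, min_gap_days=21):
    """Return a list of problems found in a plan; an empty list means it passes."""
    problems = []
    for emp, sends in plan.items():
        for (d1, s1), (d2, s2) in zip(sends, sends[1:]):
            if (d2 - d1).days < min_gap_days:
                problems.append(f"{emp}: sends on {d1} and {d2} are too close")
            if s1 == s2:
                problems.append(f"{emp}: scenario {s1!r} repeated back-to-back")
        if any(d.year != year for d, _ in sends):
            problems.append(f"{emp}: send scheduled outside {year}")
        if cadence_is_predictable(sends):
            problems.append(f"{emp}: cadence is too regular")
    return problems


if __name__ == "__main__":
    for emp, sends in schedule_year(EMPLOYEES, SCENARIOS, 2024, seed=7).items():
        print(emp, [(d.isoformat(), s) for d, s in sends])
    print("quarterly plan predictable:", cadence_is_predictable(FIXED_QUARTERLY))
```

Passing a fixed seed keeps the plan reproducible for the people running the programme while still looking random to recipients; the threshold in `_gaps_are_regular` is a judgement call and can be tightened if the gaps still look too uniform for a given number of sends.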
Empowering people to become data champions is critical for success.
A good tactic to employ to keep people’s data safe is to empower individuals with the responsibility to become champions of their own data. This starts with the organisation putting its own protocols in place, whether that be encrypting emails which contain certain information or tagging documents according to their classification. This is then followed up with the necessary training to make individuals feel responsible without feeling vulnerable. It’s all about providing people with the tools, assets and resources they need to do their jobs safely and then empowering them with the knowledge and responsibility to do so.
Taking this one step further, it’s important to communicate to your employees that you aren’t training them just to protect the organisation but also to help them in their personal lives, especially with the lines between the two blurring more each day.
Once people are empowered in this way and understand the simple steps to becoming data safe, they can go on to empower others, not only within the organisation but also in their personal lives, making them champions of both the organisation and their own communities.