DO IT FOR THE CULTURE… A SECURE CULTURE
Developing an internal fortress using basic security protocols.
SPAM. SPOOFING. PHISHING. HACKING. We have all heard the terms, but what do they really mean, and why do we see and hear them all too often? Let’s begin with some summarized explanations. SPAM basically means receiving mail that wasn’t wanted or expected, usually advertisements, cold sales messaging or junk mail. SPOOFING basically means an account has been cloned or accessed from a source other than the assigned user, and that person’s email or other tools have been compromised in order to “act as” the original user. It is commonly seen in cases where the email CONTACTS of a spoofed account are harvested and tons of email are sent to those contacts asking for INVOICE verification or some other request for input. PHISHING can be described as an ATTEMPT to gain information from a user by requesting action on a link or attachment. Phishing messages are often paired with SPOOFED email accounts but can also be embedded in SPAM. HACKING is the culmination of all forms of social engineering, but is directly associated with control of a source, account, device or network.
Now that we’ve cleared that up, why do we see or hear these terms so often, especially in business environments that are supposed to be secure? The answer is CULTURE. Yes, a simple idea, culture. Not some complex technical ideology, simply culture. See, all the understanding of technology in the world cannot substitute for a solid security culture in the workplace. This means everyone from the night cleaning staff to the CEO understands the importance of keeping the business secured. Yes, everyone. Everyone in the business is a stakeholder in the success of the business. We all have the responsibility to ensure our personal and corporate security protocols are adhered to. If there is a gap in one area, the entire system is vulnerable.
#1 John is the new security guard at the corporate office. While standing his post at the front desk, a person walks in and says, “I work on the 18th floor but left my badge at home.” Not wanting to cause an issue for the well-dressed man with the briefcase, John badges him into the elevator up to the 18th floor. The man wasn’t an employee.
#2 The night cleaning company has hired a new temporary staff member. That new staff member walks by a desk and sees a password and account number on a “sticky note”. Out of curiosity, he or she records that info. The temp only works one job and quits. Weeks later, someone logs into OneDrive from an unknown device and uncovers financial data, including accounts and bank access codes.
#3 Susan is late for her son’s game and needs to wrap up the corporate financial report for the 1st quarter before 5 pm. She leans over to Janet, a friend in the Sales department, and asks her for a favor. Susan gives Janet her login and Janet tries to complete the work. While working on the file, she accidentally erases an entry in an important spreadsheet, but instead of undoing the erasure, she calls IT support for help.
#4 Jennifer takes her PC home during the COVID-19 outbreak. Her son, Jason, is also working from home. Since Jason doesn’t have his own computer, she lets him use it to do his homework. However, Jason also uses it for some casual gaming and video downloads, some of which come from a peer-to-peer site.
All of these are really common scenarios.
In scenario #1, the security guard is an important part of the first level of corporate security, PHYSICAL ACCESS. It’s his job to verify each and every person that should be in the building. That can be assisted through use of an access list or a badging system. A successful badging system will use an access list to detail where each person is authorized to enter. In cases where a person cannot access a specified level or area, they should request a SPONSOR to escort them, or ask a department manager or SPONSOR for a change to their badge access. All of which would need business justification.
In scenario #2, you’d be surprised who the real blame falls on. We can’t always judge the character of an individual, although the cleaning company should do its part to vet each person they hire. However, the cleaning company may not be an internal part of the company infrastructure. The real blame lies with the person who sat at that desk and wrote important business data on a “sticky note”. The best approach to how you keep your office or desk is the “rotating shift” methodology. In the “rotating shift” routine, a space is not just yours. Therefore, personalization and the comfort of just leaving things around should be prohibited. Likewise, you should never write down codes or accounts and leave them in an unsecured location.
In scenario #3, Susan violated several rules of security. First, she asked someone outside of her department to handle a task that involved data that may have been available only to that department. Secondly, she shared her login information. Both are serious risks.
Finally, in scenario #4, we get to an issue that we may encounter far too often during our current pandemic: sharing or inappropriate use of a corporate asset. It’s important to remember that a business-issued device is intended primarily for business-related use; using it for anything else exposes local and shared network data to the risk of hacking or data loss.
HOW TO FIX A CULTURE ISSUE
There are a few key factors needed in creating a truly secure culture in your corporate or personal home network environment. One, put the right tools in place. Every corporate or home network should have some form of FIREWALL security. This will guard what enters your network. Device security is the next layer. Make sure your computer has some form of antivirus/antimalware protection and/or local firewall software. The next layer is software security. Operating systems require regular updates to stay safeguarded against the outside world. Make a habit of checking that regular patching and updates are happening (although this is typically the task of your company IT administrator). Consider these “inoculations” or “booster shots” to keep the bad bugs away. If you’re managing your own home network, simply run Windows Update at least twice a month. Keep in mind, you can always set your PC or Mac to perform automatic updates. Here’s a good resource for Windows updates: https://support.microsoft.com/en-us/help/12373/windows-update-faq
Don’t worry, Mac users, I didn’t forget about you. Yes, Macs require updates also. See the following link about Mac updates: https://support.apple.com/guide/mac-help/get-macos-updates-mchlpx1065/mac
Data classification is vital to how corporations keep information private and secure. This is the process of defining what the data is, where it belongs and who should have access. Likewise, user security is just as crucial, since it determines who is assigned access rights to that data, to resource locations and to systems.
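As an added example (not the article’s own code, nor any particular product’s), the following Python models the three questions above, what the data is, where it belongs and who should have access, as a small classification-based access check, and plays the article’s scenario #3 through it. Every dataset, user, department and classification label below is constructed for illustration, and the access rules are an assumption of the example rather than a standard.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Tuple


class Classification(IntEnum):
    """Ordered labels: a higher value means more sensitive data."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Dataset:
    name: str
    owner_dept: str                        # where the data belongs
    level: Classification                  # what the data is
    extra_readers: Tuple[str, ...] = ()    # named users the owner approved (with justification on file)


@dataclass(frozen=True)
class User:
    username: str
    department: str
    clearance: Classification              # highest level this user may read


# Constructed sample inventory (hypothetical names, not from the article).
DATASETS: Dict[str, Dataset] = {
    "holiday-schedule": Dataset("holiday-schedule", "HR", Classification.PUBLIC),
    "staff-directory": Dataset("staff-directory", "HR", Classification.INTERNAL),
    "q1-financial-report": Dataset("q1-financial-report", "Finance", Classification.CONFIDENTIAL),
    "bank-access-codes": Dataset("bank-access-codes", "Finance", Classification.RESTRICTED,
                                 extra_readers=("cfo",)),
}

USERS: Dict[str, User] = {
    "susan": User("susan", "Finance", Classification.CONFIDENTIAL),
    "janet": User("janet", "Sales", Classification.CONFIDENTIAL),
    "cfo": User("cfo", "Executive", Classification.RESTRICTED),
    "temp-cleaner": User("temp-cleaner", "Facilities", Classification.PUBLIC),
}

# Every decision is recorded against the *authenticated* username.  If Susan
# hands Janet her login (scenario #3), this log will say "susan" for work Janet
# did, which is why sharing credentials breaks accountability, not just policy.
AUDIT_LOG: List[str] = []


def decide(user: User, ds: Dataset) -> Tuple[bool, str]:
    """Pure policy decision (assumed rules for this example):
    PUBLIC: anyone.  INTERNAL: any user cleared to at least INTERNAL.
    CONFIDENTIAL/RESTRICTED: clearance at or above the label AND the user is in
    the owning department or on the dataset's explicit reader list."""
    if ds.level == Classification.PUBLIC:
        return True, "public data"
    if user.clearance < ds.level:
        return False, f"clearance {user.clearance.name} is below {ds.level.name}"
    if ds.level == Classification.INTERNAL:
        return True, "internal data, employee clearance"
    if user.department == ds.owner_dept or user.username in ds.extra_readers:
        return True, f"{ds.level.name} data, authorised reader"
    return False, f"{ds.level.name} data owned by {ds.owner_dept}, user is in {user.department}"


def check_access(username: str, dataset_name: str) -> Tuple[bool, str]:
    """Authorise a read and append the outcome to the audit log."""
    user = USERS.get(username)
    ds = DATASETS.get(dataset_name)
    if user is None or ds is None:
        allowed, reason = False, "unknown user or dataset"
    else:
        allowed, reason = decide(user, ds)
    AUDIT_LOG.append(f"{username} {'ALLOW' if allowed else 'DENY'} {dataset_name}: {reason}")
    return allowed, reason


def who_can_access(dataset_name: str) -> List[str]:
    """Access-review helper: every known user the policy would let read the data.
    This is the list a data owner should periodically confirm is still justified."""
    ds = DATASETS[dataset_name]
    return sorted(u.username for u in USERS.values() if decide(u, ds)[0])


if __name__ == "__main__":
    # Scenario #3: Susan may read the report, Janet in Sales may not.
    print(check_access("susan", "q1-financial-report"))
    print(check_access("janet", "q1-financial-report"))
    # Scenario #2: a temp with a found password still has no clearance for the codes.
    print(check_access("temp-cleaner", "bank-access-codes"))
    print(who_can_access("bank-access-codes"))
    print("\n".join(AUDIT_LOG))
```

The point of separating `decide` from `check_access` is that the same rules drive both the live authorisation and the periodic access review (`who_can_access`); when the review list is longer than the business justification on file, that is the signal to tighten the classification or the department assignment, not to hand out logins.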
However, the most important factor in creating a secure culture in the workplace is… drumroll, please… EDUCATION.
That’s right, education. Knowing is not good enough. Saying is not good enough. We must educate, educate and educate more on these practices, repeatedly. Socializing a proper security culture is one of the key roles of any successful enterprise security team. Once all the tools, policies and restrictions are in place, each user needs to be reminded just how important it is that each person play their role in being an active part of keeping the business, and themselves, safe.
Dwayne Thomas Coleman
CEO, Coleman Management & Consulting