Stepping up to your personal security role
Close your eyes and try to conjure an image or scenario in your mind around the phrase "cybersecurity incident". When you do so, what picture starts to form in your mind? Depending on your background and level of expertise, the image generated by your frontal cortex could very well be completely different from what's imagined by someone else. Yet security is a responsibility that we all share, even though opinions may differ from one person to the next.
An individual with no formal experience in the technology industry might imagine a cybersecurity incident as a very smart individual with very impressive computer skills gaining access to a company's servers by moving between 3D buildings with light-pulses flashing around, accompanied in the background by a techno soundtrack that would've been quite catchy in the 90s. If the image in your mind resembles that, I'll blame Hollywood, because cyberattacks are not like that at all. Don't get me wrong, the 1995 film "Hackers" (which stars Jonny Lee Miller and a much younger Angelina Jolie) is a cult classic, and a lot of fun. But in the real world, most hacks are not that sophisticated, and they're not even fun.
For readers with experience in IT, what I'm about to say won't be surprising at all. But if you haven't worked in the IT field, then my observations will be downright shocking. Sometimes, what seems like a sophisticated hack (as the media might portray it) was just a simple phone call. That's it. No fancy visuals designed on SGI workstations.
Yet we do have our fair share of bad actors - though in the industry, we refer to these individuals as "threat actors," and they're way worse than the bad acting we might see in Hollywood hacker movies (no offense Angelina, you were new at the time).
In the real world, when a threat actor gains unauthorized access to a system, it might have played out as a simple phone call to someone within a company. Perhaps the caller claimed to be someone in the company's IT department and asked employees for their passwords. All it would take is for one person to reveal their password and the company is all over the news (for the wrong reasons).
But to be fair, technology is a huge topic. It consists of many different disciplines and mastering this field can take decades. Thankfully, good security hygiene doesn't require you to become a tech guru. And it doesn't matter what your current job role happens to be: Security is important. And you should absolutely be paying attention to it.
In many organizations, there's unfortunately a divide between IT staff and other employees. This divide doesn't have to exist, but it’s found in many organizations depending on their cultures. And it's this divide that can hurt the most. But in order to keep ourselves secure, we really do need to all be on the same page; part of the same team.
For non-technologists, navigating the world of computing can be frustrating. Users are asked to change their passwords regularly, are urged not to repeat the same password on each service, and have to use multi-factor authentication to further protect accounts. For IT professionals, these things are the norm. For everyone else, such policies are a nuisance. Why can't the IT team just make all of the organization's servers 100% invincible? Why constantly inconvenience users?
Often, your typical employee wants to get their job done - and they're not so enthusiastic about opening Google Authenticator for the fifth time in a single working day. The thing is - security is not simple, even if some of the recommended practices often are.
When it comes to those of us working in the field, inconveniencing users is the last thing we want to do. But to many, that's how it may seem. In reality, those of us working on our company's servers want the same things everyone else does - we want to have as stress-free a job as we possibly can. Like others, we want to get our job done and maybe (just maybe) get out of work on time to catch that new superhero movie everyone is talking about.
But here's the thing - security is important to everyone. Or at least it should be. Taking security seriously might be the only reason your company still exists. Does that sound overly dramatic? Well, it kind of is - but it's still correct. All it takes is a single cybersecurity incident to harm the reputation of your entire organization. And if that happens, profits plummet, and I'm sure you know the rest.
In 2020, Twitter became the victim of a cyberattack. According to the Verge, Twitter revealed that "a few employees were targeted in a phone spear phishing attack." This means that the attack wasn't the result of some 19-year-old computer mastermind cracking codes; the threat actors only needed to pick up the phone.
Yes, they made a series of phone calls. And unlike how security incidents are portrayed in the movies, it's not exciting or entertaining at all. Considering how many attacks begin from a simple phone call or email message, a threat actor doesn't have to be a computer expert to gain access to protected systems. They'll simply pick up the phone and ask for someone's password. And after that, chaos unfolds.
The Twitter example that I mentioned earlier is one of many. While yes, there are threat actors with incredible computer skills taking advantage of unpatched vulnerabilities, many security incidents begin with simple tricks played on well-meaning staff, a technique known as social engineering.
Due to this, security is everyone's responsibility, regardless of their role within a company. The security of an organization is only as strong as the weakest link. All it takes is for one person to click on a malicious link or believe a very convincing (yet completely bogus) phone call is real.
Okay, so what's the solution?
The answer is education. Education empowers everyone, and without end-users being properly trained, the likelihood that someone may fall for a social engineering attack is higher than you might think. And it's only going to get worse from here.
As complicated as the IT industry can sometimes be, if we educate our users we will be better protected. Security training within an organization should be taken very seriously. Teach your team members how to handle the various types of security threats they might face.
For those readers who do work in the IT field, pay special attention to the message. Don't just teach your colleagues what to do in the face of an uncertain situation: Let them know why it's important. Rather than communicating the password policy alone, let everyone know why it exists in the first place. During security trainings, give people real-world examples to illustrate that cybersecurity incidents do happen, and how they actually happen. If you perform an internet search for something like "cyber security breach," the search will return all the results you may need: news articles centered on actual companies that became victims.
Perhaps others within your company may be more eager to follow the password policy if you give them an example of what can happen when there isn't one. In addition, throw in an example of what an organization may have gone through when someone clicked on a link within an email message they were sure was legitimate.
In short, don't just communicate your company's policies; let everyone know why they exist. And perhaps more importantly, let them know what can happen when they don't.
In order to protect our livelihood, we need to be on the same team. Security hygiene is a responsibility we all share.
Source for the Twitter incident I mentioned above: