Click Happy Employees. Biggest of Insider Threat!

There are only two universal facts of the "End User World" of an enterprise digital infrastructure, and they are...

1. Lot of employees have heard about mail or browsing based threats (its hard to find one who hasn't)
2. Most employees still click on that link or that damn document in the mail, without a second thought

Here is an attempt to outline the reasons of, "Why employees can't display Cyber Safe Behavior"

Employees' " Action and Response" in IT and cyber world, knowingly or else unknowingly, can either protect organization's information and assets or else can wreck a havoc on security.

Most organizations pay an exceptional attention to adoption of 'tools & technologies' to protect themselves against potential threats in the world of IT, but fail miserably, when it comes to equipping their employees with real knowledge about 'threats', 'security precautions' & 'damage their response or lack of response could cause'.

This happens despite the fact that almost every organization arranges for some training on security awareness for their employees one or other time.

More than 60% of events are non-hacking related, and, are result of employee behaviors!

And, a lot of them are from click happy employees!

What Employees Need to be Aware of..!

Employees in org need to be aware of certain scenarios and situations, in which, their actions should be based on their knowledge and judgement. Here is a list of things "All Employees" should be definitely aware of..

1. Using discretion in opening a document, which came from a mail ID out of their corporate domain
2. Paying attention to a URL flagged as dangerous by either the search tool or by filtering tool deployed within enterprise
3. Not clicking on a URL which came in embedded within a mail from an external source, unless it is a well known one
4. Not turning off their scans at endpoint and not disabling the endpoint agent of whatever security products are installed
5. Avoid getting trapped into social conversations, which lead to something related to work or profession without clear reason
6. Stay away from posting any corporate content on any social or professional network without explicit permission of company
7. Avoid using any external or cloud based backup tools/platforms to take back of their endpoint data without explicit permission
8. Copying anything to removable media only when organization allows that specific content to be copied to such media
9. Sending mails to external sources with company related information and being aware about what is allowed and what is not
10. Good understanding of confidentiality policy of company and knowing how to respect and adhere to it
11. Understanding threat vectors such as fishing, social engineering, viruses, malware and keeping themselves updated the risk they pose
12. Taking precautions in doing a login to corporate network from external networks and internet connections
13. Understanding printing policy of the organization and adhering to the norms of using and destroying the printed copies of confidential material
14. Knowing internet policies of organization, and, adhering to the type of sites which one visits during his presence in office
15. Observing anomaly in the behavior of an external application, which employee use, and reporting it to internal management
16. ......

Some or all of these are commonly known things and one would presume that all employees would already know it.

'True' and 'Not True'. The issue is not about employees knowing it. The issue is about employees being aware of the risk it poses, when they are not careful in 'Actioning & Responding' to one of the above mentioned scenarios.

" 1,200 respondents surveyed for the report 40 percent of Gen Y respondents are likely to pick up a USB storage device found in public, compared to just 9 percent of Baby Boomers "

Measures to be Taken.. -->

Organizations need to think about the 'security awareness' differently than what they think about training. Security awareness in employees need to be done at much deeper level than a usual training on domain or any other managerial skill. Here are some things, which organizations should do..

Security Aware Program.. Not a Training!

Security awareness is a program and not a training. Training is only one element of an overall security awareness program. Design a security awareness program which makes sense for your kind of organization, given the segment and environ you operate in. The program should have multitude of recurring activities, along regular training on security. Frequency and element of this program should be in alignment to threats and exposure your company is subjected to.

Sign up for Security Content.. Third Party!

Arrange for regular security awareness and security news content, by signing up with some third party security vendor. This content should be dispatched to the employees on a regular basis with a feedback on, 'if employee read it'

Arrange for Security Awareness Assessment.. Every Quarter!

Humans are capable of an incredible memory, and, then they are capable of 'legendary loss of memory', when it comes to non-contextual & non-interest topics and areas. Security awareness is such an area. People are likely to know stuff, but, still forget about taking precaution when it comes to taking an action or responding to a situation.

One of the most effective cure for this, is to conduct regular security awareness assessment and surveys. Keep it quarterly, and, make it mandatory.

To make it even more effective, design certifications on security awareness, &, have people take the certifications and display them on their desk.

Make Security a Culture.. Protection a Habit!

People in organization are more likely to 'do the correct thing', based on their security awareness, if they adopt it culturally. People place significance on some aspect of their work environment when everyone in the group is sincere about it. Inculcate a culture of being secure in your organization, and, let people take pride in it. The spread of this culture will ensure people intrinsically do the right thing and stay secure.

Have Security Expert Talk to People..Really!

A lot of time, people have a completely different sense of understanding and agreement, when a domain expert, which comes from outside world, is talking to them. Ask a security expert come to your organization and have him deliver a speech on perils of not adopting secure ways of working.

An aware employee is secure.

And, he makes the company secure!

Rajeev Shukla has worked as Cto for 2 decades providing Orchestrated cyber security services.