Protecting Your People Creates a Security Advantage

October 27, 2022 / Neil / personnel security

We’re used to hearing about people being the biggest threat to your security, usually just after a breach where some poor employee takes the blame.  Whether it’s accidentally clicking on malicious attachments, holding doors open for intruders or giving up their password for a chocolate bar, there’s no doubt that personnel do present a risk to your business.  But they are also your biggest asset – after all, without people, no business would exist. Demonstrating your committment and that of your people to security can bring other benefits, such as lower compliance costs, a simpler audit process, and lower cyber insurance premiums as well as benefits to your brand.  Educating your people about security has benefits beyond their work life and helps them protect themselves outwith the workplace.

In this post, I’m going to give you some ideas about how you can protect your people (and by extension, your customers) and turn that investment into a security advantage making compliance easier, reducing insurance premiums and reducing the risk of a catastrophic cyber attack on your business.

Policies and Processes

Let’s start off with something that doesn’t require any level of technology or procurement of additional services: policies and procedures.  Whilst many of us tech-enthusiasts would rather eat a bowl of lead-based paint than spend time documenting policies and procedures, they are a critical way of communicating with your people and setting baselines for how you want them to behave with regard to security. These can range from the organisational security policy signed off by the board, to specific policies around sensitive platforms. Employees expect and need guidance on what is expected of them in protecting themselves, the business’ data, and technology.  Whilst they don’t need to be complex (in fact, the simpler they are, the better) it is key that they are well understood and tested; effective communication of your existing security policies and procedures is the single biggest way to improve the security performance of your business.

Ensuring your people know what’s expected of them and how to react to incidents can be the difference between a major breach leading to fines that put you out of business, an effective ransomware attack that cripples your infrastructure, or the elimination of such threats before they can get out of hand.  Make your policies easy to read, and link them to relevant procedures.  Since this is a critical step in ensuring compliance with many frameworks and certifications, this is also a key task in any compliance projects.

Training and Awareness

Whilst it’s certainlty true that people can represent a weak link in the security chain, we have to recognise that people make mistakes, and that no-one is infallible.  Have you ever failed a phising test at work (or worse, an actual phishing attempt at home)?  I certainly have, and given the level of sophistication and persistence that phishers are able to bring to their campaigns I think we can all sympathise with those who are caught out by them.  We can reduce the risk of this happening by combining technology and training to help people spot phishing attempts when they get through other defences.  So far, so standard.  Many organisations carry out mandatory security awareness training, which is a start.  It’s important, however, not to stop there.  Security Awareness Training is most effective when it’s engaging and tailored to your environment.  Training should be backed up by targetted phishing and threat emulation that teaches people what to look out for and gives you measurable data on how the organisation is improving its security awareness.  The flip side of this is that technical, risk and security teams then have to get involved in developing training and testing regimes internally, which can be a laborious and time consuming process. To reduce this load, many organisations pick up training off the shelf, making it tedious and uninspiring for users, lowering the training’s value, and training users to view security as a boring hurdle to be overcome.

A better way is to use a service that gets you the best of both worlds – hands off management with the capability to tailor it to your environment.

But what else can be done to enhance the security of employees and customers?

Monitoring Data Breaches

Even though the perimeter within most organisations is disappearing before our eyes, it is important to recognise the difference between data that we control (broadly speaking, we could say this exists within our perimeter) and data that belongs to us, but is outwith our control, and therefore outwith our perimeter.  Businesses collect a lot of data about employees, associates, customers and suppliers and the exposure of that data to malicious actors compromises not only your business but also your people. Data breaches that are sold online often include credentials across multiple breached sites, and can be linked to Open Source Intelligence (OSINT) to allow attackers to try credential stuffing attacks against business infrastructure.

By monitoring for the presence of employee data within data breaches, you can not only protect your business, but also help protect your people.  Let’s have an example

Bob’s password reuse habit is going to cost him, and his employer.

Alice and Bob work for ACME Enterprises and both were included in the Compilation of Many Breaches dump, which is easily accessible online.  Although Alice has been paying attention to their Security Awareness Training and has been practising good password hygiene, Bob has not.  Our villain, Eve, has downloaded the dump and notices that Bob’s company email address and a password are included in the dump.  Although the dump doesn’t include data directly from Bob’s employer, he used his corporate email address to register on a site that was breached.  Sadly, he re-used the same password that he used for his company’s M365 tenant.  Eve uses the dump to try logging in to M365 with Bob’s and Alice’s credentials, only gaining access to Bob’s account, but they also try logging into a series of common services using those same credentials.  Sadly for Bob, he was re-using the same password on his bank account…

If Bob’s employer was scanning for breaches that include credentials for their systems, they could not only avoid the breach that Bob’s activity caused, but they could also help Bob avoid getting his bank account from being ransacked by warning them that they were included in a breach.  Bob could then spend many happy hours changing passwords on all the sites he reused the password on, and hopefully learn a valuable lesson for the future.  In this way, security technology is helping to secure the business, but also helping to protect its people, strengthening the security of both as a result.

Defending Mobile Devices

I think that we are all aware that most people now use mobile devices as a key working technology.  The Covid19 lockdowns accelerated the trend towards more mobile working, but now we all spend time doing work on phones and tablets, as well as laptops and traditional desktops.  While we take a lot of care to protect traditional endpoints with anti-malware, host-based firewalls, EDR, etc. we seem to worry less about the mobile devices, trusting in the integrity of app stores and the relative security of mobile OSes.  The trouble is that we know this isn’t enough.  It turns out that mobile devices are just as vulnerable to attacks as traditional endpoints, and worse, some of the vulnerabilities don’t even require user interaction – that is, a mobile can be compromised without the user having to do anything at all.  Mobiles also open other avenues for more basic phishing attacks through (the terribly named) smishing – phishing via SMS or text, and vishing – voice call phishing.

This is a classic opportunity to deploy technology that helps your people to protect themselves.  By deploying Mobile Threat Defence, you can reduce the risk of your employees’ mobile devices – whether corporate or BYOD – being compromised through zero-click attacks and can help them to defend themselves against smishing attacks.

Last but not Least

Once you have improved the defence of your people, then you can turn to securing your infrastructure and making your business more resilient to technological threats.  Implementing things like Security Monitoring, SASE, Zero Trust and EDR will also improve your people’s security, and reduce the impact of any lapse on the part of your employees, suppliers and customers.