A Roadmap for a People-Centric Approach to Security
In July of 2017, I published “What is at the Center” on the website Security Current. I made the argument that even though risk, networks, data and compliance can all be the center of a security program, it really should be people. At the time, I suggested “Start thinking about security as a way to keep the workforce safe.” I’ve taken my own advice and with the help of my caring colleagues and peers, I think I can finally lay it out.
First of all, the mission has not changed. Protect the data. Protect the systems, the network and the information assets wherever they are. It’s what you get up for in the morning and it is what keeps you up at night. You do a lot of delegating to accomplish this on-going mission. You delegate to all the various teams that have direct responsibility for security and you delegate to all your technical controls.
Take a minute to think about those technical controls. All told, the vendors who supply them spend millions of dollars every year to refine them, keep them current, improve and evolve them. They will rightly tell you that they are trying to stay one step ahead of the hackers. That’s why you pay them and that’s why they invest in their products. You still most likely layer your controls for defense in depth. For example, your secure email gateway, your endpoint protection product, your secure web gateway and your more traditional firewall might all have functionality to block malicious websites.
Likewise, whether your team is all in-house or you outsource some security operations functions, you probably have dedicated specialists for whom security is their primary role. Responding to alerts and monitoring your environment is what they are trained to do and they probably have set procedures for those functions which cover most situations.
When an attack is successful, all those controls failed. If someone in accounting receives an email with a link to a malicious website in it and they then click on it and that begins a malware attack, then consider how many specialized security controls just failed. I am going to get blunt about this: anyone who thinks the person in accounting is the weakest link in this scenario is not thinking this through very much.
That person in accounting is without a doubt your last line of defense.
There are only three reasons to describe the end user as the weakest link in the chain of security controls:
1. You are trying to sell a security product
2. You are trying to deflect attention away from all the controls that failed
3. You are uncomfortable with the idea that their behavior is as important to securing the Enterprise as everything you’ve invested in
The entire hacking community came to terms with #3 long ago. It doesn’t make them uncomfortable. Of course, social engineering pre-dates a lot more than the internet (see, for example, Jacob impersonating his brother Esau in the Book of Genesis, written thousands of years ago).
So if today’s employee is the last line of defense in your cybersecurity strategy, you can choose how to manage their effectiveness. You can give them some security awareness training and run some phishing simulations. You can offer them a special way to send in alerts about phishing and smishing scams they notice. These are good strategies for increasing the effectiveness of people as a control.
But what if protecting the workforce becomes part of the mission? In addition to aligning your security program with IT and seeing people as a control (which they certainly are) how about also aligning the program with Human Resources and, in the case of, for example, the construction and manufacturing sectors, Employee Health and Safety, by seeing the workforce as people?
After all, your workforce spends lots of personal time on-line. So do their families. The on-line threats they face in their personal lives are not much different than those they face at work. These threats include all the scams you work hard to warn them about like credential phishing and the personal version of business email compromise where an imposter tries to get them to re-direct a payment.
They also face:
- Elder fraud targeting their parents, which the FBI puts at over 1.5 billion USD for 2021 across all kinds of fraud
- Romance fraud that can turn into cryptocurrency fraud or sextortion, which the FBI reported at just under 1 billion
- Cyberbullying and sextortion of their teens and tweens. The Cyberbullying Research Center reports that 1 in 4 teens have reported having been bullied on-line
So the question is: as the subject matter expert on cybersecurity and cyber safety, how can you advance the firm’s security posture through empathy, through helping them be secure in all aspects of their lives and not just as employees? Through the pandemic, CEOs learned to do this more and more, using empathy as a way to help anchor people who might have otherwise been isolated by lockdowns.
“The ability to understand and relate to your employees and other managers can help you not only connect with them but also put your people in the best position to succeed.”
-from a CEO Council post in Forbes: The Importance Of Showing Empathy As A CEO by Sean Manning, CEO and Founder of Payroll Vault Franchising. March 19, 2021.
I’ll circle back to the “why” one would do this further down. First, I want to provide some detail on how as a CISO, one can be the cybersecurity expert for the workforce with the objective of making them safer in all aspects of their on-line lives.
What you can do:
You can help them know how to prevent these things. Is all your security awareness training and outreach around preventing business related attacks? Or, like most CISOs I know, do you remind everyone in late January about fake IRS scams? How far can you take this (where I work, we call answering that question part of “active caring”)? The list of things you can engage the workforce on is ever changing as the crooks change their methods. And the people in their lives that need protecting include their siblings, their children, their partners and their parents.
Think a single twenty something worker doesn’t care about sextortion attacks aimed at teens? They do if they have a younger sibling they’re close to.
Describing scams and how to recognize them can help your workforce keep those they care for safe. And a workforce engaged with knowing how to be safe on-line is what we’re aiming for with our awareness programs, right?
You can suggest resources that will help them with more information. If you have workers who are raising children, those children are what people that work with children and technology call “digital natives.” You don’t have to be an expert on this subject, but it doesn’t take much to find the experts online. Want to reach parents who are worried about how and when to get their kids their first mobile phone? You can point them to Dr. Devorah Heitner’s work raising digital natives; https://devorahheitner.com/why-should-you-plan-before-getting-your-kid-a-phone/ .
You may be thinking, but I am not more qualified than them to know what’s best for the kids. Of course you aren’t. And they can use search engines just like you can. But you would be surprised at how useful your training really is in evaluating resources that accurately describe threats and exploits and that lay out preventive plans of action.
You can help them recognize when they or their families are being scammed. I have done this, fortunately, on only a few occasions. But I cannot tell you how useful it is for someone who thinks they are being scammed (or thinks someone in their family is) to hear a cybersecurity expert describe in detail exactly what they are experiencing.
For example, confirming for someone that the stranger they met last month, who is asking them to put their life savings into a cryptocurrency “account” on a website that you can see was spun up 90 days ago, is best left alone can be invaluable to them. If you know those particular scams, you know that the early test deposits people make to test out the website yield returns of 5-10 times the initial small investment. They are usually even able to withdraw those gains. It’s only when the person puts in a large sum that the site becomes unavailable and they lose their investment.
Assuring someone that scammers make a lot of threats from “I’ll send those explicit pictures to the admission counselors of the colleges you are applying to” to “I have everything I need to make sure you never get another Social Security check” but that they are usually empty can provide all the assurance they need to deal with things.
Refer them to law enforcement. If someone’s house was broken into, they would call the police. On-line attacks are relatively new and people often don’t think of going to their local police. Sometimes, they feel embarrassed that they were gullible and got fooled. They need some encouragement to call the police. Increasingly, local law enforcement has at least one “cyber expert” in-house (all state police forces do). And even if not, since most on-line scams are often on-line versions of old time confidence schemes, local law enforcement can be very helpful in helping people get closure on an event.
You can listen (be empathetic). Sometimes, a person just needs someone else to listen and say “yep, the hackers are smart and lots of people fall for these scams.” We are looking to partner with our workforce so they become better at keeping the Enterprise and themselves secure. Just being on their side can help make them more receptive to being more careful.
What you can’t do
In general, you can’t make guarantees. While being the cybersecurity expert means you can say things with some degree of certainty, you obviously can’t guarantee things to people. Statements like “block their number and you will never hear from them again” are ill advised. As we know, hackers can be persistent and your credibility depends on recognizing that risk is difficult to fully eliminate.
You probably can’t reimburse them for losses. Here’s where I am taking my own advice and not saying something as an absolute certainty. I have never encountered a situation where a company would reimburse a member of the workforce who was the victim of a scam. I can’t imagine one either.
You probably shouldn’t get between them and a scammer. Again, I can’t say never but I can’t imagine this would be a good idea. That’s what law enforcement and other resources you point them to are for.
It all sounds like a lot of extra work, doesn’t it? As I argued at the beginning, I don’t think the work is “extra.” I think we need to see it as essential.
The run of the mill hacker doesn’t care that much what scam they run so long as they can make money off it. The next time you hear about a business email compromise attack beginning with a notice that the person needs to change the routing number and account number to pay the next invoice, have your employee write back “ok, but I am still waiting to get those photos you promised me” and see what the hacker writes back. Then block them and report any fraudulent email domain they spun up.
The point is that the hackers see the employee as a target no different than they see the same person when they’re home. They want to get to your company’s bank account and the employee’s account. Leveraging that alignment can help you train your employees better at recognizing scams.
That’s the beginning of the value proposition here. Cutting down on employee distraction is also of tremendous value.
If you work in construction, manufacturing, transportation or another industry where employee safety is of the utmost importance, then you know that a distracted worker is more likely to have an incident and possibly get injured. If your employee is worried about what their child is doing with their phone every night in their room after dinner, they may be more prone to a safety incident on the job.
Distracted office workers are more likely to click on a link or download an attachment without thinking as well.
Going back to the idea that the Security department can align with Human Resources and Employee Assistance, I would argue that even if all you do is make sure the EAP program has on-line safety resources available in its elder care and help-for-parents programs, you’ve furthered the mission of keeping the Enterprise safe.
Nothing I am talking about here has to be formal. Maybe it is just a mention in an employee newsletter or communication that you are there to help. Maybe it is just incorporating personal and family on-line safety tips in your regular awareness communications. There is no wrong way to kick this off if you are not already doing it. Done thoughtfully and within the culture of your Enterprise, I think you will find it pays off in promoting a security aware culture.