May 10, 2019 | Lea White, PA to the General Manager, SSS
The first memory I ever had of an information security vulnerability was probably about 20 years ago.
I was working as a personal assistant in a very large organisation. One morning I received an email from a colleague with a story about Little Red Riding Hood. It was only about two paragraphs long but ended with a link to read more.
Clicked on it... nothing happened.
Clicked on it again... nothing happened.
And after about three or four times I decided to give up.
I think I may have even emailed my colleague to say that nothing happened when I clicked the link.
It was at that point that our IT team sent an email to all staff urging us to not click on the link and to delete the email when it came through.
It turned out to be a virus: every time you clicked on the link, the email was sent to every single person in your mailbox, making it look as though it came from you. It nearly crippled our email system, given we were well over 3,000 staff with most of us clicking on the link multiple times.
I dread to think how many times after this I would have inadvertently helped spread something malicious. Other than IT telling us we should not click on that particular link and that we should delete the email, we received no further information or training that would enable the non-IT staff of our organisation to recognise suspicious emails.
Until I joined SSS about two years ago as a personal assistant, I didn't really consider the important role that I play in helping to protect my organisation. Information security was this foreign concept, and really the IT team's responsibility as far as I was concerned. After all, if they have a firewall set up and we have an anti-virus installed, then that sorted it in my mind.
Since joining SSS I have learnt a lot of lessons that I wish I knew about a long time ago. Here are a few of the things I have learned as somebody new to the information security industry:
Information security is not just an IT team thing
After joining SSS I was given the opportunity to complete phishing awareness training as part of my induction.
For the first time in my career I actively started noticing some of the potentially malicious activity that fills up my personal inbox all of the time. I started knowing what to look out for, and I realised that phishing attacks are becoming more and more sophisticated all of the time. Sometimes it can be incredibly difficult to spot a phishing attack. Nowadays, it isn't just emails with bad grammar and spelling all of the time, or those emails telling you that you won the UK lottery. Attackers are not all called Lt. Solomon Mbanda from Nigeria looking to share his millions of dollars*.
I have come to realise just how important things like phishing awareness training are for all staff (not just the technical ones). Most (if not all) of your staff likely have access to a computer and email, and all it takes is a single click of a link and your systems can be breached without you even realising it.
Writing down your password on paper is a really bad idea
In a previous role my manager asked me to help keep a record of her passwords. When I started there the previous assistant showed me where the Word document was saved. It had this table with all the different systems and login details. I was then told that I would need to print this out each time it was updated and store it "securely" in my drawer.
I don't think it ever occurred to me, or anybody in my team, just how big a risk that process was. Not only did we have a system where we gave easy access to anybody who wanted to snoop around, but we simply assumed that all of the staff, visitors to our office, and the cleaners at night would be honest people we could trust. We never considered that people we may know could use the information to compromise our system. After all, malicious attackers are only people like Lt. Solomon Mbanda from Nigeria looking to share his millions of dollars*, right?
One thing is for sure: technology is very much part of our lives, and the number of applications and systems we need to use just keeps growing. This brings a big challenge, in that the average user now has a multitude of passwords to try to remember.
In my past roles this would often mean creating really simple and easy-to-guess passwords, using the same password for as many systems as I could, or writing them down somewhere.
A lifesaver for me here at SSS was to start using a secure password manager such as Thycotic Secret Server. If we had access to this in that previous role, my manager would never have had to ask me to keep her passwords "safe".
Most users don't understand how to select the right passwords
"Your password will expire in 4 days".
I must admit that this is one of my least favourite emails to receive. Of course at first you put it off because... well you have 4 more days.
Then the next day you get the dreaded "Your password will expire in 3 days".
When you finally reach the last day, depending on the company password policies, you tend to follow one of two strategies: you either just follow on from your last password, i.e. Summer1, Summer2, Summer3**; or you start playing a little game of I Spy - "what can I see around me that will make a good password?"
I'm ashamed to admit that in a previous job someone set my password as Password, and I didn't change it for as long as I could. Then when I was prompted to change it, I changed it to Password1. At the time, not knowing any better, I simply didn't realise the big risk around the weak and simplistic passwords I chose.
Recently, we wrote an article about SamSam describing how attackers specifically look for a manual way to compromise your system, and this is often through weak passwords.
The truth of the matter is that staff will generally go for what is easy to remember. But easy does not mean safe. One of our previous articles covered this topic in more detail. Also if you are using a secure password manager, it can often generate a complex password for you.
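The two habits described above (bumping the digit on the old password, or picking a dictionary word and adding a digit) are exactly what a password-change check can catch. The following is an added example, not code from SSS or from any password manager; the small list of common base words is a constructed stand-in for a real breached-password blocklist, and the suggestion function stands in for a password manager's generator.

```python
import re
import secrets
import string

# Constructed stand-in for a breached/common-password blocklist (assumption:
# a real deployment would check against a much larger list such as a breach corpus).
COMMON_BASES = {"password", "summer", "winter", "welcome", "letmein"}


def normalise(pw: str) -> str:
    """Lower-case and strip the trailing digits/symbols that users bump on each rotation."""
    return re.sub(r"[0-9!@#$%^&*.]+$", "", pw.lower())


def is_trivial_variant(old: str, new: str) -> bool:
    """True when `new` is `old` with only its case or trailing suffix changed (Summer1 -> Summer2)."""
    base = normalise(new)
    return base != "" and base == normalise(old)


def check_new_password(old: str, new: str, min_len: int = 12) -> list:
    """Return the reasons a proposed rotation should be rejected; an empty list means accept."""
    reasons = []
    if len(new) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if new.lower() == old.lower():
        reasons.append("same as the previous password")
    elif is_trivial_variant(old, new):
        reasons.append("previous password with only the suffix changed")
    if normalise(new) in COMMON_BASES:
        reasons.append("dictionary word with digits/symbols appended")
    return reasons


def suggest_password(length: int = 20) -> str:
    """Generate a random password the way a password manager would, using a CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for old, new in [("Summer1", "Summer2"), ("Password", "Password1"), ("Summer3", suggest_password())]:
        verdict = check_new_password(old, new) or ["accepted"]
        print(f"{old!r} -> {new!r}: {', '.join(verdict)}")
```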
Information security is more than just your email and the company network
One thing I never really thought about before is that information security is more than just my emails and the company network. Good processes are more than just having a firewall and anti-virus. Every bit of information a company stores is part of information security.
I don't know about you, but I have seen situations before where somebody will press "send" too fast and the wrong person will receive the wrong information. Most users respond by trying to recall that email and asking the other person to delete it. But the reality is that once information is "out there" you really have no control over what might happen with it. Depending on the information, this could compromise your organisation, a specific person, or both. Certainly in the roles I had, it was never clear that there was a policy on how to deal with accidental breaches.
Document signing is another risk to keep in mind.
As a business support professional, it is often my role to get documents signed. Sometimes multiple signatures would be required. In many organisations, this means leaving a document on somebody's desk until they let you know that it is signed. Then if it required another signature, it would be left somewhere else, until you eventually got it back to finalise the process. Not only is this a pretty time-consuming process, but there are risks such as losing the document or having unauthorised parties view the information.
One thing I appreciate here in my role at SSS is that we have some great tools to minimise some of those risks. For example we use an application to enable me to easily recall my email within a set amount of time prior to it leaving our network, or I can set it so that internal documents do not leave our network. We classify our documents so that highly sensitive and internal documents can be treated appropriately. We use a secure file transfer tool where we can set access rights, and we use a digital signing solution that not only saves me a lot of time, but means I never have to print out a document and leave it on somebody's desk. This gives me some peace of mind!
Just because you are a proficient computer user does not mean you understand information security
Looking back over my career, it occurs to me how often some of my managers and the IT staff assumed that, just because I was proficient with the applications I was working on, I understood things like information security.
There may have been an assumption that I would simply know how to make safe and smart choices all of the time, or that I would ask about it. But how can a user ask about something they don't know that they don't know?
Just recently an ex-colleague mentioned to me that she just didn't understand how hackers manage to crack your password.
I caught up with another ex-colleague recently, and he was surprised to learn how somebody like their receptionist could accidentally breach their systems simply by clicking on a link.
If I could go back and suggest some things to my previous employers, it would be to:
- Invest in information security and phishing awareness training for all staff from the day they join the company
- Develop a culture where all staff will realise and appreciate just how important they are in helping to keep systems safe
- Provide staff with the tools to minimise the risks of accidental breaches
And finally, the biggest thing I have learned since coming into information security is that the user can either be your biggest protection, or your biggest risk. Help them be your biggest protection.
* Fictitious name and not referring to a real Lt. Solomon Mbanda in Nigeria
** Summer is not a good password choice, read our article about passwords