We get lots of requests for assistance with security awareness training. It seems that this is an issue that can't be entirely solved in the month of October, despite that being the "official" security awareness month. So, in case you're looking for an easy-to-read overview for non-technical employees about why cyber security is everyone's responsibility, here is a slightly reworked blog post that originally appeared on staysafeonline.org back in October. . .
In case you haven’t heard (perhaps you’ve been working remotely on the moon), cyber security has become a huge issue for businesses. The security professionals tasked with keeping corporate networks safe (they’re called information security professionals, or infosecs) are struggling to keep up with the pace of data breaches and respond to the variety of attacks that are taking place 24/7/365. Stoic in their commitment to “handle it” most information security departments are only now getting around to letting the average non-technical team member know that there’s a lot of ways we can help keep our company networks – and ourselves – safer. In the next few paragraphs I’m going to explain what security awareness is, and how we – the non-geeks – fit into the puzzle.
First, what is security awareness? Well, Wikipedia provides a good place to start: Security awareness is the knowledge and attitude members of an organization possess regarding the protection of the. . .informational assets of that organization. Or, as an infosec explained to me recently, “there’s no patch for a stupid user.” Ouch! Do those tech-wizards really think of us that way? No, not really. They say things like that to make a point: no amount of technology can overcome the fact that people are people and they make mistakes. Especially when no one takes the time to explain the right and the wrong way to do things. Here’s a simple analogy to make my point: your local bank branch might have an amazing, state-of-the-art alarm system and vault, but it’s pointless if the bank manager forgets to lock the door or set the alarm. This example seems almost silly, doesn’t it? That’s because we’re all familiar with things like door locks, alarms and piles of cold hard cash. Only now we’re living in a new age where the line between “secure” and “unsecure” is much more difficult to define and we all have a responsibility to educate ourselves
I’m not in IT or information security, so what’s my piece of the puzzle? Like the bank manager in the analogy before, you probably aren’t responsible for designing and implementing cyber security measures any more than you provide for the physical security of your office. But I’ll bet you have a key or key card to get in the front door of your office and understand that if you’re the last to leave, you need to lock the door behind you. Cyber Security Awareness isn’t any different: you’re responsible for making sure your digital activities don’t lead a hacker to the inner vault of your company’s data.
What are hackers looking for, anyway? In most cases, easy money! Just like a burglar looks for things that are easy to steal and sell, like jewelery or electronics, in a data breach most of the time hackers want data that’s easy to sell on the "dark web". That’s usually payment data like credit card numbers or bank account information and personally identifiable information like social security numbers and dates of birth. These items have a market value on the dark web the same way a diamond ring does at a pawn shop. And if you work in key industries with valuable intellectual property, there’s a lot of other types of a data a thief could be after, too.
OK, and why would they be looking on my devices? Usually if a hacker’s been knocking around your computer, it’s because yours was the easiest to get into. Like a petty crook walking down the street trying every car door as he goes, hackers will “take it where they can get it” most easily. Unlike a car thief, though, once a hacker has access to your digital identity they can use your device as a "pivot point" (a device used to gain access to a more valuable one), to access more systems. Here’s a scenario to paint the picture: Imagine if a hacker managed to breach the computer of your company’s lowliest intern. There’s probably not a lot to steal (maybe – read the next section to see why I say maybe) but there’s plenty of opportunity to use that intern’s digital identity to break into other user’s systems. For example, the hacker who has his foot in the door could send a company-wide email along the lines of, “Thanks for a great fall! Check out the attached zip file to see pics of me with everybody!” How many of your co-workers might open that zip file before it dawns on them that the intern isn’t leaving for another month?
Geez, is there anything else I should know? Well, yeah, actually: besides providing a potential pivot point depending on your role, your device might actually be full of data that hackers would want to steal. Ultimately you need to proactively scan your devices for this stuff because we can’t cover every scenario in a blog post, but here’s a quick list of the types of data you might have and where it might be lurking, even though you’ve done your best to be safe and tidy:
Personally Identifiable Information
Protected Health Information
Where The Data’s At:
Stored on Your Drives
In short, unless you’ve proactively looked for this type of data on your system, you shouldn’t assume that your computer, laptop, tablet or phone isn’t hiding this stuff in plain sight just waiting for someone to come along and take it.
And this is a big deal? This is a huge deal. It’s bad enough if somebody pilfers your own valuable data, but if you’re storing customer data and that is breached you’re looking at a very embarrassing, costly and time-consuming process to “make it right.” Believe it or not those records cost companies about $150 each on average. So if you’ve got sensitive data on a few dozen customers your machine could cost your company $10,000 or more. Multiply that by all your coworkers and it becomes easy to see why Kaspersky Labs reports that businesses pay an average of $551,000 after a breach.
Here’s a quick list of some consequences if your company is breached:
So that’s the short(ish) explanation of why your organization is so hot to get you security aware, and why you need to know that you have a direct impact on the risk posture (how ready you are to thwart a hacker) of your organization. You really are an important piece of the puzzle! Luckily there are a lot of resources out there to help you take your awareness to the next level. For example, you might consider using my company’s free scan to look for unprotected data and vulnerabilities on your work or personal computers. And always remember that, when in doubt, asking a few extra questions of the people you know you can trust can save you and everyone you work with a lot of expensive, embarrassing, frustrating headaches down the road!