Monday 20 May 2013

The InfoSec Path Less Travelled

A designated board member of the company gets caught forwarding critical business research data to his personal email ID. The ensuing investigation found he was on the verge of forming a private limited company in the same line of business.

In a similar incident, although an innocent and unintentional one with no mala fide objective, a top-level employee was caught forwarding emails to a personal ID because of an issue with the company's email client. He had no clue whatsoever that this was a serious breach of the company's information security policy. The result: a senior executive of nine years was fired.

These are just some examples of top management complacency towards information security. Similar cases of data breach are rising in alarming numbers. If CXOs can be so careless, one can reckon the degree of security awareness of an average employee.

This exposes a gaping hole in the enterprises’ preparedness in dealing with insider threat. The question staring us in the face is: have organisations missed out on the most basic and essential tenet of building an overall culture of security?

“The cultural and behavioural aspects of employees are not incorporated in the information security policy, at the level it should be. In the sense that most of the employees feel that the security for the company is the job of CISO or the person in-charge,” says Vicky Shah, Consultant, The Eagle Eye.

Users should feel responsible and understand that their collective wisdom strengthens the overall security posture of the company. A culture in which employees take on the onus of ensuring IT security by following the regular hygiene, rules, strictures and regulations will deliver the desired level of security preparedness.

In the absence of this culture, no information security awareness campaigns will come to fruition, irrespective of how attractive, interactive and intuitive they are. So, how do companies instil the security culture in employees?

Measuring Employees’ Security Posture

The most important step for the CISO's office in building the requisite security culture is to assess how alert employees are towards information security. This can unearth their complacency in handling security issues. While the usual methods have their advantages, going off the beaten track can be more useful than the traditional tricks and leave a more profound and lasting impact on employees' minds. This makes employees start taking security more seriously, setting a firm base for a strong culture of information security.

Offbeat Techniques To Check Security Posture

Here are some offbeat techniques that CIOs/CISOs can use, as well as some real-life examples of deployment of those techniques.

Technique 1

It’s essential to be more practical and direct in checking an employee’s security readiness. “Apart from IT infrastructure, penetration testing with social engineering can be used on employees. The attempt is to see whether employees fall prey to the scheme. If they do, they have to be sensitised to the repercussions if the same was a real breach attempt,” says Vishal Salvi, CISO and Senior VP, HDFC Bank. Social engineering here means sending employees deceptive messages designed to make them divulge information. The aim is to test whether employees follow the set policies. In such an exercise the deception is carried out by an internal employee rather than an outside attacker.

Technique 2

Companies can also hire a consultant and grant him/her special rights to check employee readiness. Shah cites an example of how his team carried out a physical penetration testing assignment for a company to check the security preparedness of the team responsible for a high-security zone in the company, to which not all employees have access.

Shah informs that this part of the client’s office is administered under special access controls, with only certain employee functions allowed to visit and access the resident IT infrastructure. To check whether the deputed employees followed the procedures, Shah’s team was asked to enter the zone under the guise of an audit team. To the company’s surprise, the team was given complete access after merely giving verbal assurance that all the necessary permissions had been obtained, and what followed was even more shocking. “Our team went up to their server room and in spite of all the information security policies in place, we were able to penetrate the IT systems by using social engineering techniques,” says Shah.

After this shock, a series of drills was conducted, once the access control procedures had been documented down to the last detail. The objective was to have rigid processes in place, meaning that even an audit team visiting the site has to adhere to the regulations like any other authorised person would.

Technique 3

A simple SMS can also go a long way to thwart information security breaches and unauthorised usage. “I consulted one of my clients to run a customised SMS campaign. The users in general were sent text messages on the employee and company liabilities in the eventuality of an information security breach. As part of the campaign, employees accessing porn sites or other objectionable content, in particular, were warned with customised SMSes. It was made very clear in the message that the viewing of porn sites is a criminal offence with the specified imprisonment and penalty,” says Prashant Mali, President, Cyber Law Consulting.

Why an SMS? The idea is to send the message without hurting the employees. An SMS issued from an official location acts as a soft form of communication, as against a memo, which may be taken badly. The campaign was a success. Furthermore, any change in information security policy or any security incident was also communicated to employees via SMS. The exercise was done with due care, ensuring that the identity of the person concerned was not revealed.

This has been further supplemented by the company’s information security team regularly tracking employee internet browsing patterns. It has gone to the extent of openly displaying the objectionable website URLs viewed by employees: the list is put up in the office canteen. The objective is to deter other employees from logging on to the same sites. Employees are also warned of prospective HR action in case of a similar breach.

Technique 4

“Another technique is to ask the system administrator to check how the employees respond to their email IDs getting deactivated: whether they are following the set procedures, and what the turnaround time is within which the email ID is activated again. This reveals the particular employees’ alertness towards getting things done within the time frame,” says Shah.

Citing a client where such an assessment was done, Shah informs that the assessment found most of the employees failing to inform the risk officer. “The set procedure was to inform the system administrator and fill out a form to update the risk officer. However, only the former was informed and not the latter,” he adds.

The point to be driven home here is that an email malfunction is not merely a technical issue but an information security risk.

Most of the high-profile information security breaches of 2011 were the handiwork of unsophisticated threat vectors: a simple exploit in Excel in the RSA case, and a few lines of code to change an ID in the Citibank case. These cases point to a simple fact: companies should make sure that employees are, at all times, well-versed in the basics and prepared to respond quickly to any anomaly that is noticed.