Traditional information security should, it has been argued, be like Victorian children; best kept out of sight. Most CISOs aim for security that is invisible to the end user, working away in the background but not impinging on the day or hampering business objectives. While there is a great deal of merit in avoiding security controls that deter productivity, for me, this doesn’t mean that security should be made invisible.
When I was 7, like most of my friends, I began to receive pocket money. Of course, now that I have my own children I can see that entrusting money to a 7-year-old is just a marginally more interesting way of disposing of cash than burning it. And yet parents (me included) continue to hand hard-earned money to their offspring, with the sure expectation that, at best, it will ultimately fill their house with useless plastic
When we block and hide every one of the (thousands) of threats a business is subjected to daily and weekly, we not only project a false sense of safety to the employees (“I don’t think our business has ever been the target of a cyber attack, so it probably isn’t an issue for us”) but, overtime, we also cultivate a workforce who have no ability to identify risk (and therefore no understanding of the need to regulate their own behaviours to minimise risk).
When we hand over a few shiny coins to our children (or, nowadays, give them a kids’ payment card) we begin to create an awareness of money management skills. We create opportunities for them to mess up, within a safe environment.
There’s lots of ways we can mimic this approach within the enterprise, creating a greater understanding of threats and the employee’s personal responsibility for awareness and action. Here’s three of the easiest.
1. Share Risk Profiles
It is becoming common for enterprise security teams to maintain risk profiles at
2. Catch and Release
I am a big proponent for deliberately letting some phishing attempts through to the
3. Catch of the Day
Almost every workforce, regardless of size, has one or more individuals who regularly flag threats and attack attempts to the security team. It’s easy to ignore these efforts (it’s rare that they flag something that we haven’t already discovered), but don’t. If you showcase the value of these security champions-in-the-field, it is a really simple way of raising awareness that there is some level of personal responsibility for vigilance. Even if you aren’t getting any unsolicited help from users in threat identification, take a leaf out of MI5’s book and highlight specific instances of cyber threats that the security team and its tools have caught. Like the catch and release approach, this serves to increase vigilance among employees, and provides an opportunity to educate the organisation about new types of threat.
ENISA’s Threat Landscape Report 2018 was released in January 2019 and it states that security teams should be “making CTI [cyber threat intelligence] available to a large number of stakeholders, with focus on the ones that lack technical knowledge”. Ultimately, there is a balance to be struck between ensuring that security tools and policies do not restrict essential business activities, and making them visible enough to avoid increasingly unaware, individuals.