Having staked the next chapter of my career in the world of cyber security, I am on a mission to make the world a better place and promote world peace; at least, that was the explanation I gave my children.
In reality, what I read and see on a daily basis is that companies don’t appear to be making it too difficult for outsiders and third parties to gain access to company and personal data. It is in this area that I believe a giant step can be made to dramatically reduce business risk within the workplace.
When we first join an organisation, we are typically advised of corporate ethics, company policies and good governance, along with signing some form of intellectual property and non-solicitation agreement. In practice, it has become extremely difficult to manage whether the goals of the company are in line with the day-to-day workings of employees. If employees are breaking policy, intentionally or not, how would you, as an information owner, know?
What is deemed acceptable usage?
For me this is an interesting topic and one which will attract contrasting views. In my early working life I was provided with a company laptop; I didn’t have the funds for a second one at home, and so it doubled for both work and personal usage.
I have the impression that a large number of employees are in a similar position, not just with laptops but with a wide range of company tools. Is it acceptable to use the laptop for personal banking, for example? I don’t expect many organisations would be concerned with such usage, but where is the line drawn between acceptable and unacceptable behaviour? Letting the children use the laptop for their homework, or using unsecured Wi-Fi in a hotel whilst on holiday? Even taking the device on holiday at all? Surely I am not alone with these thoughts?
This is where I believe organisations would like us, as employees, to take a common-sense approach to mitigate risk or reputational damage for our employers. For enterprises the guidance is typically delivered through the consumption of annual online training tools and videos to tick a corporate governance box, and tick that box it certainly does! But is ticking that governance box an adequate organisational mitigation in the eyes of the Information Commissioner after data has walked out of the door? With the fast pace of digital change, are our employers doing enough to guide us employees, or should they have a big safety net that maps, tracks and captures any employee or company exposure, nefarious or not?
It is here that I raise the meaning of common sense: “Good sense and sound judgment in practical matters”.
Can we as employees be trusted with such power? Is it even fair that we would be expected to be? Given the hefty fines around GDPR, are companies wise to leave potentially 4% of turnover in the hands of “employee common sense”? We as humans are fallible. There is no getting away from this. Phishing campaigns are often seen as succeeding through the inexperience or negligence of employees. In some instances this may be the case; however, targeted campaigns have been known to leverage advanced and intrusive open-source reconnaissance in order to ensure the user opens the document or clicks the link. The attackers play on our individual humanity and bend it to achieve their aims. After all, who could resist peeking at that USB drive you found in the company bathroom in an envelope marked “CONFIDENTIAL – REDUNDANCY SPREADSHEET!”?
There is also the perennial problem of keeping data where it should be. It may be easier to instant message that financial report, but is that the safest way to transmit that data? Is it the approved way? Additionally, did I send that email to the correct “Martin.Smith4@lotsofdata.com”? All of these add up to considerable exposure that companies look to address with the panacea of “common sense”.
Another option is to insure against the risk, although not all policies will cover such exposure. Defining who and what caused the exposure is also extremely difficult, particularly in the case of state-sponsored attacks. For example, Mondelez recently sued its insurer Zurich for refusing to pay out on a $100m claim for damages caused by the NotPetya attack.
With cryptojacking, fileless malware and the exponential evolution of attack methodologies, the problem is not going away any time soon. Adversaries are becoming increasingly sophisticated and successful in finding that “easy way in”. In my view organisations HAVE to minimise the attack surface and continue to raise employee awareness.
Good periodic training and awareness will not be enough moving forward, and arguably it isn’t enough now. The technology must safeguard employees and assist them in their decision making, inside the workplace and out. Data is now being moved in and out of the organisation in great volumes and at great speed. Connecting to non-secured Wi-Fi networks and accessing unapproved websites is all too easy. Put simply, it is extremely difficult for organisations to keep pace with change and have visibility of every action. Or is it?
If you would like further details on our common-sense approach to risk mitigation, or simply want to improve your corporate security posture, then please contact us at https://www.jazznetworks.com