Harden Your First Line of Defense with Trust
You often hear in the cybersecurity world that staff and employees are the weak link. This is a poor way of thinking about a very vulnerable, maybe your most vulnerable, attack surface within your network. Taking such a negative approach leads to practices such as running phishing tests on employees or scattering USB drives in the parking lot. These techniques create a fear-based environment in which your employees become embarrassed when they make a mistake. In a nutshell, it erodes Trust! Creating an environment like this ensures that your employees will stop asking questions and become less secure for fear of making a mistake.
In “The Infinite Game”, Simon Sinek poses the question: How do we create an environment in which people can work at their natural best? How does this question play into securing our networks? It is an interesting question, and one that revolves around the same principle of security leadership that Simon Sinek speaks about: human behavior. As you listen to Simon Sinek, he eventually provides an answer on how to build this trusting environment: “If you want to play the infinite game, you have to take responsibility for building trusting teams.” Thus, if you want to harden your First Line of Defense, you have to take responsibility for developing trust between employees and your security team. Creating this trust will ensure that your employees ask about an email that doesn’t seem right before clicking on it, or come to you immediately with concerns when they have clicked on a link they are unsure of, without fear of reprisal. Trust, in fact, is so important that your network security depends on it.
Trust is built through education that is a partnership between the security team and the staff, not a test. In a recent blog I read, Chelsea Brown, an independent security advisor, advises: “Training your employees to have privacy and security be a natural and comfortable choice not only increases your enterprise security overall, but it will allow employees to adapt better to security changes and implementations in the future.” This is a powerful observation, but one that cannot be achieved until you have developed trust with your employees.
So within the security context, how can you build this trust? It first requires a new-normal way of looking at security. Within the world of email, this can be accomplished by helping your employees understand that some emails carry greater risk than others. Outside emails are infinitely more dangerous than internal emails, so tag outside emails with a banner warning your users that the email came from outside. In my company we have put a banner in bright yellow reading “CAUTION: This email originated from outside of the Company. Do not click links or open attachments unless you recognize the sender and know the content is safe.” Another technique is to associate employee pictures with emails that come from the inside. Seeing the staff picture with the email, and no outside banner, acts as a second factor confirming that the email originated from who it is supposed to originate from; it helps the staff identify the email as legitimate and safe, and most importantly it builds trust.
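The tagging rule described above, written out as a small gateway-side filter so the logic is explicit. This is an added example, not the author's configuration: it assumes a mail gateway that stamps an Authentication-Results header, a constructed org domain (example.com), and three constructed sample messages. The one caveat it encodes is that "no banner" is only a trustworthy signal if a message showing an internal From address still gets the banner when it fails DMARC.

```python
import email
import email.utils
from email import policy
from email.message import EmailMessage

# Banner text is quoted from the post. ORG_DOMAINS and the sample messages
# below are constructed for this example.
ORG_DOMAINS = {"example.com"}
BANNER = ("CAUTION: This email originated from outside of the Company. "
          "Do not click links or open attachments unless you recognize "
          "the sender and know the content is safe.")

def parse(raw: bytes) -> EmailMessage:
    return email.message_from_bytes(raw, policy=policy.default)

def is_external(msg: EmailMessage) -> bool:
    """Treat a message as outside mail unless it both carries an org-domain
    From address AND the gateway recorded dmarc=pass for it. A message that
    merely displays an internal address but fails DMARC still gets the
    banner; otherwise the absence of a banner would mean nothing."""
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain not in ORG_DOMAINS:
        return True
    auth = msg.get("Authentication-Results", "").lower()
    return "dmarc=pass" not in auth

def tag_external(raw: bytes) -> EmailMessage:
    """Prepend the caution banner to the plain-text body of outside mail."""
    msg = parse(raw)
    if is_external(msg):
        body = msg.get_body(preferencelist=("plain",))
        if body is not None:
            body.set_content(BANNER + "\n\n" + body.get_content())
    return msg

# Constructed samples: a genuine outside sender, a genuine inside sender,
# and a message that only claims an inside address but fails DMARC.
EXTERNAL = (b"From: Vendor <billing@partner.net>\nTo: pat@example.com\n"
            b"Subject: Invoice\nAuthentication-Results: mx.example.com; "
            b"dmarc=pass header.from=partner.net\n\nPlease see attached.\n")
INTERNAL = (b"From: Pat <pat@example.com>\nTo: sam@example.com\n"
            b"Subject: Lunch\nAuthentication-Results: mx.example.com; "
            b"dmarc=pass header.from=example.com\n\nNoon?\n")
SPOOFED = (b"From: Pat <pat@example.com>\nTo: sam@example.com\n"
           b"Subject: Urgent\nAuthentication-Results: mx.example.com; "
           b"dmarc=fail header.from=example.com\n\nPlease handle today.\n")

if __name__ == "__main__":
    for raw in (EXTERNAL, INTERNAL, SPOOFED):
        print(tag_external(raw).get_content()[:60])
```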
Another technique we have adopted to help build this trust is using non-persistent VDI desktops. We have trained our employees that if they ever feel butterflies after clicking on an attachment or link, or after visiting the wrong website, they should save their work and log off their machines, effectively destroying any payload that was downloaded, and then log back into a clean machine. After logging back in, they are to notify security staff, and their account is flagged to be watched more closely with AI automation. No repercussions, no berating, just a “thank you” and a “good job” for helping us do our job.
Developing a security education strategy that is focused on Trust is both easy and inexpensive, but it takes ownership and responsibility from the security leadership. It often takes one-on-one interactions between the security team and the staff, training them on how to spot phishing emails or the indicators that they have been compromised. All-hands meetings, where questions and concerns are fielded, also provide the intimate setting in which trust can be established and developed over time. The reality is that, in security, hiding behind a memo or an educational video is the old way of training your employees. Being front and center, teaching them the tools to identify potential issues early, and creating a trusting relationship that ensures immediate notification is what we should all be striving for in the new-normal.
What are your thoughts? How are you building trust with your staff to help reduce your attack surface?