A Tale of Corporate Hair and a Security Schmuck
A corporate executive room furnished with leather sofas and heavyset tables.
Some guy in a suit, a Double Windsor knotted tie and an impressive mop of corporate hair. He must be important, maybe even the CEO.
Oh wait! He’s about to speak!
“My fellow employees, hello. I’m an important executive of this company, which you can tell by my impressive corporate hair. I might even be the CEO. I’m here to discuss with you a most dire subject — the security of our data.
Yes! I know nothing about it nor do I care, but that security schmuck told me I have to talk with you because if I say it’s important you are bound to change your behavior and stop doing those idiotic things you’re doing, you know — clicking on
invoices sent from mines in Nigeria, using random file transfer services, downloading torrents at work and telling the Security Schmuck that it’s all his fault.
My fellow employees, stop being idiots now otherwise the Security Schmuck will force me to do another movie next year and I’ll have to fire his ass because I can’t stand him.
I thank you for your valuable time.”
I can’t tell you how many times I’ve sat down as an auditor or as a consultant and viewed such movies, next to a proud, grinning head of security who believed that getting his CEO to say a few words from his leather-furnished suite was the height of his career. Too many CISOs I’ve met believe that:
a. People care about security described in generic terms (“It’s really important! If you don’t follow the guidelines we’ll be very sad!”)
b. People care more if the generic-oh-my-god-you’re-boring message comes from a company executive.
So let’s get a few things straight:
No seriously, you chose a profession that relies mostly on telling people not to click links; it’s not the most exciting job out there.
You don’t know much about motivating people
What might seem to you the most important thing in the world (hey, we all know that salted hashes are sexy, and ShellShock is the most exciting thing that happened in the last 20 years) is not necessarily seen as such by the general population.
The fact that you have security in your title doesn’t mean people will listen to you
So all is lost?
Not so my friends, there is still hope. Read on.
If you’re looking to raise awareness in your organization you need to first answer some basic questions:
What am I trying to achieve?
You’d think this is quite obvious — “to raise the awareness in my organization”. Well, there you go again with your generic messages. Stop that.
Employees get an administrative information overload. If you work in an enterprise, you can expect 3–5 messages a day coming from the company reminding you that achieving your goals is good, money laundering is bad, and announcing the appointment of Jose Smith to the position of Director of Corporate Vegetables. You can’t expect your important message of SECURITY IS THE BEST to get through the general buzz.
You need to focus your message.
Find out what your biggest problems are. Employees sticking their passwords under their keyboards? (Jesus people, it’s so eighties, stop doing that already) Everyone hits every random link being sent from Nigeria? Your IT people are running a torrent server on your mainframe?
Focus! Find the thing that hurts you most and prepare messages that tackle the top 4–5 issues max. Any more and you’re going to lose them.
How do I make people identify with that message?
Let’s use an analogy. We’re doing a film again.
Grease-smeared garage.
A mechanic in a dirty blue coverall limping towards the camera while waving his monkey wrench in a threatening manner.
“DA MOST IMPORTANT BIT IN YER ENGINE IS YOUR HYPER BOOSTED CARBOGRATOR. IF YA DON’T TOP UP YOUR CLUELESS FLUID EVERY SECOND MONDAY OF THE MONTH, YOUR CAR WILL EXPLOOOODDDEEEE”.
Funny? No. Not funny. You sound exactly like that when you talk about “mälware”, “phïshin̂g” and “ cŕòss ṽeċtor c̃̂yp̈̈̈̈her ĩ̆nfringing äẗẗäc̈k̈s̈”. Yes, you do sound like that.
What to do? Make it about something they know and care about. Make it about their private information, pictures and potentially life outside work.
Let us use this simple conversion table, which I shall name “The Human-Security-Officer-Interaction-Table”:
What you say: Obey the password policy! Use a combination of numbers and characters and bla bla bla!
What you should say: If I gain access to your password, which you probably use across multiple services, I won’t just be able to email the CEO on your behalf demanding a raise; I’ll try that password on every other online service you use and try to gain access to your Facebook.
What you say: Phishing emails are very dangerous and may lead to the total compromise of perimeter defense yada yada yada.
What you should say: Antivirus and all the other nifty security tools we have installed on your computer cannot protect you from such attacks. The handsome muscular security officer cannot protect you from such attacks. Almost all attacks can be prevented by you. If you don’t recognize it, DO NOT CLICK. If you suspect it, DO NOT CLICK. If you have an unexplained urge to click, RESIST IT. If you click random stuff, all your stuff will be gone. Or worse.
How do I deliver the message across to everyone in my company?
Security officers — meet the future. Future — meet security officers. Those are the slightly shabby, gabardine-wearing people in the corner under the cobwebs.
Security officers, I want to introduce a very important concept to take into account when building an awareness program. Are you ready? Here it is:
STOP USING BLOODY POSTERS.
I’m sorry, I get overexcited when discussing this sometimes. You have so many options to deliver your message: company intranet, tailor-made websites, videos delivered to your mailbox, videos at company canteens, e-learning, mobile apps, daily pop-ups.
Yet every damn company out there is using posters hanging slightly askew, collecting dust and dead flies. Posters are gone. Done. Dusted. Six feet under. Am I getting through yet? Stop using them.
How do I make it interesting for people?
Don’t stop at passive messages. Think of how to excite people without the use of illegal hallucinogenics.
Quiz them — give them nice prizes (two tickets to the cinema, cheap — everyone likes them)
Exercise them — anything from an incident/phishing simulator to people pretending to sneak into the office and trying to steal stuff. Be sure to inform the people who do physical security, OK?
Theme them — do a whole theme week around security. In a past project I did a whole week themed as “The Departed”, where people were getting notes left on their desks with clues about who the mole was, and we had someone who was not a member of staff working in the office whom they needed to discover.
Annoy them — I’ve done a project with a company that had a very strong brand value/presence. All of their facilities were branded top to bottom. Imagine a whole campaign based on using the brand of the competitor. E.g. — if you don’t keep your data safe, you’ll have the competitor all over you.
And the last and most important advice you’ll ever receive in the field of security awareness/campaigns:
Whatever you do, for the love of god, involve your corporate communications people from day one. They own the communications. They own the brand guidelines. They own the delivery mechanisms. If you do not consult with them from day one they will shoot you down. Sometimes for a good reason.
Heed this warning, it was learned the hard way. Thrice.
So there you have it in a nutshell.
It’s doable, and normally the most fun part of our dreary everyday existence. We get to go out, meet new friends and scare them.
And always remember children, behind every security awareness campaign there is an idiot clicking a link.