As a result of working with many different business units over the last decade, I’ve developed my ability to help companies bridge the gap between business and technology and align technology strategies with business objectives. Toward that end, I have devised the scenarios detailed below, which translate infosecurity concepts into language that team members can understand based on their own specialty areas.
My goal is to initiate a dialogue among business unit managers so that we may work as a team to mitigate internal and external threats. The truth is, without awareness, buy-in, and participation from every business unit, a company will never engage all of its employees in the company-wide objective of practicing infosecurity. Throughout this post I talk about “IT departments,” but remember that this department encompasses many different areas of expertise. The IT department of the old days no longer means simply fixing computers and setting up networks.
MARKETING & PUBLIC RELATIONS
Since this team is responsible for building brand equity, communicating competitive advantages, and interacting with members of the media, they speak a totally different language than those of us in the IT space. So, in order to train these folks to be smart computer users, I use this situation: You write a 20-page annual report, tweak all of the graphics, add all of the financial data, and are ready to send the file to the printer. Instead, the IT department is called in to check the marketing department’s files on the shared server because, at some point, someone in marketing found a graphic on an insecure website at home and brought it in on a USB drive or a BYOD device. Because that user’s own device did not have up-to-date malware protection, the virus came along with the image and attached itself to the document when the graphic was inserted. Now, not only is that file corrupted, but files from other departments on the same server may become corrupted as well. And, to add insult to injury, the entire project has to be redone.
SALES
This is the group of team members who live on the road and in the field. They need their tech tools to work 24/7/365. A major challenge is the use of BYOD in today’s business environment: employees have not only work product on their laptops and other devices, but personal information too. Because these devices serve multiple purposes, there is a greater chance that they will be either (a) stolen or (b) infected. The more time those devices spend out in the open, the greater the possibility of theft. The more they are used for personal entertainment, the less likely it is that their malware signatures are kept up to date, and the less vigilant the user tends to be. People drop their guard when it comes to personal devices.
Finally, every device, especially one containing confidential sales data, should be encrypted. While encryption may be better tolerated in a business environment than on a personal device, that is no excuse not to use it on personal devices that are used for business. People want to whip out their devices to take a picture or send a text, and they don’t want to enter a password before they can get in. As a result, they may try to disable password protection, which defeats the reason the password was put on the device in the first place.
So, here is a situation that they can easily understand: You are driving to an important meeting with a prospective customer, and upon arrival you get a phone call from an existing customer with a question. Still in your car, you turn on your device to check the customer’s account. But wait. Instead of starting normally, it shows a blue screen of death or its equivalent. What happened? Perhaps one of the social media games or apps you have been playing on your device opened the door to a virus or other malware. Of course, there are countless other possibilities, but for employees who work on the road, their systems need to be kept as clean as possible.
CUSTOMER SERVICE
At most companies, this is the group of team members who answer the phones and respond to emails. Their job is to provide solutions to customer complaints and issues, so their computers, phones, and every other tech tool, from desktops to mobile devices, need to be in top-notch condition. Here is a situation these team members would prefer to avoid at all costs: A customer calls and complains about a certain product or product feature. While you (the customer service rep) are on the phone with the customer, your system crashes, and you cannot access your product spec list, your email (which you need to communicate with the customer), or your CRM system. When the IT department checks out your machine, it discovers something unpleasant: your browser history shows that you logged into Facebook and other social media sites several times during the day, and these unsanctioned activities let in a virus, or two, or three.
FINANCE
These team members deal with all aspects of a company’s financials, so all of their software must be virus-free. Here is a scenario that members of this department have nightmares about: In the middle of payroll preparations, the entire system goes down. The IT department doesn’t have a quick fix. The software vendor’s toll-free customer service line doesn’t have a quick fix. And if a solution is not reached soon, payroll will not happen. Now, while this scenario may have nothing to do with the company’s network, the IT department must jump on the problem immediately and act as a liaison and partner with the vendor’s customer service department. Of course, in the background, if the IT department is doing its job correctly, and if the business unit has been working with IT, which is just as important, there should be backups and a disaster recovery plan that will get the department back up and running quickly. But priority one in this situation is for the finance group and the IT department to work together and understand one another.
HUMAN RESOURCES
Whatever name you give this department, it is responsible for all personnel activities, from hiring to firing to team building to holiday parties. One might think that the computers housed in this department would be kept under lock and key, since they hold every employee’s records. Often, that is not the case. Here is a situation that really happened not too long ago: An employee from HR left for the day without closing and locking his office door. Some consultants who worked in another department walked into the HR office, unplugged the laptop, and walked out of the building with it. While this seems like a simple theft, a password required to access the hard drive and encryption to scramble its contents could have prevented access to the data. But there was no password protecting the machine, and it was not encrypted. The result was identity theft for the hundreds of employees whose files and performance reviews were stored on that one machine.
RESEARCH & DEVELOPMENT
Imagine you have a hot new product in the pipeline that might be the next technology game changer, the next iPod, for example. All of your tech specs, design information, and manufacturing processes live on a network that is not air-gapped. Someone in your department downloads a free game, which turns out to be a Trojan that creates a back door into your network, in other words, a way into your systems without proper authorization. One day you come into the office and all of your data is corrupted or, worse and increasingly common nowadays, it has been disseminated on the Internet or stolen by an individual or a nation state. No regular backups were made, and poof, two years of your life and the next “product of the year” go down the drain. This is corporate espionage at its worst, and it is the reason no one should be allowed to download unauthorized materials from the Internet onto any office computer. This is where the IT department needs to really shine, by learning how to teach the different business units about security awareness.
The bottom line is that we, as infosecurity professionals, must speak with other business units in their own languages. If we can achieve this, then employees in those units will understand why security is important to them, how it relates to them, and how they will be affected when breaches happen. And once all business units work as a team, the business is better protected.
Image Credit: David Castillo Dominici via FreeDigitalPhotos.net
This post was brought to you by IBM for Midsize Business and opinions are my own. To read more on this topic, visit IBM’s Midsize Insider. Dedicated to providing businesses with expertise, solutions and tools that are specific to small and midsized companies, the Midsize Business program provides businesses with the materials and knowledge they need to become engines of a smarter planet.