Recently large organizations have put a lot of effort in making their employees cyber aware and hence the organization cyber resilient. The legislation about Data Leaks proved to be a catalyst for the need for this awareness. Nowadays, when I step into elevators of several organizations I see beautiful posters which are meant to make employees aware of their behaviour as e.g. leaving passwords on their computers with a ´post-it´, not clicking on dubious attachments (phishing), leaking information etcetera. Now you must be aware that the emphasis is on being cyber aware and I must say that is quite a challenge for organizations where employees are dominated by Generation X and so called Babyboomers. Several of these organizations have recently upgraded to MS Office 2010 and their smartphones from blackberry to the Samsung.
From the stone ages to the 19th century if I might say so. Now you may call me a little bit biased and even pretentious but from where I am standing it takes a lot more to become cyber aware than these kinds of ´old school´ campaigns. Still organizations hope to boost cyber awareness being in a nice traditional, and in my opinion, ineffective way.
I decided to have a talk with several Chief Information Officers to reflect on my assumptions. To my surprise they mostly agreed on my assumptions but said that there where (in general) insufficient funds to do more about getting employees cyber aware. The HR department found the subject to be less interesting, the Board was relying on the IT suppliers for security, Finance was more concerned with cutbacks and Risk Management with their operational risk management of the core business processes. None of the mentioned departments seemed aware enough that our organization was relying more and more on the IT Infrastructure and on Internet portals for their services.
At this moment more and more organizations rely on their web portals and are investing in more digitalisation. Still employees are not aware enough of the vulnerability from a hacking point of view while dealing with these developments. This became critically clear when I visited an annual suppliers meeting. The topic of this meeting was ´Cyber Security´ and the dependency on suppliers to co-create a cyber resilient environment with their clients. I had high expectations of this meeting. There was a solid introduction from the CIO and CISO about the need to be cyber resilient and the dependency on the IT suppliers on this topic. Suddenly we were ´ambushed´. What I mean is after an hour the CISO told the audience that there were three penetration (pen) testers in the room who had scanned our mobile devices like phones and I-pads with a device called ´pine-apple´.
Everybody looked a little bit startled and scared. The pen testers promised however not to share delicate information with the audience but still the atmosphere changed from ´entertaining´ to ´worried´. After their demonstration of what they found e.g. pictures of families, information about travelling behaviour, there was a sigh of relief in the audience.
The example above proves that transforming organizations be cyber aware, takes a lot more than traditional communication campaigns to get the job done. There is a strong need for commitment on this subject from HR, Finance, and Internal Auditing and of course the Board to make awareness interventions like the pen testers organised on the supplier meeting. Why? Because organizations are relying more and more on IT and this means criminals can access internal data and legacy systems if they make the effort. This data might be very valuable to criminal organisations for misuse or simple for the fun of it. Many employees
aren´t in my opinion, aware enough of this risk and certainly not from a point of view that they may very well be the weakest link from a social engineering point of view. They are very loyal so I don’t aspect a big risk from that security perspective along with the ´so called Panopticon effect´ while surfing on the internet within the company.
However, summer holidays are coming, and employees are using their devices (bring your own…) to check out e-mails in the hotel lobby abroad, or to check out the deadlines and finance of critical projects. This kind of naïve behaviour may also very well apply on our main suppliers in terms of social engineering, cyber security measures and countermeasures, and of course applying the security policies of UWV in a rigid way. We´re in it together so let´s make cyber awareness a common subject to invest in. Let´s start with the most loyal and client focussed employees because they are the weakest link when it comes to getting targeted by criminals from a social engineering point of view.