There are no 100% guarantees in information security.
We all talk about it. Often, we turn to technical solutions to solve security problems. For each solution, someone can offer a reason it won’t work. Far too often we end up declaring “breaches are inevitable.” This is where many firms throw in the towel and double down on anti-virus, firewalls, and spam filters.
The truth is often simpler. We’ve “met the enemy and he is us.”
Your Staff is under Attack
Senior management sets the tone for the organization. Security tone should be realistic and empowering. We highlight shared responsibility. Everyone gets the power to say “hold on while we make sure we’re doing the right thing.”
Sophisticated attacks no longer rely on wealthy foreign princes. They claim to come from the CEO or an important business partner. Phishing emails include logos and clear, professional language.
Attackers exploit human fears. They suggest that staff will disappoint the boss. The messages appear urgent. Some offer the chance to avoid public embarrassment. Attackers target staff with access to key information. Our trusted staff face an urgent request to complete a wire transfer or email that customer file. What they need is a few extra minutes to make sure everything is legitimate.
Security is a “top down” Strategy
Technology enables security but it’s driven by policy and organizational culture. Your people are a critical part of your data security posture.
They must feel safe to put the request on hold and verify it’s real. The only way to ensure they feel that power is for the message to come from the top. Regardless of formal power or position, your staff need at least one way to verify a request. That can be a direct manager when the request comes from outside their reporting line. A lateral check with inside counsel works. So does a quick call to the audit department or the information security team.
For this to work, management needs to make the message clear. We tell customers, “We will never call and ask for your password over the phone.”
Senior management needs to send a similar message to staff.
“I will never email or text you and ask you to urgently transfer our client list or other data anywhere. If you think I’m doing it, stop and verify the request in person, by phone with me, or with another leader.”