If you haven’t heard, October is National Cyber Security Awareness Month (NCSAM). NCSAM is sponsored by the U.S. Department of Homeland Security and the National Cyber Security Alliance, and each week of the month has a different theme. The STEALTHbits team will be observing the month with a new blog post on each week’s theme. So stay tuned to catch all the NCSAM info coming your way.
The second-week theme for National Cyber Security Awareness Month (NCSAM) is “Cybersecurity in the Workplace Is Everyone’s Business.” STEALTHbits spends a lot of time talking to folks about changing their security culture. After all, we spend most of our time dealing with human-generated data – the unstructured data in files, folders, and in the cloud. How often do you send files to coworkers through email or collaboration platforms? How many times do you export data from an application into Excel or other file types to do analysis on it? I’m sure your answer was similar to “pretty often” for those last two questions. But how about this one: “How often do you think about the security of those files you send around?” I’m sure you do spend some time thinking about that. These days, stories about online breaches, lost laptops full of sensitive information, and massive ransomware outbreaks have everyone thinking about information security more than they used to. Security pros are always looking to raise awareness and have everyone think about it more. You should think about it every time you hit send, but that isn’t very concrete advice.
What I would like to offer is a way to help your security and IT folks out. We have all done things with data that we knew were wrong. People send a work document to a personal email address to get it onto their personal device. Maybe you’ve seen someone use text messages, instant messaging, or other side channels to send data around because it seemed like the fastest way to get it out. I bet each time this happens, some if not all of the people involved know they are doing something that puts that data at risk. “But if I hadn’t done it, I couldn’t have gotten my job done.” The security folks get that, too. IT and security are always working together to figure out ways that enable you to get things done without creating risk along the way. So here is what you should do. Do the bad thing. We all know you have to in the moment. But then take a moment, write out a few sentences about why you had to do it, and send that to your IT folks. Believe me, they will know you did the bad thing, so you’re not outing yourself. What you will do is tell them something they don’t know: *why* you did it. If they know why, that will help them immensely in creating a way for you to do it that is just as fast and easy without creating the risk. Sometimes that will mean helping them make the case for a secure collaboration tool everyone knows they need but are struggling to convince the executives to invest in. Sometimes that will mean them suddenly understanding some workflow they never understood before, giving them the chance to get creative about securing it. In every case, knowing why you’re creating risk with the organization’s information will mean they can better help protect you, the organization, and themselves.