CISO Stories: Part Two

Boris works as the global chief information security officer and head of data protection at an international charity based in London, is married to a paramedic, has two children and lives in Essex. He is ex-military and currently on the reserve list and works for an organization that also includes numerous ex-military employees.

He was managing a team of security professionals when the pandemic forced IT departments around the world to equip their employees with the tools and training they needed to protect the organization from cyber-attacks. He explains that, for the most part, as they are a humanitarian organization with requirements to deploy at short notice when needed, most people were equipped with laptops, although some desktops needed to be replaced. They also benefited from working in a ‘cloud-first’ environment and have even recently closed their last data center.

The Tech

The charity has an in-house vulnerability testing team who run vulnerability assessments against applications and the network. They have been relying on what comes out of the box in Microsoft but are looking to purchase 'add-ons' to improve their threat protection. They run phishing simulations to measure security behavior and have seen an increase in ‘phishing’ and ‘spoofing’ since the start of the pandemic. This is probably due to an increase in email traffic, as people are no longer able to walk around the corner and have a conversation with colleagues.

The charity has added a banner which alerts the employee when an email is external and didn't originate from inside the organization. Unfortunately, the charity’s own material is being used, probably cut and pasted from websites, to make it look as though an email is internal when it isn’t. Another issue they are seeing is employees being told their hard drives are full and that they need to input their credentials in order to increase the hard drive capacity. The worst instances, morally speaking, are when someone sends out an email purporting to be from the charity, pulling on the heartstrings of the user and asking for donations, benefitting financially while the charity loses out.

The importance of integrating new technology was previously raised frequently but there was resistance to change, until people were sitting in their living rooms accessing company networks and data. There is pressure on security teams to deliver as well as provide evidence of success, when good insightful metrics aren't always available.

However, security has been pushed up the agenda so much that there is major investment on the horizon and so he feels confident that things will get better and is hopeful some exciting new products will support teams like his to manage risk in the future.

Training

They've only recently made cybersecurity training mandatory, as part of the requirements for 'Cyber Essentials'; the training was annual, but will now be quarterly. He reports numerous issues in getting all employees to complete mandatory training, such as having access to the right system and whether the training is being delivered in the right language: a big issue when you are a global organization. As a charity, they have to be flexible and have a hybrid approach which includes offline and online content material, such as printed PowerPoint presentations. In these situations, they are heavily reliant on HR to deliver the training and provide the materials to employees. Encouragingly, they've been setting up specific training tailored for certain people, in addition to the generic training, which he hopes will be useful to specific groups.

It's easy for training content to quickly become out of date and irrelevant to current threats and hard to keep it fresh and relevant, he states. As an organization they try to train people to develop good hygiene which can be useful both at home and at work, rather than simply telling them what to do, and he actively seeks out the comms team and gets them involved to get the messaging right. They have an internal comms bulletin and try to time security pieces so employees are not overloaded with information at busy times.

Fundamentally, he believes it's important to make training personal and relevant to employees' daily lives, including how to protect their children from cyber-attack at home. The key to success, Boris states, is to regularly talk about security through every channel, such as lunch and learn sessions, so that it begins to 'bubble' in people's minds and, hopefully, when a situation arises, they will do the right thing.

He believes cultural changes take too long organically, and 'nudges' help to guide people along, in the right direction.

People, Behavior and Culture

The onboarding process, when new recruits join an organization, is now more efficient in terms of security training, in that new employees are immediately requested to undertake security awareness and data protection training before they are able to access the rest of the network, whereas previously they had three months to complete it, putting the organization at significant risk.

However, he reports that employees fail to see security as their problem and are not engaged with its importance or value. They only care that the machine in front of them works and that they can use their critical systems on a day-to-day basis. When they can't get access, then it becomes a problem, he claims. Boris thinks it's too early to tell if working from home has had an impact on employee behavior in terms of cyber and information security. He does, however, believe a security culture exists, though he can lead horses to water but can't make them drink. If employees are thinking at all about security when they go about their daily tasks then they are contributing to a good security culture, he states.

Perhaps concerningly, some areas of the business have seen a significant increase in the reporting of cyber issues. Organizations, however, need to be careful of incorrect reporting: confusion over what an incident is and how to report it can have a significant effect on security incident statistics. Their incidents hadn’t actually increased; it was simply that minor errors were being reported as major incidents.

Boris believes there to be a significant risk to employee wellbeing. Employees, including him, are struggling with the number of video meetings and the time taken to sit in front of a PC. He reports that boundaries between people are not respected with meetings being placed in people's diaries even without their knowledge. Boris adds that the additional stress that employees are experiencing at the moment is the biggest problem of all and severely affects motivation, both in terms of fulfilling the tasks of their job, but also additional tasks such as changing passwords and encrypting emails etc.

Another issue, he reports, is a distinctive shift to more micromanagement and less trust in employees being able to do their jobs, as a result of the move to remote working in response to the pandemic. He also believes it is easier for people to have perceptions that are not necessarily representative of the truth, as all conversations are formal and there are fewer opportunities to 'have a chat' and explain your perspective. Offering employees the opportunity to give feedback in a safe environment, which often depends on the management style of their line manager, is extremely important in understanding what the issues are.

Generally, Boris feels there is an increasing lack of flexibility in being trusted to do one's job with more focus on PowerPoint presentations, exacerbated by COVID and the transition to remote working.

Busy people are prone to attacks, he says, and also people who are in public and entering their credentials within sight of an attacker. Insider threat is a real problem for organizations, whether employees are opportunistic or intentionally committing fraud. As they are a charity, it is a little less likely that they will experience internal fraud, but, as mentioned previously, spoofing is a big problem where individuals pretend they are employees at the charity and ask for donations for their own benefit.

He notices a distinct lack of motivation with lazy attitudes to security. That's when the technical measures need to be robust, he states, especially when employees do not want to follow policy.

However, as they work for a charity, they all have a common goal and purpose to save the vulnerable, which makes it easier to unite. He warns that one of the biggest problems he has seen is when organizations push the concept that 'security is everyone's responsibility' and then wonder why no individual takes responsibility, as it is seen as a collective issue. Critically, individual employees must not over-rely on technology and must be careful to recognize and report potential threats in order to protect themselves and the organization from harm.
