What did you just dump?
Imagine finishing a delicious cup of coffee and availing yourself of the facilities in your workplace, and on the door of said restroom you notice an educational message from your cyber security team: "what did you just dump?"
For context, there is an accompanying photo of a waste paper basket showing discarded papers with credit card numbers, expiry dates and CVVs clearly visible. Simple message: think about what you throw in the trash and ensure you shred confidential and/or personally identifiable information. However, it's delivered in a way that you'll probably never forget!
This didn't actually happen. My mentor suggested it but management shut it down, thinking that it would not resonate with the conservative nature of the organisation we worked for. However I'm sure you get the point - and with a creative mind, you can come up with one or many ideas of your own to educate those in your workplace about cyber security risk management. Remember, you don't have to be a cyber security expert to do this, you just have to take the resources available and contextualise them for your workplace.
In my last blog, just before my coffee ran out, I started to give an example of how a cyber security expert might do this. Through research, we found that a specific threat exists: a particular type of malicious software is stealing passwords from millions of people around the world. We also know that people tend to reuse passwords, so with all this password-stealing going on there's an increased risk that our organisation might be breached by attackers. So, we might run an education campaign about password security and the wonders of multi-factor authentication to mitigate that risk... Although who'd listen to that? Those messages are about 20 years old now!
Instead, what about running a campaign on that topic, but making it about social media, banking, eBay and PayPal passwords? Sure, it's not related directly to our workplace, but remember the piece of the puzzle I mentioned above: people often reuse passwords. It's very likely for people's Instagram and corporate email passwords to be the same. So, indirectly, by teaching people to secure their personal digital lives, our corporate environment becomes safer. People are more likely to listen to our messages if they're presented with creativity and are relevant to them.
That's what I'd do, and have done in many organisations over the years. I once needed to deliver a message to an audience of over a thousand medical professionals about the shortcomings of email, especially that emails can easily be faked. Rather than explain how SMTP servers which don't implement one or more of the modern security measures, such as DMARC, are susceptible to email forgery, I told a story. The organisation I was working for at the time was just beginning its social media journey, and to seed the development of followers, it asked all of its employees to "like" its page and spread the word to their families and friends. I dropped a link into an email and blasted it to about 20 friends and family, and most of them blindly clicked on the link and "liked" the organisation's page.
Not my mother. She emailed back with "my son told me not to trust emails, this looks like a scam!" I was busy at work so I emailed back saying "it's ok, it's me", but of course that wasn't good enough for her. She emailed "ok then, if you are Mike, what was the name of our 2nd cat?" All of this was met with raucous laughter from the audience of doctors and nurses, and I'll bet they didn't forget that story or the message behind it.
I'd go a step further in this case too, considering that an attacker might target high profile individuals such as the company CEO after finding their compromised Facebook or PayPal accounts. I'd expect the attacker to try the same password on the company's remote login or email system, so I'd talk to my management about the best way to deliver that message to the board, CEO or relevant high-ups, to ensure they're prepared.
As I said above, you don't have to be a cyber security expert to do this. Many organisations now employ individuals in the cyber security department who are deliberately NOT cyber security experts, but are experts in communication or writing, for example. The Government's Scamwatch website is designed to provide up-to-date information for businesses and individuals about cyber threats, so have a look at it from time to time, see how these threats might become risks in your organisation, and start dreaming up creative ways of delivering those messages!
If you can do all that, you've arguably started the NIST CSF process by:
1. Deciding your organisation's cyber security risk management strategy (govern)
2. Understanding your risks (identify)
3. Taking steps to secure your environment (protect).
...sure, it's slightly more complicated than that, but those are the basics, and shouldn't we at least strive for that?