Celebration Time Oh No!
A company just raised $200M in funding. The news is shared, and everyone is excited about the growth the company is experiencing. Someone suggests having a party to celebrate at a rooftop somewhere in the city where the company is located. The party is scheduled, and the name of the venue, its address, and the date and time are shared with everyone in the company. Lastly, the food and drinks at the venue are also announced. Everyone who wishes to attend the party heads out of the office early to celebrate. It is the next day and everything seems to be going well. No alerts or anything critical that I need to work on. Who doesn't like these types of relaxed days?! But then I realize I have forgotten something. I can never feel relaxed when I know deep down that information security is everyone's responsibility: a fundamental principle of the field is that every individual in the organization is responsible, according to their role, for the security and protection of the company information and IT resources under their control. Then I realize that my job is much harder because I need to be realistic and assume up front that not EVERYONE will share this fundamental principle and hold true to it. This is why I not only love my profession but also encourage others to understand the benefits of following proper information security principles, especially when I relate those principles to their respective role. But what happens when the problem does not lie with the individual but with the company itself? How do we tackle this challenging problem?
Tackling the Root of the Problem - Culture
Culture is everything at a company. It is also one of the most overused words when explaining why a company exists. Culture this, culture that. However, we cannot push culture to the side and think of it as a minor impediment, when in fact it is the root from which a whole range of problems can originate. When we mention problems, we aren't just talking about information security problems. We are talking about every other problem a company can experience too: financial instability, turnover, poor leadership, the list goes on. What I am trying to get at is that if a company's culture is not aligned with the values of the company, then it will not only reflect a very poor image but will also begin to lead others down a path of wrongdoing. This is why you need to tackle culture first. Identify the values your organization stands behind, and make sure that those values are well represented in the organization's security program. Without embracing this principle and acting on it, you are going to grow more problems. A CISO, or someone in a similar role, should be able to communicate clearly with the CEO that embracing good cyber hygiene and making it part of the company's overall culture will reap substantial benefits and ultimately put the company in a position to secure more success down the road. Let's now go into detail on an experience I had that resulted from an ineffective culture.
Lost or Stolen Device - An Inevitable Problem
I had to learn the hard way that a device, specifically a laptop, is bound to get lost or stolen. It must have happened a total of six times at a former company I worked for. The good thing worth mentioning is that it was not recurring. Why do I say this? When something is recurring, it builds up risk. The more risk you build up, the more potential there is for assets to be lost, damaged, or destroyed.

For example, a device (in this case an asset) is at risk when its disk is not fully encrypted. A device is also at risk when the employee does not lock it. Although many organizations now use software such as MDM (Mobile Device Management), or GPO (Group Policy Object) in a Windows domain environment, to enforce screen lock policies, such policies can be tuned to a point where risk is still high, especially when your policies favor usability and performance over security. This is why you need to find a balance that ensures you are still combating risk. Testing the policy on a pilot group and gathering feedback from those users is beneficial. However, remember that security is a team sport, and if one person is not being a team player, then the whole team is affected. The same can be said when you have that one really good player on a team and everyone expects that player to carry the team, when in reality one person does not make the team.

One experience I had was when someone sent me a direct message on Slack about losing their work laptop at a company party. The laptop was encrypted, but it was not checking in online, so we could not geolocate it. The individual told me the last known location of the device and said that they had no customer PII on the laptop. I informed InfoSec right away, as well as HR, because we learned a few hours later that another employee had also lost their laptop. Why was HR informed if no customer PII was involved?
This is a decision I made myself, without consulting InfoSec first, for several reasons:
- Since alcohol was available at the party, we had to assume that many people got drunk, and that many of those people had brought their work laptops, because the event was scheduled shortly after work and few went home first to safely store their belongings and work laptop. That could easily have resulted in more lost or stolen laptops that we were unaware of.
- A manager from another team had informed a former manager of mine that their direct report did not know where their laptop was, so they requested another laptop in order to keep working. What happened to this person's laptop, and why did you take so long to tell us about it?!
- All of this was, of course, after the party. So this is why I made the decision to also get HR involved, as they are just as responsible for ensuring that employees conduct themselves in a manner that does not recklessly or negligently endanger the company.
No company-wide email was sent following this really bad experience, which thankfully ended with me locating the laptop together with the employee after asking them various questions. I even got them a chocolate bar, since they were very polite with me; they apologized and understood that they had caused more work for my entire team. The company-wide email I would have liked to see sent out, from both the InfoSec and HR teams, would say something along the lines of being responsible with company property to reduce risk, and that any future parties would be scheduled at a time that allows employees to go home and safely store their work laptops first. I think this is simple, yet it raises awareness about the potential risks involved when someone loses their laptop or has it stolen, since the company had already experienced it before.
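The two technical controls this section leans on, full-disk encryption and an enforced screen lock pushed through GPO or MDM, can be audited on each endpoint before a laptop ever goes missing. The script below is an added example written for this post, not code from the original author or from any product the post mentions. It assumes a Windows 10/11 machine with the BitLocker module available, reads the policy-backed registry locations that Group Policy writes for the machine inactivity limit and the per-user secure screen saver, and treats 900 seconds (15 minutes) as the longest acceptable idle time; that threshold is an illustrative assumption, so adjust it to match your own policy.

```powershell
# Added example (not from the original post): audit one Windows endpoint for the two
# risk conditions described above, an unencrypted system drive and a weak or absent
# screen lock. Thresholds and interpretation of "compliant" are assumptions for illustration.

function Get-ScreenLockPolicy {
    # Machine-wide limit set by the GPO "Interactive logon: Machine inactivity limit".
    $sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $machineIdle = (Get-ItemProperty -Path $sys -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs

    # Per-user screen saver settings written by the User Configuration GPO
    # (values are stored as strings under the Policies hive).
    $desk  = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $props = Get-ItemProperty -Path $desk -ErrorAction SilentlyContinue

    [pscustomobject]@{
        MachineInactivityLimit = $machineIdle
        ScreenSaverActive      = $props.ScreenSaveActive
        ScreenSaverSecure      = $props.ScreenSaverIsSecure
        ScreenSaverTimeout     = $props.ScreenSaveTimeOut
    }
}

function Test-EndpointHygiene {
    param([int]$MaxIdleSeconds = 900)   # assumption: 15 minutes is the longest acceptable idle lock
    $findings = @()

    # 1. Disk encryption: the post's first risk condition. Reading BitLocker status
    #    normally requires an elevated session; a null result is reported, not ignored.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if (-not $os) {
        $findings += 'BitLocker status could not be read (module missing or session not elevated)'
    } elseif ($os.ProtectionStatus -ne 'On' -or $os.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "System drive not fully protected: Protection=$($os.ProtectionStatus) Volume=$($os.VolumeStatus)"
    }

    # 2. Screen lock: accept either an enforced machine inactivity limit or an enforced,
    #    password-protected screen saver, as long as the timeout is within the threshold.
    $lock = Get-ScreenLockPolicy
    $machineOk = $lock.MachineInactivityLimit -and ([int]$lock.MachineInactivityLimit -le $MaxIdleSeconds)
    $saverOk   = ($lock.ScreenSaverActive -eq '1') -and ($lock.ScreenSaverSecure -eq '1') -and
                 $lock.ScreenSaverTimeout -and ([int]$lock.ScreenSaverTimeout -le $MaxIdleSeconds)
    if (-not ($machineOk -or $saverOk)) {
        $findings += "No enforced screen lock within $MaxIdleSeconds s (machine limit=$($lock.MachineInactivityLimit), saver timeout=$($lock.ScreenSaverTimeout), secure=$($lock.ScreenSaverSecure))"
    }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Run the audit for this machine; a non-compliant result lists what to fix.
Test-EndpointHygiene -MaxIdleSeconds 900 | Format-List
```

Run it in an elevated PowerShell session on a domain-joined laptop (or push it through your MDM as a compliance script) and collect the `Compliant` and `Findings` fields centrally; a device that reports no enforced lock or an unprotected system drive is exactly the one that turns a lost laptop into a data exposure rather than a hardware replacement.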
Good Cyber Hygiene Makes Everyone Happy
Practicing good cyber hygiene in both the good times and the bad times a company goes through is a must. It is non-negotiable: every company in the world needs to realize that cyber security has massive value when it comes to securing a successful future for the company. Nobody wants to harm their company's reputation, regardless of whether the company has ever been breached. If a company's culture values cyber security and cherishes it to the point where it is part of an ongoing conversation about staying resilient and, most importantly, being proactive when an incident does occur, then that company has an effective culture that embraces good cyber hygiene!