Information Health & Safety
It’s Monday and that can only mean one thing. It’s time to share! Ok, it can mean other things, but just email me your date of birth and grandparents’ first names for no particular reason…
While I love that you read my words in written form, as usual, if you would rather listen, in either of Canada’s official languages, click here: People Power Everything Podcast (Version Francophone)
At the end of last week, I saw a post on LinkedIn by a person who is a CISO (Chief Information Security Officer) joking about how he works with his wife and she clicked on a phishing simulation email. The title of the post asked if he was a bad husband. She asked him if he could get her out of doing the awareness training. To his credit, he didn’t. Then, the rest of the post was about how funny it is that she clicks on all phishing attempts and QR codes. The comments on the post were all very positive and said that he is a good, loving husband. The post really upset me. Probably more than it should have, but it did. Maybe it should upset us all at least a little more.
I was upset because, as someone who has worked in cyber security for several years, I know that phishing is the single biggest risk to our information and systems security. The human is always the weakest link, and it is where companies lose a lot of money needlessly.
For those who don’t know what phishing is, phishing is a type of cyber attack where a malicious actor attempts to deceive individuals into providing sensitive information, such as passwords, credit card numbers, or personal details. This is usually done by masquerading as a trustworthy entity in electronic communications, like emails, text messages, or websites.
Phishing attacks often involve the following techniques:
Phishing can lead to identity theft, financial loss, and unauthorized access to personal or corporate accounts.
Here is a real example: in October 2020, the STM (Société de Transport de Montréal) was the victim of a cyber attack via a malicious attachment in an email. One click cost over $2 million. (Source: https://www.stm.info/en/press/news/2020/the-stm-completes-cyber-attack-investigation) “The attack occurred as a result of a phishing email, according to the STM -- an unsuspecting employee likely clicked on a link containing malicious malware, believed to be called RansomExx.” (Source: https://montreal.ctvnews.ca/hackers-demanded-3-7-million-in-montreal-transit-authority-ransom-stm-says-it-won-t-pay-1.5166799). Since then, technological solutions have been added to help avoid a recurrence of the same type of attack, but criminals continue to innovate. Many people I know in cyber security say “it’s not if it will happen, it’s when”.
And, the call might be coming from inside the house. In 2019, Desjardins was the victim of data theft. Personal data of 1.6 million people were stolen and sold. The cause was that an employee with access to the data could not work on it easily in the secure location, so they moved it to a more open location. A marketing employee, who should not have had access, saw that it was being deposited there every month, so they copied it month after month and sold it for 2 years before it was stopped. The Information Privacy Commissioner (IPC) was scathing with Desjardins, who didn’t do enough to protect the information. It cost Desjardins many millions in reparations, but also in reputation.
So, why was I so upset at this seemingly innocuous post? Because the tone was taking a very serious issue very lightly. Perhaps that is a better way to approach it so we don’t freak people out, but from experience, we need people to freak out more. I have seen the approach of making people who fail the simulation do the training again. People see it as a punishment to get through. Some people will pass it and learn, but what about those who pass it and keep clicking, like the poster’s wife? What do we do with those who put our personal and collective information at risk? How do we limit the risk from people whose access could enable baddies to change bank account and payment information or siphon complete databases for stealing identities? The way I would like us to see it is as Information Health and Safety. In the same way that we have very detailed policies and procedures about physical health and safety (mental H&S is another rant…), we should have the same for information. For example, a new employee on a construction site shows up on day 1 without their steel-toed boots or safety goggles. What do you do? Do you let him or her work anyway? Never! If that person does the same again and again, what happens? That person doesn’t work and quickly becomes unemployed, no matter who their husband or wife is. Why don’t we treat cyber security the same way? It would be fairly easy to implement policies and procedures that include progressive help, training, and then discipline for those who fail simulations continuously. Perhaps this already happens where you work. If so, drop me a line, as I would love to hear about it.
Now, I say that this would be easy to implement. In writing and policy-wise, it is very easy. The hard part is that there needs to be a very broad base of support from leadership and from support teams like HR and IT. The awareness campaign needs to be updated with a certain baseline of passable security. Onboarding needs to be updated to highlight the importance of Information Health and Safety. Our teams, everyone, need to be very aware of the reasons for and impacts of failing the simulations, and the potential risks of not passing. Just as a falling brick on a work site can injure or kill someone if they aren’t wearing their hard hat, the impact of a cyber incident should be discussed out in the open. There are many examples available. Most people want to be safe and help each other see the deviousness in simulations, which helps with real situations. The main point in all the change management that would be needed is that the tone needs to be helpful and supportive. The goal is not to fire people who don’t comply. It is to help those very same people realize the risk they are taking at work, and inevitably at home, with all our information. But, there does need to be a point at which dismissal is considered. If the person you hired in Finance has access to all the company information and keeps clicking on simulations, it won’t be long before they click on something real and the company loses a lot of money. I don’t know about you, but that is unacceptable to me.
I have had the experience of leading teams that run phishing awareness campaigns and saw first-hand how failures can be handled. They can easily become an exercise in shaming, which is counterproductive to say the least. If people fail, we need to help them understand better and share that information with others. The campaigns I loved the most were those where we caught more people because we made it harder. People inevitably started telling each other about the campaigns and to be careful. We applauded the communication and gave immediate support to those who failed. Yes, taking the training again is a good thing, but it was the additional support and communication, sometimes one-on-one, that really helped. Everyone gets caught at some point, and I mean everyone. It doesn’t matter how technical a person is or how much they know. All it takes is being distracted for just a moment and the phishing email resembling something we might be expecting that day, and we click. I have seen cyber security analysts get caught. I have seen systems reliability engineers get caught. I have seen IT Directors get caught (me included). When that happens, we need to underscore the learning potential, especially in sharing the information. I told my team I got caught and I owned it. It hasn’t happened again, but it will, and I hope I will have the courage to learn and to share so others can feel ok with failure.
You might be shaking your head now and thinking “didn’t you say we need to treat this seriously? Shouldn’t we be punishing people?” The answer to both those questions is “Yes, but context is key.” The target of my missive today is the people who continuously fail and keep clicking. That is a critical information health and safety issue. At what point can we call our organization safe from cyber threats when we tolerate the uber-clickers? In my mind, they are the same as the folks on the job site who refuse to wear PPE (Personal Protective Equipment). We need to find a way to take them off the job until they know how to be secure. This could be by severely limiting their access, providing training, following up with HR and their leader, and progressive discipline up to dismissal if they can’t pass minimum requirements. The latter may sound harsh, but how far are we willing to let others risk our information health and safety? We need to realize that entire organizations rely on information systems to function, and their security is paramount. Having worked in risk management and with cyber security insurance, I know there is a cost to not being secure that goes beyond the potential of losing information. There is great risk to systems being available at all: entire companies grinding to a halt because someone clicked on a link or opened an attachment they shouldn’t have.
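The progressive approach described above (help and training first, access review and HR involvement for repeat failures) is easy to state as a rule that an awareness team can apply consistently. The following Python is an added illustration, not code from the article or from any phishing-simulation product: it counts each person's simulation clicks inside a rolling window, maps the count onto an assumed response ladder, and lets old failures age out so someone who stops clicking moves back down. The tier wording, the 365-day window, and the sample results are all constructed for the example.

```python
"""Progressive response to repeat phishing-simulation failures.

Added illustration; the ladder, window length and sample data are assumed,
not the article's prescribed policy or any vendor's implementation.
"""
from datetime import date, timedelta
from typing import Dict, List, Tuple

# One simulation outcome: (user, campaign date, clicked the lure?)
SimResult = Tuple[str, date, bool]

# Constructed sample data: three users across three campaigns.
SIM_RESULTS: List[SimResult] = [
    ("alice", date(2024, 1, 10), True),
    ("alice", date(2024, 3, 12), True),
    ("alice", date(2024, 5, 14), True),
    ("bob",   date(2024, 1, 10), True),
    ("bob",   date(2024, 3, 12), False),
    ("bob",   date(2024, 5, 14), False),
    ("carol", date(2024, 1, 10), False),
    ("carol", date(2024, 3, 12), False),
    ("carol", date(2024, 5, 14), True),
]

# Assumed response ladder keyed by failures inside the rolling window.
# The order mirrors the article: support and training first, then escalation.
LADDER: Dict[int, str] = {
    0: "no action",
    1: "immediate support; awareness training",
    2: "one-on-one coaching; inform the person's leader",
    3: "access review with IT; HR follow-up; progressive discipline per policy",
}
WINDOW_DAYS = 365  # assumed: failures older than this no longer count


def failures_in_window(results: List[SimResult], user: str, as_of: date,
                       window_days: int = WINDOW_DAYS) -> int:
    """Count simulation clicks by `user` in the `window_days` before `as_of`."""
    cutoff = as_of - timedelta(days=window_days)
    return sum(1 for u, when, clicked in results
               if u == user and clicked and cutoff < when <= as_of)


def next_step(failure_count: int) -> str:
    """Map a failure count onto the ladder; counts past the top stay at the top tier."""
    return LADDER[min(failure_count, max(LADDER))]


def triage(results: List[SimResult], as_of: date,
           window_days: int = WINDOW_DAYS) -> Dict[str, Tuple[int, str]]:
    """For every user in the results, return (failures in window, next step)."""
    report: Dict[str, Tuple[int, str]] = {}
    for user in sorted({u for u, _, _ in results}):
        n = failures_in_window(results, user, as_of, window_days)
        report[user] = (n, next_step(n))
    return report


def repeat_clickers(results: List[SimResult], as_of: date,
                    threshold: int = 2, window_days: int = WINDOW_DAYS) -> List[str]:
    """Users at or above `threshold` failures in the window: the article's 'uber-clickers'."""
    return [u for u, (n, _) in triage(results, as_of, window_days).items()
            if n >= threshold]


def campaign_click_rate(results: List[SimResult], campaign_date: date) -> float:
    """Fraction of recipients who clicked in one campaign (0.0 if none were sent)."""
    sent = [r for r in results if r[1] == campaign_date]
    if not sent:
        return 0.0
    return sum(1 for r in sent if r[2]) / len(sent)


if __name__ == "__main__":
    for when in (date(2024, 6, 1), date(2025, 2, 1)):
        print(f"As of {when}:")
        for user, (n, step) in triage(SIM_RESULTS, when).items():
            print(f"  {user}: {n} failure(s) -> {step}")
    print("May 2024 campaign click rate:",
          round(campaign_click_rate(SIM_RESULTS, date(2024, 5, 14)), 2))
```

Run as of June 2024, alice has three clicks in the window and lands on the top tier, while bob and carol each have one and get support plus training. Run again in February 2025, alice's January 2024 click has aged out and she drops to tier 2, and bob, who stopped clicking, is back to "no action". The rolling window is what keeps the process progressive rather than punitive: it rewards people who learn, which is the outcome the campaigns are meant to produce.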
In the end, we need to be vigilant and help everyone gain the knowledge to not fall for modern-day conmen. The people who know, or don’t, will put us at risk or make us safe. Together, we can help each other and be there to teach, learn and support. After all, People Power, and click, Everything.
John
PS: If you like these, feel free to forward and encourage your friends, family, neighbours, colleagues, leaders, staff, and even mortal enemies to sign up to THE LIST and subscribe to the People Power Everything Podcast which has bonus material from time to time.
From Of Truth, an essay by Francis Bacon written in 1625:
Doth any man doubt that if there were taken out of men’s minds vain opinions, flattering hopes, false valuations, imaginations as one would, and the like, but it would leave the minds of a number of men poor shrunken things, full of melancholy and indisposition, and unpleasing to themselves?