IT World Canada: Cyber Security Awareness Month: What to do if staff demand a risky service
Awareness training is on the minds of many infosec leaders in the past four weeks thanks to the annual Cyber Security Awareness Month campaigns across the country.
But while much of the advice deals with ways of getting employees to sharpen their senses, there’s little help dealing with the few on staff who insist clicking on every link or attachment is necessary to do their job.
In those cases, says Bob Steadman, vice-president of security and compliance consulting at the Herjavec Group, which has offices in four provinces, the CISO has to start asking questions.
“I was in charge of security and privacy compliance at Loblaw,” he recalled in an interview. “At one time they were hiring 100 university or college graduates every six months, all millennials, so there was an order to open up to Facebook, Twitter and other social media.”
Social media can be problematic: Staff post messages that can be read around the world and may damage the company’s reputation, and attackers can use the sites as another way to send malicious links and attachments.
“I called a meeting and asked, ‘What’s the business need? There’s lots of wants out there, but what’s the business requirement?’ In this case it was to share things from one person to another. So I said, ‘Ok, there’s corporate email,’ and they said, ‘They need to share documents,’ and I said, ‘OK, we’ve got SharePoint.’ Well, that wasn’t good enough. Eventually the CEO signed off and said, ‘We need this.’ Now the next thing is how do you secure it.
“The point is, is it a real business requirement that there isn’t some other solution for? And if it is truly a need that has to be fulfilled, then you have to find a way to secure it. The whole thing about information security is it’s a very delicate balancing act of not impeding the business but securing and controlling it to mitigate risks.”
Originally posted on itworldcanada.com
About Herjavec Group
Dynamic IT entrepreneur Robert Herjavec founded Herjavec Group in 2003 to provide cybersecurity products and services to enterprise organizations. Herjavec Group delivers SOC 2 Type 2 certified managed security services supported by state-of-the-art, PCI compliant, Security Operations Centers, operated 24/7/365 by certified security professionals. This expertise is coupled with leadership positions across a wide range of functions including consulting, professional services & incident response. Herjavec Group has offices globally including across the United States, the United Kingdom, and Canada. For more information, visit www.herjavecgroup.com.