By David Wilson, Facility Security Officer and IT Manager
Identity theft is a serious problem for everyone, but an aspect that we often overlook is its impact on corporate security. In most scenarios, be it an insider threat type of breach or a cyber-intrusion of one flavor or another, the weak link in the security chain is personnel. Effective training and modified habits and behaviors are difficult to achieve and maintain, and with the ever-widening net of adversarial activity closing in, the complexity increases almost daily.
A company’s best defense is to support and defend its employees. Say, as an example, one of your accountants has their identity stolen. They will likely have a cell phone, a home computer, and passwords on various sites that could be hacked in a variety of ways if not protected properly. In this example, a number of aspects of that employee’s identity are risk factors in considering corporate security. They might introduce a virus into your network. They might provide access to your e-mail through their phone or home computer. They might use the same passwords for a variety of accounts, including the one to access your network. They may have saved their login information for your VPN. If an outside threat can bring enough pressure to bear on a person, whether financially, through private information, or through threats to their family or livelihood, then that pressure can also be applied to that employee’s business.
At VectorCSP, we strive to keep our employees aware of these types of threats through intermittent e-mail reminders and tips. We are careful to encrypt or password-protect any correspondence containing Personally Identifiable Information (PII) and raise awareness of potential threats through training. Traditional training can be too cookie-cutter and is often difficult to present in a dynamic fashion, but personal notes and e-mails with identifiable threats and safeguards – in short doses – can make a huge difference.
It is no longer adequate to check off boxes on a list and call things secure. An active program for training employees in how to keep their homes, personal devices, and their identities safe is a positive step toward eliminating risk. If you use particular methods and products in your corporate environment, suggest that employees use those same methods and products at home, when applicable. We are standing up an Employee Intranet and portal, and the first post in our security blog there covers the reasons why the company stepped away from the use of Kaspersky antivirus products, explains what we shifted to, and why. Most software companies providing services like antivirus protection will partner to offer employees a discount on their product. Let your people know that you will help them in any way that you can, and that they should not be afraid to ask for that help. Their fear of reprisal can often prevent early warning in some security breaches.
Use your corporate social media practices to train employees in securing their own accounts. Talk about how you protect information and share lessons learned through e-mail notes and newsletters. If threats are detected, explain how you identified them, and what you did to neutralize or remove them. Keep individuals involved in the bigger security picture. Make their security your priority, and over time, that investment will strengthen your own.
A wall is only as strong as its weakest point, and a net with holes in it won’t catch many fish. There are millions of threats out there trying daily to steal your accounts, your passwords, your access, your money, and your identity.