The greatest threat to your organisation’s cybersecurity could be sharing your bed. Although it’s unlikely that your spouse, relative, or other loved ones are actually underworld masterminds, cybercriminals are increasingly using them to compromise corporate data and networks. We tend to lower our guard when interacting with people we trust, and cybercriminals don’t hesitate to exploit this with a range of phishing and social engineering scams that imitate our loved ones or use them as proxies for attacks.
How can we stop our families and friends being used against us? Nothing but constant vigilance will do. Of course, we have a range of technologies that can lessen the effectiveness of such attacks, but the only way to really stay safe is to raise our alertness in all corporate IT settings. We can’t afford to give our wives, husbands, kids, and uncles-twice-removed a free pass when it comes to cybersecurity. Instead, we need to take a better-safe-than-sorry approach to phishing threats.
My wife, the Decepticon
If I receive an email from my wife’s personal mailbox, particularly if it’s been sent to my SolarWinds address, I’ll scan it, avoid any links, and even text her to see if it’s really from her. She’s a software architect, so she understands that my behaviour isn’t a sign of trust issues in our relationship, but trust issues with the digital world more generally. We see a range of increasingly elaborate attacks within our organisation that rely on personal connections forwarding you poisoned emails, from fake utility bills to “important” documents addressed to your name but ostensibly sent to the wrong person.
The same applies to a range of other channels aside from email, particularly for those of us working in a BYOD workplace. BYOD environments are rarely as secure or containerised as the market touts them to be, and clicking a link sent through our standard personal channels – Facebook, WhatsApp, and so on – can quite easily result in our device, and the corporate data residing on it, being compromised. We often don’t pay sufficient attention to these channels and how they, as well as email, can open up corporate IT infrastructure to attack.
Most employees aren’t as paranoid (or perhaps as security-wise) as me and my esteemed Head Geek colleagues. With the ties between work and social life blurring, they typically see nothing wrong with emailing their friends using their work emails, posting up extensive personal histories on Facebook, or letting their loved ones – especially kids and parents, both of whom tend to be far less security-savvy – use their devices for all sorts of purposes. All these behaviours open them and their organisations up to cybercriminals looking to prey on our personal connections.
When we blindly trust what we give to or receive from our closest friends and family, we make ourselves very vulnerable to cyber-attack. Should we cut our ties and go full Luddite? Maybe – a world without push-notifications would be peaceful indeed – but it wouldn’t solve the problem. We need to take a mature, open approach to the cybersecurity risks we face from our loved ones and those who would take advantage of them.
Prime your awareness
The optimal solution to these threats is a change of mindset. Educate employees about the risks of blindly clicking links from loved ones; run penetration tests to highlight their emotional blind-spots; and practise what you preach at an executive level. If leaders model the right vigilance, and if IT constantly updates people on threats they’ve encountered, they can instil a culture of alertness in all situations, on all devices.
Technology obviously plays a role in responding to these threats, but IT policymakers should steer clear of any heavy-handed impulses. Endpoint monitoring, mobile device management, and anti-phishing platforms can stop threats reaching sensitive data or functionality when someone inevitably makes an error of judgement.
We should continue to invest in these platforms, particularly those that operate invisibly to keep us secure. Sandboxing all email links regardless of sender, for example, can ensure that even the most sophisticated or emotionally laden phishing threats don’t lead users to malware payloads. But banning messages from free email domains, or curtailing the use of social media in the workplace, is likely to drive employees to other less-policed channels – and nobody wants any more shadows in the land of IT. What’s important to remember is that the more visibility you have into your environment, the more confident you will be in your ability to protect your organisation against the consequences of such attacks.
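To make the "sandbox every link regardless of sender" idea concrete, here is an added example that is not part of the original post and not SolarWinds code: a small Python mail filter that parses an inbound message, rewrites every link in both the plain-text and HTML parts to a click-time sandbox URL, and separately flags the exact situation described earlier, a trusted display name (a spouse, say) arriving from an address that contact never uses. The sandbox endpoint, the trusted-contact list and the sample "overdue bill" message are all constructed placeholders; a real gateway would use its own click-protection service and the user's actual address book.

```python
"""Added example, not from the original post: rewrite every link in an
inbound message to a click-time sandbox URL regardless of who sent it, and
flag messages whose From display name matches a trusted personal contact
while the sending address does not. The sandbox endpoint, the contact
list and the sample message are all constructed for illustration."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import quote

# Hypothetical click-time protection endpoint (placeholder host, .invalid TLD).
SANDBOX_PREFIX = "https://linkcheck.example-corp.invalid/open?u="

# Constructed list of display names the user trusts and the address each
# normally writes from. A name match with a different address is suspicious.
KNOWN_CONTACTS = {
    "jane doe": "jane.doe@personalmail.example",
}

# Matches http(s) URLs in plain text and inside href="..." attributes.
URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)


def sandbox_url(url: str) -> str:
    """Wrap one URL so the destination is fetched and inspected at click time."""
    if url.startswith(SANDBOX_PREFIX):
        return url  # already wrapped; never double-encode
    return SANDBOX_PREFIX + quote(url, safe="")


def rewrite_links(body: str) -> tuple[str, list[str]]:
    """Replace every URL in a body string; return the new body and the originals."""
    originals: list[str] = []

    def _wrap(match: re.Match) -> str:
        originals.append(match.group(0))
        return sandbox_url(match.group(0))

    return URL_RE.sub(_wrap, body), originals


def sender_mismatch(msg: EmailMessage) -> bool:
    """True if the display name is a known contact but the address is not theirs."""
    name, addr = parseaddr(str(msg["From"]))
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    return expected is not None and addr.strip().lower() != expected


def protect_message(raw: bytes) -> tuple[EmailMessage, dict]:
    """Parse a raw RFC 5322 message, rewrite links in every text part (plain and
    HTML) regardless of sender, and return the modified message plus a report."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"links": [], "sender_mismatch": sender_mismatch(msg)}
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # attachments and multipart containers are left alone
        new_body, found = rewrite_links(part.get_content())
        if found:
            part.set_content(new_body, subtype=part.get_content_subtype())
            report["links"].extend(found)
    return msg, report


def build_sample() -> bytes:
    """Constructed message: a trusted name on a free-mail address the contact
    never uses, carrying an 'overdue bill' link in both text and HTML parts."""
    m = EmailMessage()
    m["From"] = "Jane Doe <jane.doe.1987@freemail.example>"
    m["To"] = "john.doe@corp.example"
    m["Subject"] = "Fwd: our electricity bill is overdue?!"
    m.set_content("Hon, can you check this? https://pay-now.example/invoice/8812\n")
    m.add_alternative(
        '<p>Hon, can you check this? '
        '<a href="https://pay-now.example/invoice/8812">bill</a></p>',
        subtype="html",
    )
    return m.as_bytes()


if __name__ == "__main__":
    protected, info = protect_message(build_sample())
    print("sender mismatch:", info["sender_mismatch"])
    for link in info["links"]:
        print("wrapped:", link, "->", sandbox_url(link))
```

Two design points matter here. The rewrite is applied to every text part before the recipient ever sees the message and does not consult the sender at all, which is what makes it robust against "but it came from my wife": the link is inspected at click time whichever mailbox it arrived from. The display-name check is deliberately kept separate and only produces a flag, because a contact genuinely writing from a new address is common; the flag is what prompts the out-of-band confirmation (the text message to the real person) rather than a silent block.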
Ultimately, we need to build a culture of responsibility for digital security, one which encompasses all employees as well as their loved ones. Employees should be held accountable if their negligence leads to a breach, and saying “my wife sent me the email” shouldn’t hold up as a valid defence. But IT also has a responsibility to train, inform, and update employees on the threats they face and the warning signs to look out for.
Most of all, we should make our digital habits – and their potential risks – a conversation topic with our spouses, families, and close friends with whom we communicate the most. Clear, transparent communication makes for less likelihood of being duped by phishers – and, according to my wife, for better relationships in general.