Staff in Telstra’s mailroom knew something was strange when the room filled with employees asking for packages they had been told to expect.
There were no packages waiting for them. The employees had received a phishing email encouraging them to click a link to track an incoming delivery. The message never said the package was in the mailroom, but when the recipients decided to check in person rather than click the link, the mailroom got crowded quickly.
Puzzled calls by mailroom staff eventually revealed the source of the confusion: the IT-security team had been proactively phishing the employees, testing to see whether they would click on a message notifying them of an impending delivery.
But nobody predicted the action many employees would take – and this, Telstra head of cyber security Jacqui McNamara told a capacity crowd at this week’s CSO-Kaspersky Lab Cyber Insights event, highlights the universal problem that security executives face in teaching people to be secure.
“What we’ve found is that everything comes down to humans in the end,” she said. “We keep trying to take humans out of the picture, but humans are unreliable.”
“We are training our teams in intelligence tactics, techniques, and procedures – and while we have all the technology you can think about, what we’ve always come back to is human intelligence gathering. Without having that function, you really can’t get a handle on the unknown unknowns – and they’re the ones that cause most of the problems.”
Tracking down ‘unknown unknowns’ is a continuous effort in a company the size of Telstra, whose tens of thousands of employees each present a different combination of potential security benefits and challenges.
To overcome the issues around human fallibility, security managers need to remember that well-trained users can be a major help in improving overall security posture.
“They may utilise devices and information, access data sources and bring devices to install shadow IT,” she said, “but it can also make your life easier if those users are educated and aware.”
The same goes for partners and suppliers, she added: many are entrusted with access credentials, so security executives need to evaluate those suppliers’ own internal security policies and procedures.
Telstra handles this during supplier onboarding as “reinforced authentication”, McNamara said, to ensure that suppliers have been appropriately vetted and remain part of the ongoing security defence.
Employees were a significant part of this defence, particularly those who work in other areas of the business and had embraced third-party solutions such as recently compromised recruitment firm PageUp, a breach that affected Telstra.
To avoid unexpected damage from such incidents, security executives needed to reach out across both business and IT to ensure that business units amassing data do so safely and carefully.
“Sometimes people are putting information into supply chain systems but haven’t really understood the security implications for the data,” she explained, “and marketing, for example, collect enormous amounts of data. Helping them understand the security implications of the actions they take is really important.”
A surprise package
Sometimes, though, even the most proactive organisation can catch itself out, as happened with the mailroom example: Telstra’s Cyber Influence team sent out a well-meaning simulated phishing email, and the wholly unexpected consequence was numerous staff descending on the mailroom.
“That was a lesson for us,” McNamara laughed. “We had to think, as we did our phishing campaigns, about how to avoid the impact on other staff who were just trying to do their jobs.”
And while proactive testing was important in engaging with staff about security, security teams also have to be careful not to let the pendulum swing too far the other way. If staff get too nervous about cyber threats, productivity may suffer – and security teams may be swamped with enquiries or suspect emails forwarded from well-meaning but spooked employees.
“We need to shift the way we think about [engaging with staff],” she explained. “We are creating a little bit of analysis paralysis and fear in the system.
“And we need to somehow raise awareness of cybersecurity in our user base without making everyone terrified to click on things – or crippling the business when they constantly call IT. We have to stop everyone from panicking and get them to calmly focus on what they’re doing.”