
According to most of those “in the know,” the most common causes of data breaches are employee activity on company systems (on work computers or on personal BYOD devices), malware brought in through downloads, and weak security on the part of third-party vendors. Statistics for the first half of 2018 put the number of cyber attacks reported by large enterprises at 658. That figure excludes the far larger number of smaller breaches that are never publicly reported; smaller organizations may notify their customers/clients without telling the “whole world.”
Clearly, there is work to be done. As attackers become more sophisticated, the measures taken to monitor for, detect, and respond to threats must keep pace.
But the IT department can’t do it all. If you are a member of an IT department, or a security consultant, you know this. Getting everyone involved and up to speed is critical but certainly not easy. Upper management does not lose sleep at night worrying about security risks as you do. They panic only once there is a breach and all hell breaks loose. And then the blame falls on you and your team.
What to do?
You and your team are, after all, supposed to be the experts. But you don’t have to be “experts” to take the initiative and educate the entire organization. You can reduce the “tech jargon,” take it down to their level, and ensure that they understand the risks involved and what they must do.
Benefits of in-house cybersecurity
You know what they are. When everyone is on the same page, and when they understand the risks and what they must do to protect the entire organization, they will get on board.
And this will make your job easier. Passwords will be strong. There will be controls on which BYOD devices may reach company systems and on personal use of company computers, and downloads can be held until they have been evaluated.
The one area that staff education cannot fix is third-party vendors and whatever security measures they do (or do not) have. Your department will have to address that directly, through contractual security requirements, vendor reviews, and limiting what each vendor can access.
How to educate the rest of the organization
The other staff members of the organization need to understand the risks and be brought up to speed on their part in maintaining security.
Here are the steps you must take.
Begin with the consequences of a security breach
Unless the entire staff, including upper management, understands the devastation that a security breach can cause, you will never get them on board with the measures that must be taken to avoid one.
Everyone has heard about the big breaches like Target and Experian. But they have not heard about the breaches that small to mid-sized companies have endured.
According to a report by Travelers Insurance, at least 62% of security breaches hit these organizations: small financial firms, insurance agencies, retailers, medical practices and the like. The reason? Smaller firms generally have less stringent security in place, yet hold enough personal information to make identity theft lucrative or to be worth holding hostage. The same report puts the number of security incidents at as many as 34,500 per day in the U.S. alone.
An additional problem for smaller companies is that they do not have the forensics teams to investigate, a PR department to handle the reputation issues, or the customer service staff to handle all of the customer fallout. The cost is not just in dollars; the cost is with reputation. When customers/clients are lost, the company can falter badly, if not fail. If only for their own job security, employees should sit up and take notice.
It is wise, as staff is educated, to provide specific examples of breaches in the same or similar niches and the disastrous consequences that resulted.
The principles of persuasion that social engineers exploit
Staff need to be aware of their social media presence and their activity on those platforms, especially on devices that connect in any way to company systems. Their personal email accounts are also easy prey.
Attackers are skilled persuaders, and they borrow well-studied principles of influence. Reciprocity: when someone gives us something free, or even promises to, we feel obliged to give something back, such as a piece of personal information. Social proof: we behave in the way we believe others consider normal, and we expect others to do the same, so on a social media platform we accept a friend request from a plausible-looking profile and assume the person behind it is as honest as we are. Attackers build convincing online profiles for exactly this reason.
Authority: people tend to comply with those they believe hold authority. When an attacker convincingly poses as an executive, a bank, or the IT help desk, the socially acceptable response is to do as asked.
Scarcity and urgency: phishing emails press us to act before a deadline passes, an account is suspended, or a limited offer expires, so we click before we think.
Proper data handling
Data has a variety of levels of sensitivity; with that comes a variety of security measures to put into place. Staff needs to understand those levels and the extent of their participation in this protection. And they need to understand how the IT department is handling all data with the following procedures:
- Managing access rights. Data that is public knowledge needs no confidentiality controls, although its integrity still matters (an altered public price list or form is also an incident). Proprietary data, customers’/clients’ personal information, and customer or vendor financial information must be restricted to those with a business need, and patient records carry legal obligations on top of that. Such data should be encrypted at rest and in transit, especially on laptops and phones that leave the building, and access from outside the office should require a stronger authentication process. Lost or stolen devices are one of the biggest sources of exposure; full-disk encryption with remote wipe turns a lost laptop from a breach into an inconvenience.
- Endpoint protection (anti-malware) will be installed on every device and updated automatically, along with operating system and application patches.
- Access to personal social media and webmail from company hardware will be blocked or restricted, since they are the usual delivery channel for phishing links and malicious downloads.
- Hardware that is to be discarded or reassigned will be wiped (or its drive destroyed) under a documented process. No single staff member may be individually responsible for that step.
- Remote access to company data will be logged and monitored.
- Every change to stored data will be recorded with who made it and when, so that any unexpected change can be discovered and investigated.
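The last item above describes an audit trail, and a timestamp alone does not reveal a change if whoever altered the record can also alter the timestamp. The following added example (written for this article, not code from the original) shows one way to make such a log tamper-evident: each entry carries an HMAC over its own contents and the previous entry’s HMAC, so editing, deleting or reordering any earlier entry breaks the chain when it is verified. The field names, the sample entries and the key are constructed assumptions.

```python
"""Hash-chained audit log (added example, not from the original article).

Each entry is MACed together with the MAC of the entry before it, so a
silent edit, deletion or reordering of any earlier record is detected
when the chain is verified.  Field names and sample data are constructed.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Assumption: the verifier holds a key the application servers cannot read.
# In production this would live in an HSM or a separate log-signing service.
AUDIT_KEY = b"constructed-example-key-do-not-use"
GENESIS = "0" * 64  # MAC "before" the first entry


def _entry_mac(prev_mac: str, payload: dict) -> str:
    """HMAC-SHA256 over the previous entry's MAC and this entry's canonical JSON."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hmac.new(AUDIT_KEY, (prev_mac + canonical).encode(), hashlib.sha256).hexdigest()


def append_entry(log: List[dict], actor: str, action: str, record: dict,
                 at: Optional[str] = None) -> dict:
    """Append a timestamped, chained entry. `at` allows fixed timestamps in tests."""
    prev_mac = log[-1]["mac"] if log else GENESIS
    payload = {
        "seq": len(log),
        "at": at or datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "record": record,
    }
    entry = dict(payload, mac=_entry_mac(prev_mac, payload))
    log.append(entry)
    return entry


def verify_log(log: List[dict]) -> Optional[int]:
    """Return None if the whole chain is intact, else the index of the first bad entry."""
    prev_mac = GENESIS
    for i, entry in enumerate(log):
        payload = {k: v for k, v in entry.items() if k != "mac"}
        expected = _entry_mac(prev_mac, payload)
        if payload.get("seq") != i or not hmac.compare_digest(entry["mac"], expected):
            return i
        prev_mac = entry["mac"]
    return None


def demo() -> Tuple[Optional[int], Optional[int]]:
    """Build a small log, then simulate a silent edit of the first record."""
    log: List[dict] = []
    append_entry(log, "alice", "create", {"patient": 1001, "dob": "1990-05-01"},
                 at="2018-06-01T09:00:00+00:00")
    append_entry(log, "bob", "update", {"patient": 1001, "dob": "1990-05-10"},
                 at="2018-06-01T09:05:00+00:00")
    append_entry(log, "alice", "read", {"patient": 1001},
                 at="2018-06-01T09:06:00+00:00")
    before = verify_log(log)                 # None: chain intact
    log[0]["record"]["dob"] = "1980-05-01"   # e.g. someone with direct DB access
    after = verify_log(log)                  # 0: first entry no longer matches
    return before, after


if __name__ == "__main__":
    print(demo())  # (None, 0)
```

The chain detects changes to anything already written, but not the removal of entries from the end; for that, the latest MAC must be copied somewhere the application servers cannot reach (a write-once store, or a daily checkpoint signed by a separate system). The key must stay out of the application database for the same reason.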
Password and login protocols
Logins can be cracked in several ways, and common words and number patterns are the first things an attacker tries. Once a password database has been stolen, offline tools such as John the Ripper run wordlists and mangling rules against the stored hashes at very high speed, so short, common or dictionary-derived passwords are recovered in minutes; only long, unusual passwords stored behind a slow, salted hash hold up.
The same goes for security questions. Clicking “forgot password” often leads to security questions, and the answers to many people’s questions can be found on their social media profiles. That is how Sarah Palin’s Yahoo account was broken into during the 2008 election: the attacker reset the password by answering questions such as her birth date, zip code and where she met her husband, all of which were public knowledge.
Give staff guidance on choosing passwords and tell them that weak passwords will not be accepted for any access to company data, and that company passwords may not be reused for any other account. Urge them to apply the same rules to their personal accounts.
- They must always lock the screen or log off whenever they step away from a workstation or remote device.
- Never enter company passwords on shared or public computers, and avoid untrusted public Wi-Fi unless the connection is protected (TLS to the service, or the company VPN).
- Passwords will be changed whenever there is any sign of compromise. Forced periodic rotation is no longer recommended (NIST SP 800-63B); it pushes users toward predictable variations of the previous password.
- Length matters more than character classes: require at least 12 characters and allow, rather than mandate, symbols and mixed case. Composition rules on their own produce predictable substitutions such as a capital first letter, a trailing digit and an exclamation mark.
- Make passwords or passphrases that are easy to remember but hard for anyone, or any tool, to guess. McAfee gives the example Iam:)2b29! (“I am happy to be 29”); treat it as a pattern to imitate, never as a password to use, because any published example ends up in attackers’ wordlists.
- Passwords for company systems will be stored only as salted, slow hashes (bcrypt, scrypt or Argon2), kept in an approved password manager where staff need to hold them, screened against a blocklist of common and known-breached passwords when chosen, and backed by multi-factor authentication wherever it is available.
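The cracking tools and the password rules above can be shown together. The following added example (written for this article, not code from the original or from McAfee) first runs a small dictionary attack against unsalted MD5 hashes, the kind of offline attack John the Ripper automates, and then shows the policy check and the salted slow hashing that defeat it. The blocklist, wordlist, user records and hashing parameters are constructed assumptions; a real deployment would screen against a full breached-password corpus rather than a handful of entries.

```python
"""Password policy and hashing (added example, not from the original article).

Part 1: a wordlist attack against unsalted MD5 hashes, as found in many old
breach dumps, recovers weak passwords instantly.
Part 2: a policy check (length, blocklist, username) plus salted PBKDF2 of
the kind a company should use.  All sample data below is constructed.
"""
import hashlib
import os
import secrets
from typing import Dict, List, Optional

# Constructed blocklist: common passwords plus published "example" passwords
# such as the McAfee one quoted in the article, which attackers add to
# wordlists precisely because people copy them.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1",
             "Iam:)2b29!", "Summer2018!"}
MIN_LENGTH = 12
PBKDF2_ITERATIONS = 600_000  # OWASP (2023) guidance for PBKDF2-HMAC-SHA256


def policy_violations(password: str, username: str = "") -> List[str]:
    """Return the reasons a candidate password is rejected (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in {p.lower() for p in BLOCKLIST}:
        problems.append("appears on the blocklist of common/breached passwords")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if len(set(password)) < 5:
        problems.append("too few distinct characters")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'iterations$salt$hash' (hex fields)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return secrets.compare_digest(dk.hex(), dk_hex)


def crack_unsalted_md5(target_hashes: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Dictionary attack on unsalted MD5: one hash per candidate serves every user."""
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in target_hashes.items() if h in lookup}


def demo() -> Dict[str, str]:
    """Constructed breach dump of unsalted MD5 hashes, attacked with a tiny wordlist."""
    users = {"alice": "password", "bob": "Iam:)2b29!",
             "carol": "correct horse battery staple"}
    dumped = {u: hashlib.md5(p.encode()).hexdigest() for u, p in users.items()}
    wordlist = sorted(BLOCKLIST) + ["dragon", "monkey"]
    return crack_unsalted_md5(dumped, wordlist)  # alice and bob fall, carol does not


if __name__ == "__main__":
    print(demo())
    print(policy_violations("Iam:)2b29!"))
    stored = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", stored))
```

Two things to notice: the published McAfee example password is cracked immediately because it is in the wordlist, which is why the policy blocklists it; and against the salted PBKDF2 store an attacker must run 600,000 hash iterations per guess per user, instead of one MD5 per guess for all users at once.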
Incognito web browsing
Savvy web users may know how to put their browsers into “Incognito mode” to stop the browser from keeping local history, cookies and cache for that session. It hides nothing from the network: the company proxy, DNS resolver, firewall and any endpoint monitoring still see every request. Staff should understand that using private browsing to sidestep acceptable-use restrictions on a company computer is both detectable and, where company policy says so, a disciplinary matter, up to and including dismissal.
Monitoring software can be installed on any company-managed device, from web proxies and endpoint agents to, in some highly regulated environments, full session recording. Many companies run such software on in-house machines and company-issued mobile devices, and issuing managed devices is standard practice in organizations whose data must be protected above all else. Globally distributed remote teams make this harder: the monitoring, and the policy behind it, must be explained clearly in each team member’s own language, or the policy will be misread.
Consultants – Showcase your software to the IT department and upper management
If you are a consultant, obviously a demonstration of your software or software recommendations is in order. It will be important that the decision-makers are present.
If you are an in-house IT employee charged with updating your security systems, then a lot of research will be involved to ensure that any software package you recommend for purchase covers all organizational needs. This may also include some coursework, such as that offered by Hakin9.org, an organization focused on security, through publications and online resources/workshops. The key will be to stay current and to let your security systems evolve as the technology does.
Conclusion
Data security is clearly one of the biggest challenges companies face in today’s environment of cybercrime. Breaches are costly in both dollars and reputation and can bring a smaller company to its knees. Current knowledge and current tools are not optional.
On the Web
There is no lack of resources available to those who are just dipping their toes into cybersecurity and to those who have been involved in it for some time.
For beginners, InfoSec Institute provides several free learning resources.
For companies that work with remote workers globally, the translation agency The Word Point can provide expertise in translating security policies for staff in other countries.
For examples of data breaches that have hit small to mid-sized organizations, see Property Casualty 360.
References
- https://www.darkreading.com/attacks-breaches/the-eight-most-common-causes-of-data-breaches/d/d-id/1139795
- https://revisionlegal.com/data-breach/2018-statistics/
- https://www.propertycasualty360.com/2015/05/27/small-mid-sized-businesses-hit-by-62-of-all-cyber/
- https://blogs.elon.edu/technology/what-makes-us-vulnerable-to-data-breaches-cathy-hubbs-tells-all/
- https://securingtomorrow.mcafee.com/consumer/family-safety/15-tips-to-better-password-security/
- https://www.computerhope.com/jargon/i/incognito.htm
About the Author:
Pauline speaks Portuguese, English, Spanish and Italian and currently works as a translator at translation service TheWordPoint. She travelled the world to immerse herself in new cultures and learn languages. Today she is proud to be a voting member of the American Translators Association and an active participant in the Leadership Council of its Portuguese Language Division.
