We doubt it, he probably just needs some awareness training
You’ve probably heard about Jeff Bezos’ personal and sensitive media being bandied about by the National Enquirer. No need for us to dwell on that, or comment on the US political machinations that could be behind it.
Instead, prompted by an article by Rory Cellan-Jones of the BBC, we thought we would explore his headline: “Was Bezos the weak-link in cyber security?” The premise is that even someone with all his resources can have their data breached through user incompetence. Unfortunately, as with a lot of commentary on the human element of information security, the article falls victim to reciting some of the usual tired old chestnuts, with talk of users being ‘idiotic’ and the ‘weakest link’. But was this the case in the Bezos hack?
We don’t see it that way. Rather than admonishing the user and calling them names, we feel the focus should be on the senior managers who don’t see the rather obvious benefit of instilling a culture of information security awareness: seeing the users in a positive light as the ‘First Responders’ in the event of a malicious intrusion, rather than the suckers who got conned. (Obviously in the case of JB he is the most senior of senior managers, but you get the point…)
First responders in emergencies are those that arrive at the scene of an incident, assess the immediate medical priorities, apply necessary first aid and co-ordinate further, more specialised assistance and transportation. So then, imagine a first responder working in an office, behind a screen. A malicious, malware ridden email comes in, they spot it, isolate it, neutralise it and then forward it on to the appropriate IT security resource for further in-depth investigation and remediation. That same person, when a Spear Phishing email arrives in their inbox is able to spot the inconsistencies, possibly see that the address has been spoofed but, in any event, can fall back on their company’s forward thinking policy that dictates that certain protocols must be followed before any funds are transferred, thus stopping a costly and embarrassing theft of company money.
Now imagine that the first responder I’m talking about isn’t just one member of your staff, it’s all of them – the whole workforce. That’s all your staff on the lookout for emails of ill intent. All your staff making sure that person wandering around the office without a pass is authorised to be there. All your staff following correct information security procedures.
Now imagine how secure your workplace has just become. …Feels good, doesn’t it?
Well, what you’re imagining is what an organisation that has implemented a comprehensive information security awareness programme looks like.
You might think we go on about this a lot. And you’d be right, we do – because we know it works and because we know our programme delivers measurable information security risk management improvement year on year. We still call it eRiskology™ and we’d still like to talk to you about it.
By the way, full disclosure: the idea of users being referred to as ‘First Responders’ isn’t (unfortunately for me) something that I came up with. We heard our friend, Aleš Zupan, Owner and Principal Consultant of BrightStar Consulting, use it in an excellent presentation he gave at ISACA CSX in London last year, and we liked it a lot.