Cyber Security: How to Get Employees Involved



By Uri Shapira

The story of the four sons: Hackers keep getting more advanced, and much of their effort goes into exploiting employees through a variety of social-engineering methods. Many attackers have managed to infiltrate organizational networks by exploiting employees’ lack of cyber-security awareness, their naivety and their tendency to overlook small details. For example: an e-mail that appears to come from the company CEO, requesting clients’ personal details, credit card numbers and passwords, can look perfectly authentic to someone who has never been taught to question such a request. Hackers know this very well.

Employee awareness is a critical element in an organization’s ability to defend itself against cyber attacks and the loss of sensitive information. Many organizations face the challenge of presenting this issue to employees, but most of the time the process is a complete failure: the organization can’t get workers motivated, while workers can’t figure out what information security has to do with them.

The Passover holiday might help us understand a thing or two about passing on knowledge, because at its core the holiday is about retelling the story of the Exodus, transferring it from older generations to younger ones. Most of the Haggadah deals with telling the story itself, but between the lines we can find a kind of “instruction manual” for how to tell it. This is especially noticeable in the passage on the four sons: the Haggadah explicitly recommends different ways of addressing different types of sons – or students.

The wise son – technical teams

The wise son asks about the testimonies, the statutes and the ordinances. He can be equated with technically-oriented employees, such as members of the technical team, who already have considerable experience in information security. When addressing this type of employee you have to be practical. These workers should be made aware of the finer points, or made part of the whole process. In the Haggadah, the wise son gets a practical answer. Likewise, these employees should be given detailed explanations, concrete practices, and the causes and effects behind them, and should be kept updated as things progress.


The wicked son – management

The wicked son views himself as separate from the rest of the family. He represents employees who ask for special exemptions; they don’t realize that they have to participate in the effort just as much as anybody else. In many cases these are, surprisingly enough, employees at the managerial level. As in the Haggadah, we have to make it clear to them that the loss of sensitive information hurts the entire organization, and demonstrate how attacks occur in practice. Companies specializing in information security help organizations assess their level of security and their employees’ response by conducting penetration tests. No employee can remain indifferent once they realize their own computer is being hacked.

The simple son – the silent majority

The simple son asks “what is this?” This son is a blank slate, representing most of the employees. He neither opposes information security nor supports it. As the elders of the Haggadah recommend, we have to give him a shortened version: the main points he has to be aware of. The best solution for most employees is a clear list of procedures they can follow without too much effort, thus taking part in the organization’s information security policy.

The son who doesn’t know how to ask – the remaining minority

Here the elders say that the responsibility rests on the shoulders of the father, not the son: he should actively explain the Exodus to the son who doesn’t ask. So it is with information security as well. We have to make sure the issue isn’t forgotten in the daily routine, run periodic training sessions for employees, and discuss both theoretical and practical issues with them.

It’s very easy to neglect employee awareness and hold the technical teams responsible for everything. Employees, though, are the ones who constantly access the organization’s data, use it, modify it and transfer it. For this reason we have to find a way to improve their information security awareness, thus reaching the promised land and keeping our information safe and secure.

The writer is an information security consultant at MadSec, a company specializing in information security.