A security mindset involves thinking like an attacker, an adversary or a criminal in order to detect and respond to potential threats that put our valuable assets at risk. This thread discusses the (in)ability of our security mindset to cope with digital threats and the responsibilities of organizations in this matter.
What about our valuable digital assets?
We cannot say the same of our valuable logical data, where our security mindset is largely ineffective. Why? Because the concept of «logical data» arrived with the digital age, a period still in its infancy compared with the whole of human history. It is a blurry, impalpable and invisible asset that none of us can really fathom, define, grasp or master, with the aggravating factor that it can be endlessly multiplied, copied and stored anywhere.
Who should teach them to discern, respond to or ward off digital threats? Certainly not their parents, who are even more ignorant in this matter. Our education system, maybe? I doubt it, given how slowly this system adapts to the steady and rapid evolution of technology and its associated threats.
When I was taking my civil engineering classes back in the late 80’s and early 90’s, I never saw or heard anything about information and data security. Granted, it was the onset of the Internet and of interconnected personal computers, when security consultants were considered trailblazers; but nowadays, while information technology insinuates itself ever deeper into our lives and attacks against our data become more and more pernicious, security must be addressed as a topic of general interest. Still, it is absent from lectures, except in specific dedicated curricula.
In the absence of education in appropriate behaviours and awareness of the value of our digital assets, I’m afraid that the only ingredient left to nurture, hone and drill our security mindset in this matter is experience. I mean learning the hard way, through bad experiences such as being the victim of data theft, data loss, account impersonation, social engineering or swindlers.
The social responsibilities of our organizations
Beyond complying with security- and privacy-related regulations such as GDPR, HIPAA and PCI, my opinion is that organizations, and more specifically security officers and data privacy officers, have a social responsibility here. They should not content themselves with merely requiring staff to abide by a set of policies and procedures disseminated in writing or through information sessions (often misnamed awareness sessions) dictating what they may and may not do and how they are expected to do it. This is definitely not enough.
Far more is achieved through the delivery of vivid, and let me underscore it: VIVID, awareness sessions focused on the staff’s own situation. Through dialogue rather than one-way talks or presentations, through popularisation, anecdotes and stories, and funny material (pictures, films), staff should be apprised of the rationale behind such sessions and of why they are bothered with these tedious, cumbersome policies and procedures; they all think of them that way, so let’s be honest and show them we agree on this point.
They should learn why security is a critical matter for the company, and about the consequences of incidents and breaches for the company and its customers. They should hear about past incidents that took place inside the company, which serve as illustration and evidence that yes, shit happens, and about the threats and attacks they may be confronted with at work but also in their private life, and how these can be avoided or thwarted. Last but not least, they should be told of their primary role in defending the company’s and customers’ data. They should be encouraged to speak up whenever they feel that a policy or procedure is inappropriate in their case and to report any weird situation they have faced.
All this should help increase the ability of the staff’s security mindset to address digital risks and eventually turn them into one of the organization’s strongest and most efficient lines of defence.