Recently, there has been a string of high-profile compromises attacking cloud-based services (a cloud-based note-taking site, a fast food company's Twitter account) as well as corporations and individuals. A well-known technology writer had his digital life taken over, abused and partly deleted; add to this the hacking of a cloud company CEO's personal and business accounts. This led me to think: how can we as a security community do a better job? When I was a CISO, a good portion of end-user awareness training was focused on life outside the office; my theory was that being safe at home leads to being safe in the office. Thinking about this now leads me to ask myself a question: does our end-user education go far enough, or reach deeply enough into our users' digital lives? I think the answer to that question is an overwhelming NO, and it's time to take the gloves off!
We live in a time where work and personal lives are intermingled; to attract the best talent we must allow access to social networks from corporate devices and access to corporate information from personal devices, giving users the freedom to work as they see necessary. I am not only speaking about the millennials we all hear about who work differently, but also about management and executive management, who now have their own online personas. They are being encouraged to develop these personas, where they become part of the company brand, with very little oversight.
When discussing end-user awareness training with companies, I always encourage them to take the next step and test their employees using email phishing campaigns as well as other social engineering techniques. Web-based training and lectures don't work well enough. Companies need to send targeted phishing attacks to their employees that provide immediate feedback.
When testing users we shouldn't stop at just their corporate accounts; we must phish their personal accounts too, including Facebook, Twitter, Gmail, etc. The attackers have crossed that line, and we as responsible corporate citizens must as well. This is a two-way street: if users want access to these services using corporate or shared resources, they must consent. Don't be the next hamburger chain to lose control of its Twitter account.
Time to take the gloves off!!!