Your Employees: The Human Firewall

This is the first in my series of Practical Advice for Business Leaders Without all the Technical Gibberish. That’s a long name that I need to work on, and one I could probably shorten with a few strategically placed and terribly unprofessional words, but we won’t go there.

The goal in this series is a simple one- to explain critical technology concepts to business leaders who must make decisions about them every day, but do not have the time to read a twelve page dissertation, do not want to be buried in jargon, and want a list of potential and actionable solutions to the problem.

Let’s see how we do…

The Problem – Quick and Practical

Your business has antivirus. You have anti-malware and a managed anti-spam solution. Maybe the very expensive firewall your IT team put in place “inspects traffic”, or you’ve even gone as far as purchasing and implementing an “intrusion detection system”. Your systems are patched, the doors are locked, Uncle Joe is guarding the henhouse with his pappy’s shotgun, and you’re bunkered into your little fortress of productivity and profit. All is right with the world.

Then someone dials up Bob from Accounting, tells Bob that he is from Microsoft and that there is a problem with Bob’s computer. Bob, wanting to be a good employee and cooperate with the nice man from Microsoft, goes through a series of instructions provided by the man on the phone, and in under five minutes, Bob’s machine is no longer in Bob’s control. Passwords, account numbers, social security numbers and more are compromised immediately. Then the rest of your network and critical data are up for grabs.

As business leaders, we often hear that the security landscape is changing, which is true, but that statement is amorphous, frustrating, and hard to act upon. We’ve followed all the best practices. We pay yearly fees to a basket-full of antivirus and antispam vendors and dole out satchels of cash to purchase the latest expensive network security equipment that comes packaged with painful maintenance fees. And no matter how much we do or spend, every time we turn around, the I.T. manager is, once again, standing in our office door, asking for more… because we have to do more!

Unfortunately, an industry of technologies intended to protect us against security threats has- somewhat inexplicitly- sold us on the idea that security is something that can be solved by simply implementing a certain “fix”. Lock your doors and turn on the alarm, and your car will never be stolen- or stolen from- again. Right?

The reality, and one that is very hard to accept, is that security is not about finding a and implementing a particular solution, as it is the development and application of a complete regimen– a consistent and dynamic approach to hardening and securing everything about our company, to minimize the points at which a compromise can occur and reduce the frequency of those compromises. Note that I did not say eliminate them, or stop them; I said that we’re going to do our best to reduce and minimize them. And the first and biggest step to doing that, is that understand that security is far more about people than it is about technology.

Imagine if you will…

The CFO is on his way to a family vacation and receives an email from the CEO, asking that money be wired to a particular account. The finance person is fairly tech-savvy and is able to perform that transaction with a few swipes on a mobile app while comfortably seated in the spacious seats of the emergency exit row of his favorite airline. Minutes later, the money is sent, and the CFO leans back and relaxes, proud that he is able to serve his CEO’s needs at a moment’s notice and without disturbing his family vacation.

A week later, the CFO returns stops by the CEO’s office and says “So what was with that $26,000 you had me wire last week?”

The CEO gives the CFO a blank look and says “What $26,000?”

On further investigation, it is determined that the email was forged, and there were a number of cues to that forgery, but all of them were missed.

Someone has just stolen $26,000 from your company, and all they did was ask someone to hand it to them. And it worked.

Why You Should be Concerned

Sound impossible? It couldn’t possibly happen to your company? Don’t kid yourself. I’ve seen it happen. This is one of the clever and simple new ways that hackers are “getting in”, and it’s occurring with increasing frequency, and to companies of every size, and in every industry. Last year the FBI reported that this particular type of fraud cost corporations upwards of $2.3B dollars over the last three years, with average losses (in Arizona) between $25,000 and $75,000, and the rate of attack increasing by 270 percent since January of 2015. (see FBI article.)

And all it takes a hacker is a few minutes browsing your company website, changing a few settings on an email client, and a couple messages to get the process going. It’s easy. It’s quick. It side-steps all of your technology-based solutions, and the payoff is fantastic.

What’s more is the attacks need not always be so overt. You would be amazed at the useful and potentially dangerous information that can be collected from simple phone calls to your employees.

“Hello. This is CNET and we’re conducting an I.T. survey. Would you mind answering a few questions about your infrastructure?”

“Good morning. This is Microsoft. We suspect you may be out of compliance on licensing and would like to speak to your systems administrator. Would you mind providing me with their name and contact information?”

“Hi. This is Cisco. We are aware that you own one of our firewalls, but we need to update our records to ensure you get support. Could you please confirm the model and serial number of your firewall so we can update our records? Oh, you don’t have a Cisco firewall? Really? Oh, it’s a DELL Sonicwall? Thank you for letting us know. We’ll update our records and take you off our list.”

I won’t get into all the techno-weeds about what these little bits of seemingly innocuous information can do in the hands of a hacker, but as business people, we know that information is power, and anything an opposing party knows about your company is something that they can use to refine their attacks against it.

Stepping away from business for a moment, if I know you drive a particular car, I can easily research ways I might break into that car. Oh hey. The CEO drives a Jeep. Hm. It appears that there’s a vulnerability that allows me to wirelessly take control of the brakes, climate control, radio, etc. I might be able to use that to my advantage. (Think I’m kidding? Read this Wired article.)

If the thieves don’t know what kind of car you drive, then they can’t use this kind of information against you. Or, even better, if they can’t even find your car, then they’ll be hard-pressed to break into it. Tying this all back to attempts to get information out of your employees… your brand of mail server, the model of your firewall, and the name of your administrator may have seemed non-dangerous bits of information to you, but then you probably never gave a second thought to putting the profiles of the CEO and CFO on the company website, or purchasing pretty much any car built within the last ten to fifteen years… but now you’re starting to wonder. Or, if I’m doing my job, you should be.

And therein lies the morale of this story: Paranoia. You, and everyone who works for you, needs to be Paranoid. Paranoia is key. It’s the power that fuels the most important piece of infrastructure protecting your company: The Human Firewall.

The term Paranoia may seem harsh, emotionally charged, or over the top. Perhaps you would prefer to have me use a term like “security conscious”, or “technologically informed”, but ask yourself a question: If there is a top-level initiative in your organization, where the fate of your company weighs in the balance, do you soften your words?

We don’t protect our companies with gentle terms or uncertain action. As business leaders, we put our finger right on the key word or phrase and push down hard until it sticks. And when it comes to security of any sort, that word is Paranoia. You want your people paranoid. You want them actively and critically assessing every external source of information or request as if it could be the very thing that shuts down your company, wipes out everyone’s 401K, and, in fifteen minutes or less, puts everyone on the street with no hope of paying the mortgage next month. Then, and only then, will your company be as secure as it can be.

How to Address It

Now I’m going to give you some high-level tips on how to make this all happen. These are, or can be, simple steps in many ways, but a huge part of that simplicity is in your willingness to accept them. If you find yourself challenging their validity or necessity, or thinking that you don’t need this in your company, then these steps will ultimately be unsuccessful. I can (and will, eventually) write an entire blog post on many of these topics, but for now do your best to accept and try each of these, and you should be well on your way to addressing the problem.

If it so happens that you’re already doing some of these, then you’re a step ahead of much of your competition and can only hope to profit from it. Keep at it.

Scare Your People Silly

People grow complacent. Nothing has ever happened to them, or nothing has happened in a while. They’re probably safe. They worry less because the bad stuff hasn’t happened in recent memory.

This is a natural and human reaction.

And incredibly dangerous.

We’re in this nice cave. No bears have ever come into our cave. Please pass the hunk of fire-cooked saber-toothed rabbit so I can kick up my legs and watch the cave paintings dry. Don’t worry about that scratching noise. I’m sure it’s nothing.

Your people need to understand that while the bear has not come for them yet, that the bears are most definitely out there, luck alone is not going to keep them at bay, and statistical averages are eventually going to drag one right in the front door and drop it right in their lap.

Make sure you regularly remind them of the threat, and the damage the threat can do when it comes calling.

Train Your People…Constantly

There is much about security that remains the same… “Don’t click that link!”, “Don’t open that attachment!”, but there is much that changes. “Don’t wire $26K to random people pretending to be me!”

Your employees need to have a regular and constant flow of information so they understand the changing landscape of the threat, and can make more informed decisions on how to respond to it.

And don’t forget that your organization is growing! You hire new people all the time. Your competition is probably not focusing on a security regimen like you are, and those new people are coming in without as much information as they need to protect their new company. You must grab these people right away and train them, because the call from the nice man at Microsoft could come moments after they walk in the door.

Growl.

Oh hey, is that grilled rabbit?

Leadership by Example – If You’re Serious, So Shall They Be

Demonstrate how important security is in everything that you do. Make a security discussion a regular and key part of your leadership meetings, ensure these discussions disseminate throughout your organization, and that the message makes it down to the absolute front line people in every single department.

Provide stories and examples. Keep the topic and discussion live, engaging, and interesting. Don’t just drone on for fifteen minutes a week on how people need to make sure security is important. Involve other people, delegate out topics for research and presentation, highlight particular accomplishments by having the teams responsible for them present on what they’ve done to a team of excited and encouraging leaders, and then again to your entire company as a whole.

Demand that your management set specific security goals for their organizations and hold them financially accountable. When the company achieves a security goal, applaud the achievement in every way you can. Celebrate it through simple yet meaningful gestures, like perhaps a company BBQ. Call it the “Security Sizzler”. Yes, I just made that up, and as corny as it is, I now want a hamburger. Or maybe some grilled rabbit.

Test Your Firewall Regularly

You’ve scared your people. You’ve trained them, and you’ve thrown the best “Security Sizzler” in the history of all time. But are you sure that it’s working? The only way to know is to test it, and the only way to do that is to actively attempt to break into your own business. This may sound crazy, but how else are you going to identify weak sections in the wall without crashing a few waves into it. Better that you find the faulty mortar when the waves are your doing, and not an actual hurricane, come to wipe out the entire city when the pumps and levees fail.

By the way, there is a lot involved in this step, but as a person who cares deeply for people, one key I must stress is that this process must be done with your people’s general awareness, must be handled with compassion, and must never be followed up by highlighting failures or enacting punitive damages against people who don’t “pass the test”. Like everything in business, and with people, the focus must be on the positive, and what we can do better going forward, and less about how we have failed in the past.

Make Sure You Have the Basics in Place

This blog is all about your people, but you still have to have antivirus, anti-malware, anti-spam, firewalls, ensure your systems are patched, etc. Don’t think for a moment you can let these things go by the wayside. They are the closed windows, locked doors and alarm systems of the world. They’re not going to stop a committed or focused thief, but they’ll stop the guy who tries every door in the neighborhood to see if one happens to be open… and my goodness, look at all these lovely things!

Demand More of Your I.T. Organization

Most businesses regard their I.T. organizations as little more than a necessary evil, or in some slightly better situations, an unfortunate cost of doing business. This is partly an artifact of the talent problem, where the greater majority of people providing any service are simply not that great at what they do. As business leaders, we tend to accept a certain equilibrium where we find the people who are not explicitly horrible at the job, but we settle for a certain level of marginality because we figure it’s the best we can do, and we turn our attention to focus on bigger problems, the things we convince ourselves are “more important”.

However, very few things in the modern business are more important than your information technology and the people who support it. If you would like to challenge my assertion on that, go into the server room, lock the door, and pull all the power cables. See what happens to your business and productivity. If no one comes and starts banging on the door, then you can stop reading. Otherwise, continue on. (By the way, please don’t actually do that; that would be what we in the business would call “bad”.)

Don’t accept marginal I.T. leadership or workmanship. Don’t accept an expensive group of people in your company that you cannot rely on to protect (and enable) your business. Would you keep people you cannot trust for the development, production and delivery of your key product? Certainly not. So why would you accept it for supporting a resource critical to the development, production and delivery of that product?

Demand more. Demand better. Demand knowledge and expertise. Demand practical technological advice on critical business decisions. Demand guidance for your company and its employees. There are better people out there. Find them. Put them in key positions and involve them in the leadership of your organization. Listen to them, challenge them, and understand what they are saying, but ultimately… trust them.

Need More Help? Seek it Externally.

Not every organization has the wherewithal or can justify full-time employment of people who have the experience and business acumen to implement your new security regimen, but there are many cloud services and consulting organizations out there that can help you fill in the gaps. There are even companies and services you can hire to “hack your people” (iuvo Technologies, included). These external providers can serve as portions of your solution, augmentations to your organization, general guides, implementers, or accelerators. There is a lot of experience in the industry, and you may not have ready access to what you need within your organization now, but external sources such as these can help you get there quickly.

Wrap Up

Being both a technology consultant and a writer, I’m interested in not only the content of my work, but also in keeping my promises. I did promise you not to make this a twelve page dissertation, and by my word count, I see I’m fairly close to about ten manuscript pages for a typical science fiction novel. Not that this has anything to do with science fiction, of course, but that’s one of the realms I dabble in, so it’s an amusing comparison. Just be thankful I didn’t put in any space battles or blowing people out the airlock, as that could have easily added another five thousand words. Though space battles or blowing people out the airlock can be highly entertaining, and one could argue they could only serve to improve any piece.

I hope you found this article both helpful and interesting… perhaps occasionally entertaining. If there’s anything I can do to help make this, or future postings, more viable and useful to you, please be sure to comment.

And, of course, if you find yourself in need of help with this or with any information technology related topic, remember that iuvo Technologies has the right kind of people to help you develop the regimen you need to secure your business, and many of our customers would be happy to share with you how they treat us as trusted partners in their business success. Give us a call, drop us an email, or grill up some rabbit. We’ll be delighted to assist