We’ve recently seen some rhetoric stating that security is NOT everyone’s issue and that we should be looking at our security teams to protect us. We disagree. A lot. So we thought we’d lay out some thoughts about why security is everyone’s issue and how we can support our people with becoming more security savvy.
We talk a lot about our human firewall. About our people being the first line of defence. And as much of a trope as this is, there is some truth to it. Except… instead of just getting them to be on the watch for rogue phishing emails, we should be getting them to consider a whole myriad of threats that can affect our organisation – social engineering, overly permissive rights, tailgating, ransomware, yada yada.
In a world where we’re super connected. Where we’re glued to our phones 8 hours a day. Where literally fucking everything is now done via the internet. Why wouldn’t we want our people to be vigilant for threats? Not only does it help protect our organisation, it helps to protect them as well.
We all have bank accounts. Social media. Credit card info saved in e-commerce platforms. Personal data in dating sites. Photos saved on our phones. Is it our security team’s responsibility to protect them for us as well?
“we think the fuck not.”
Amy, CEO @ The Cyber Escape Room Co.
It’s time we encouraged our people to take responsibility for their own data. We’d hate to hear a friend had had their account cleared out, their social media following decimated, or their saucy photos leaked because of poor security hygiene. We want to empower people to make themselves safe. And the way to do that isn’t by shifting responsibility onto our (probably already overloaded) security team.
so how do we do it, then?
It will probably come as no surprise to you that we believe in proper security awareness training for our end users. Providing them with the knowledge they need to identify issues and to make sure they’re thinking about security, from both a physical and digital perspective.
If people develop a security-focused mindset in their personal lives, that will extend to their professional ones too. If switching MFA on when you sign up for a new service, making sure you’re using different passwords across platforms, and reporting phishing is a habit you already have embedded in your psyche, then it’s not difficult to see how we’re going to reduce our security threats from a corporate perspective too.
So no, we don’t agree with offloading security concerns to the security team. The security team is there to provide, manage, and maintain tools and processes that support the business on a deeper level. They’re responsible for doing all the cool shit in the background. Configuring LAPS. Getting a proper email filter in place. Network micro-segmentation. You know. The important stuff.
the bank heist.
We believe in personal security enough that it’s actually a huge part of our latest cyber escape room scenario, The Bank Heist. That’s right, we’ve taken the corporate element out of the game and focused entirely on the damage we can do with personal information.
That’s right, we’ve switched it up and jacked in the briefcase in exchange for a backpack this time round… and we’re not asking you to be on the good side either.
When you play The Bank Heist, you’re playing the part of a threat actor looking to make the most of an opportunity to fuck shit up when they find a backpack left on a train. You’re looking at personal information left on social media, in text messages, online. The focus for this one, alongside password security, is the use of Open Source Intelligence (OSINT) to help you further your attack and discover key information to use as part of your offensive strategy.
Interested in hearing more about The Bank Heist, and our other escape room scenarios? You can check out more information at https://cyberescaperoom.co/games.