A company can have the best security controls in place, have a staff that is highly security-aware and have what they consider outstanding security practices in place and yet bad things can and do happen. Many times, security breaches are caused by malicious actors exploiting some unnoticed vulnerability in a running service or other infrastructure. These breaches happen without involving an employee directly.
Other times, malicious actors rely on exploiting human vulnerabilities. This practice is known as social engineering. Typically, the goal of the malicious actor is to build trust by presenting a plausible scenario that plays on our human desire to be helpful. We have all heard about many of these scams. They are all over the news almost on a daily basis. At my current employer, we experienced a corporate impersonation scam late in 2022. We’ve all seen the texts that claim to be from the CEO urgently asking for our help. A friend of my wife received a call telling her there was a warrant out for her arrest. There wasn’t. The scammers just wanted to steal her money. Scams are everywhere! We think we know better but we are all potential victims and just moment of bad judgement away from potential disaster.
One of the ways we can lessen the stress should we fall victim is by having a response plan in place ahead of time. This plan will help us respond appropriately when under stress. This plan should be designed to help us respond both in the work and home environments.
Before I get into the structure of a solid response plan, I need to address what I hope is a misconception by many employees in the work environment. People being what they are, typically want to do the right thing. Employees generally don’t purposefully commit acts that could compromise or damage their employer’s business. Unfortunately, there is general fear among most employees that if they are found to have done something that brings harm to the business, they will experience a punitive response from the business. Perpetuating this fear is detrimental and should not be a part of any business.
Employees should not fear punitive retribution for honest mistakes that lead to security incidents. Businesses should communicate that clearly and often. Employees should have the freedom to report mistakes quickly and openly and be encouraged to take ownership of their actions. That doesn’t mean no consequences, it just means that employees should not fear that their safety or employment are in jeopardy if they report their actions.
By the same token, any employee that knowingly or maliciously carries out an action that causes a security incident should expect punitive consequences from both their employer and likely law enforcement.
We strive to create an environment where employees making an honest mistake have no hesitancy in reporting their actions to the appropriate people within the organization.
Let’s get back to the response plan. What should a response plan include? Here, I’ll mention the key components of a response plan for the work environment. I’ll leave it to the reader to work out a personal plan. the major steps are essentially the same.
Steps:
- Containment – Immediate Response
- Don’t panic – you prepared for this!
- Disconnect from the network – unplug Ethernet cable or turn off Wi-Fi.
- Lock your device. Leave all programs running and don’t close any programs or files.
- Jot down a few notes about what happened and what you noticed on the device.
- Eradication – Call in the experts
- Contact your IT Department and report exactly what you did and what happened. Refer to your notes. Don’t sweep your actions under the rug, own it!
- Determine if the event is serious enough to be considered an incident. IT or security will help with this.
- If your organization has a defined security incident reporting protocol, use that to declare an incident otherwise report the incident to the head of the Security team. They may implement your corporate incident response plan depending upon the severity of the incident.
- Do not access your device! Allow the IT Department or the Security team to direct next steps. The state of your device should be preserved until the need for forensic analysis is ruled out.
- Recovery – Only after all clear is given!
- Make sure your device is operating normally and that you have access to all your normal files and resources.
- Take time for yourself to recover mentally and physically. Wait for the stress to subside before diving back into your work.
- Post-Incident Activity – Sometimes called the postmortem process!
- Review with your supervisor, IT and security the events leading up to the incident and discuss ways in which this issue can be prevented in the future.
- Strive to understand what led to the actions you took.
- Determine if additional security controls could be implemented to reduce the likelihood or the impact of similar events in the future.
- Walk away smarter and better informed!
Keep in mind, that some of these steps could take days or even weeks depending upon the severity of the incident. In many cases, reported incidents are not severe and can be dealt with quickly. Failing to report mistakes can lead to serious consequences. Don’t hesitate to properly report!
Taking time now to understand the corporate culture around user accountability and having a response plan in place will make dealing with the inevitable “bad day at the office” much easier and less stressful. If you make a mistake, own it and seek help through the right channels to make things right. Being prepared in advance helps soften the blow.
