Avoiding the Perils of Electronic Communications



Twitter, Slack, etc., have become undeniably important for business today, but they can cause a lot of damage. That’s why an agile communications strategy is so important.

One of the more difficult and time-consuming exercises for security leaders is to inventory their company's electronic communications channels and then codify and implement processes that build in proper security hygiene. In my experience, there is no one-size-fits-all approach, because every company communicates in different ways and uses different tooling.

Due to the proliferation of collaboration tools and social media applications, you may not even realize how many tools your employees are using to communicate. Shared calendars are a good example: your CEO's calendar probably shouldn't be visible to the entire company, because free access to that information (who is meeting whom, when, and where) carries real risk. And because a calendar is a trusted application, a recipient likely wouldn't think twice about clicking a link in an invite that appears to come from a known source, which makes calendar invites an attractive delivery channel for phishing.

Evolution of Social Media
To be candid, social media applications have turned electronic communications into a difficult beast for CISOs to tackle. Take Twitter. This single application lets you reach global audiences instantly. While Twitter can be used as a mouthpiece to quickly disseminate news and spread awareness, there have been major downsides, and our society has yet to fully understand the ramifications.

One of the most notable incidents occurred in 2013, when a single tweet from the Associated Press’s verified account shared that there had been explosions at the White House and President Obama had been injured. A hacking group claimed responsibility for the tweet and the resulting stock market nosedive erased over $136 billion in equity market value in the three minutes following the tweet. The fact that one tweet could do this much damage was a wake-up call that we need to think long and hard about how systems are designed to curb potential abuse.

Additionally, any organization with sensitive intellectual property should take into account the lengths that sophisticated actors will go to in order to breach its electronic communications, especially social media, including the use of insiders. For example, in late 2019 it was reported that two former Twitter employees had been working for Saudi Arabia to spy on targeted users. It's vital to account for these channels in employee training. Employees might not associate Twitter, Instagram, or Facebook with a work-related threat, but given the trust we place in our favorite social media apps, weaknesses in those platforms, and in how our people use them, can be leveraged by skilled adversaries as a foothold into an organization's network.

While some might think of traditional electronic communications threats as simply phishing attempts against email, there are dozens of channels that a CISO must consider when setting company policies. Given the impact a single tweet or post can have, the accounts used by your C-suite and senior leaders should be locked down, with access limited to as few people as possible and every holder of that access known and reviewed. Additionally, best practices such as requiring two-factor authentication on those accounts (ideally a phishing-resistant method such as a hardware security key rather than SMS codes) will help to protect your organization.

Communication Policies Must Be Agile
At MongoDB, our most-used communications tool is Slack. The Slack platform is vital to asynchronous work with a global employee base and, in total, over 50 people were involved in the process of writing our new policy before the final guidelines were shared companywide. We consulted representatives from different teams across the company to get feedback on policies and wording to make sure it would resonate with everyone.

This might not be a surprise, but feedback from members of our engineering teams was that there should be no ambiguity in the policy. It was important to write a policy that ended up being very prescriptive without sounding condescending. We also incorporated different data retention standards for attachments, direct messages, and communication in public versus private channels.

It’s important to educate our employees on data classification. Below is how we classify data into four groups as part of our company data security policy.

Classification Level   | Summary                                                        | Damage to Company if Data Leaked
-----------------------|----------------------------------------------------------------|---------------------------------
Public Data            | Intended for public consumption                                | None
Internal Use Only      | Intended for widespread company consumption, but not sensitive | Very minor to none
Confidential           | Sensitive and intended for only limited persons                | Considerable
Highly Confidential    | Very sensitive, need-to-know, and limited distribution         | Grave, severe

Having a prescriptive and thorough data security policy available as a living document to all employees can provide a valuable resource for asynchronous work. Engaging in ongoing education throughout the year helps build a secure culture and make sure this information is top of mind for employees. This can be as simple as a quarterly email for some people or addressing security-related questions at our monthly all-hands meeting.

Why Security Enables Innovation in Our API World
Given our roots as a developer company, modern tooling for software development is driven almost entirely through APIs. Many of these tools integrate into Slack, where they generate alerts and open additional communication channels. While these integrations are hugely helpful, each one is also a new party with access to our data, so the best way to account for security is to have every prospective application vetted for security hygiene and assessed by our procurement and security teams before it is integrated.

Identity and access management for your APIs in the cloud is vital whether you're developing software or working on a different team. For instance, someone who isn't on an engineering team at MongoDB likely doesn't need access to our GitHub integration in Slack. If there is an ad hoc reason, that request can go through the proper protocols to authorize only that user, for only as long as needed.
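The pattern described above, default deny by team entitlement plus a separately approved, time-boxed exception for a single user, as an added example in Python. This is illustrative code, not MongoDB's own tooling or policy engine; the team names, integration names, users, the eight-hour default and the seven-day cap are all assumptions chosen for the demonstration.

```python
"""Least-privilege access decisions for chat-integrated developer tools.

Added example (not MongoDB's code). It models the rule in the text: only
engineers get the GitHub integration in Slack by default, and anyone else
needs an explicit, separately approved, expiring grant for just that user.
All team names, integration names, users and time limits are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# Standing entitlements: which teams may use which Slack integrations.
# Anything not listed here is denied (default deny).
TEAM_ENTITLEMENTS: Dict[str, Set[str]] = {
    "engineering": {"github", "pagerduty"},
    "sre": {"github", "pagerduty", "cloud-alerts"},
    "marketing": {"hubspot"},
}

MAX_GRANT_HOURS = 24 * 7  # hypothetical cap; longer needs a team entitlement


@dataclass(frozen=True)
class AdHocGrant:
    user: str
    integration: str
    approver: str
    expires_at: datetime
    reason: str


@dataclass
class AccessPolicy:
    grants: List[AdHocGrant] = field(default_factory=list)
    audit_log: List[dict] = field(default_factory=list)

    def grant(self, user: str, integration: str, approver: str, reason: str,
              hours: int = 8, now: Optional[datetime] = None) -> AdHocGrant:
        """Record a time-boxed exception for one user.

        The requester may not approve their own grant, and a grant cannot
        outlive the cap; both rules keep exceptions from becoming silent
        standing access.
        """
        now = now or datetime.now(timezone.utc)
        if approver == user:
            raise ValueError("an ad hoc grant must be approved by someone else")
        if hours <= 0 or hours > MAX_GRANT_HOURS:
            raise ValueError(f"grant length must be 1..{MAX_GRANT_HOURS} hours")
        g = AdHocGrant(user, integration, approver, now + timedelta(hours=hours), reason)
        self.grants.append(g)
        self.audit_log.append({"event": "grant", "user": user, "integration": integration,
                               "approver": approver, "expires_at": g.expires_at.isoformat()})
        return g

    def decide(self, user: str, team: str, integration: str,
               now: Optional[datetime] = None) -> Tuple[str, str]:
        """Return ("allow"|"deny", reason). Every decision is audit-logged."""
        now = now or datetime.now(timezone.utc)
        if integration in TEAM_ENTITLEMENTS.get(team, set()):
            decision = ("allow", f"team '{team}' is entitled to '{integration}'")
        else:
            # Expired grants are ignored rather than deleted so the log keeps history.
            active = [g for g in self.grants
                      if g.user == user and g.integration == integration and g.expires_at > now]
            if active:
                g = max(active, key=lambda x: x.expires_at)
                decision = ("allow", f"ad hoc grant approved by {g.approver}, "
                                     f"expires {g.expires_at.isoformat()}")
            else:
                decision = ("deny", f"no entitlement or active grant for '{integration}'")
        self.audit_log.append({"event": "decision", "user": user, "team": team,
                               "integration": integration, "result": decision[0]})
        return decision


if __name__ == "__main__":
    policy = AccessPolicy()
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock
    print(policy.decide("alice", "engineering", "github", now=t0))
    print(policy.decide("bob", "marketing", "github", now=t0))
    policy.grant("bob", "github", approver="carol", reason="release-day triage", hours=2, now=t0)
    print(policy.decide("bob", "marketing", "github", now=t0 + timedelta(hours=1)))
    print(policy.decide("bob", "marketing", "github", now=t0 + timedelta(hours=3)))
```

The decision function takes an explicit clock so expiry can be tested deterministically; in production the same code would be called with the real time, and the audit log would be shipped to wherever the security team reviews access events.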

We believe identity and access management not only keeps us secure but also fosters greater innovation, because teams can adopt new tooling quickly when the access rules around it are already clear. Building secure processes into workflows and maintaining agile policies for your organization's tooling is one of the key parts of a security leader's job, but don't be surprised at how difficult and time-intensive it is.


Lena joined MongoDB with more than 20 years of cybersecurity experience. Before joining MongoDB, she was the global chief information security officer for the international fintech company Tradeweb, where she was responsible for all aspects of cybersecurity. She also served …
