Taking the lead with cyber security awareness

It’s hard to define what makes a person a great leader, but what we can say with certainty is that it’s not an easy task. Using their social influence, leaders need to motivate teams towards achieving their common goals.

Leaders carry a lot of responsibilities and expectations, and they know their every move is open to scrutiny by people inside and outside their organisations.

If you’re a leader, we wouldn’t blame you for occasionally wishing for an invisibility cloak! But if you can’t track one of those down, a better option is getting familiar with the steps you can take to protect yourself — and your organisation — against cyber attackers.

Security folks sure do love their military terminology. A good example of such military-themed phraseology is the term OpSec. In the information security world, OpSec refers to protecting yourself so you can’t be used against your organisation.

As we face our daily trials and tribulations at work, some of us may not give a second thought to tweeting about annoyances caused by dealing with vendor issues, or posting about a fun new piece of technology we get to work on.

But when we move up the ranks, it becomes more important to think critically before hitting send on our next tweet. Things change as our careers progress — for example, getting promoted to a team leader or manager role means your responsibilities grow. You may also be privy to a lot more sensitive information, and as you learn more about the workings of your company, the amount of attention focused on you increases.

A leadership role often includes waving the company banner and publicly representing our organisations. Even if you don’t loudly wave that banner, people online will take notice of your job title. Unfortunately, sometimes those people are out to take advantage of it.

To help understand what the risks are, we want to introduce you to another military-esque term: reconnaissance.

Reconnaissance: who’s watching you?

In the context of cyber security, reconnaissance means collecting information to prepare for a cyber attack. Military terms getting a bit much? Give thanks for folks like the United Kingdom’s National Cyber Security Centre, who offer an alternative word we can use: survey.

When attackers survey, they gather passive intelligence (okay, there’s no getting away from the military terms!). This sounds involved, but all it means is they look for information that anyone can gather using public means. LinkedIn, Twitter, Facebook, online registrars, marketing websites, job descriptions, online forums, conference talks — these are all easy to find, and ripe for picking small tidbits of information from.

Being in the cyber security business doesn’t make us immune either. Our lovely CEO and founder, Laura Bell, is well-known by our clients and further afield in the industry. But you don’t need to personally know her to find out information about her — all you need to do is check her Twitter or LinkedIn profiles, or look at our website.

Not long after joining SafeStack, one of our team members got some emails appearing to be sent from “Laura Bell”. One problem though… they weren’t from the real Laura, and they weren’t legitimate requests.

The level of sophistication and the intention of every cyber attack is different. They range from simple email phishing scams sent to large groups, hoping for just one bite, to very targeted attacks like this one, also called spear phishing attacks. All these attacks begin with reconnaissance or survey.

Someone had been doing enough surveillance of the SafeStack team to know that Laura is the CEO and possibly also that the targeted team member was very new to the team. Attempting to exploit the newbie’s unfamiliarity with the normal operations of the team, the email was written using an urgent tone and requested immediate assistance to make a payment to a nominated bank account.

Attackers can keep quietly gathering information until they have enough to craft a well-planned attack. So while a leader or manager may not be the ultimate target of a cyber attack, they could be the entry point to an organisation — and once an attacker is in, they can get more access and data, and be in a position to cause more damage.

Be social and visible — but be careful

The takeaway here isn’t to vanish from the internet — it’s to make sure you’re aware of how to be safe online. In our latest course, Personal Security for Managers and Leaders, we share simple actions you can take to protect yourself (and your organisation) while still being social and visible online.

Taking a moment to think before sharing anything publicly is valuable for anyone, but with the increased visibility that comes with being a leader, it’s especially important to do a quick risk assessment before you post or speak. It’s also important to protect your personal accounts in similar ways to your work accounts and to tune your settings so your private accounts stay private.

If in doubt, listen to your instincts. In the spear phishing example we mentioned before, our teammate’s suspicions were raised because the email request didn’t seem like Laura’s normal communication style. Knowing what’s normal and what’s not in your organisation will definitely help you to spot a potential problem.

Ready to learn more about personal security for managers and leaders?

The sensitive information that attackers can gather about you and your company may be giving them the ammunition they need to launch a targeted cyber attack.

The details you reveal in online posts, written communications, and your interactions with others could be the smallest chink in the armour of your company, which an attacker can then work to exploit.

Our latest Security Awareness course can give you some insights into the risks that leaders may face, and how to guard against them.

What’s in the course?

We cover some real-life examples of how attackers can take advantage of the personal brand and public messages you share online. We also outline some pragmatic actions you can take so that you can still be visible and secure.

Who is this course for?

Leaders and managers have more public exposure than most of us, and that puts them at increased risk of cyber attacks. This course is most relevant for leaders and managers, but the content and learning actions we cover are pragmatic and helpful for everyone, whatever their job description.

We love to hear from you

We hope this course encourages you to think critically about the sensitive information you share online, both in a professional and a personal capacity.