
Editor's Note: Over the coming weeks we will post recaps of speakers' talks from the 3rd Annual Security Awareness Summit. Today Sahil Bansal from Genpact shares details from his talk and experiences from the summit. If you missed the summit, consider the European Security Awareness Summit 11 November in London.

It was an honor to speak at the SANS Security Awareness Summit 2016. My topic was Nudging Towards Security. With traditional awareness methods, employees have a tendency to tune out security messages, especially when they arrive through mass media. We can create humorous messages, we can try to get their attention and we can make them watch our training videos. But are these methods actually nudging employees towards secure behavior?

People care about security and want to do the right thing, but it can be too complicated for them. We ask them to keep complex passwords, we ask them to have 30 different passwords for different accounts, to classify and label data, to store and transmit it properly, to watch out for phishing, and more. They are bound to make mistakes. And increasingly we are relying on users to make good security decisions on their own. So I firmly believe that security should be easy, and it should be proactive. My talk focused on how we can make security easy and proactive for employees. It covered three initiatives that can nudge employees' behavior towards security.

External Email Tagging

Email spoofing is on the rise. We have all heard of, and experienced, the W2 scams. Email security solutions are fighting email spoofing, but it is a cat-and-mouse battle: some emails will always have a chance of getting through to the user's inbox. Social engineering and phishing are a hot topic in every organization's awareness and training material, but training alone is not a surefire way to make every employee an expert at handling phishing attacks. Something different is needed to help users identify spoofed emails easily.

Using the email solution (Microsoft Outlook for example), a rule can be configured on the Exchange server that tags external emails with a label. All emails that originate outside the organization's network will then carry this label. The label can be added to the subject, it can be placed at the top of the email body, it can use differently colored text, it can be underlined, etc. A lot can be done with this label so that the user clearly notices it. Once they notice it, we have a new teachable moment: we can inform them that this is an external email. So, the way it works is that when a user gets an email from an address that is spoofed to look like an internal one, the tag raises a suspicion in the user's mind. They might stop and take no immediate action until they are sure. And that is the objective: raising that doubt in their mind so that we can help them when they come to us.
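As an added illustration of the Exchange rule described above (this is example code, not configuration from the original post or from Genpact), the following Exchange Management Shell commands create two transport rules for mail from outside the organization: one prefixes the subject, the other prepends a banner to the body. The rule names, the "[EXTERNAL]" tag text and the banner wording are assumptions; change them to whatever your users will recognize.

```powershell
# Added example, not from the original post: two Exchange transport rules that tag
# mail originating outside the organization. Rule names and tag text are assumptions.
# Run from the Exchange Management Shell (on-premises) or an Exchange Online
# PowerShell session, with an account that holds the Transport Rules role.

$tag = "[EXTERNAL] "   # assumed subject prefix; keep it short and distinctive

# Rule 1: prefix the subject line.
# The exception stops replies in an already-tagged thread from stacking up as
# "[EXTERNAL] RE: [EXTERNAL] ..." which trains users to ignore the tag.
New-TransportRule -Name "Tag external mail - subject" `
    -Priority 0 `
    -FromScope NotInOrganization `
    -ExceptIfSubjectContainsWords $tag.Trim() `
    -PrependSubject $tag `
    -Mode Enforce `
    -Comments "Nudge: make external origin visible in the subject line"

# Rule 2: a banner at the top of the message body.
# No subject exception here, so a sender who types the tag into the subject
# themselves still gets the banner; the two rules back each other up.
$banner = @"
<div style="border:2px solid #c00;background:#fff3f3;padding:6px;font-family:sans-serif;">
<b>EXTERNAL EMAIL:</b> This message came from outside the organization.
Verify the sender before acting on any request for payments, credentials or employee data.
</div>
"@

New-TransportRule -Name "Tag external mail - body banner" `
    -Priority 1 `
    -FromScope NotInOrganization `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText $banner `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Mode Enforce `
    -Comments "Nudge: visible banner above the body of external mail"

# Confirm both rules exist and are enabled before telling users to expect the tag.
Get-TransportRule | Where-Object { $_.Name -like "Tag external mail*" } |
    Format-Table Name, Priority, State, Mode -AutoSize
```

Two practical notes. First, `-Mode Audit` is useful for a pilot: the rule is evaluated and logged in message tracking but the messages are left untouched, which shows how much mail would be tagged (and which partner domains users will complain about) before anyone sees a banner. Second, the tag is a nudge, not a control: a message sent from a compromised internal mailbox has `FromScope InOrganization` and will not be tagged, so the awareness message should be "external tag means slow down", not "no tag means safe".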

There are several other initiatives that can be taken to nudge employees' behavior towards security. My talk touched upon two others: making it easier to report spam emails with a single button in Outlook, and helping users make a more informed decision when they are about to send sensitive data outside the organization's network. I'll cover those 'nudges' in future blog posts.

BIO: Sahil leads the security awareness, training and culture change initiatives at Genpact. He holds a B.Tech and an MBA and has taken courses in social psychology, behavioral economics, marketing and branding. At present, he is helping Genpact's information security team look at the problem from a people perspective. He has also worked with other IT giants such as Infosys and HCL Technologies in the past. LinkedIn contact details - linkedin.com/in/sahilbansal86