Image by author
Dear manager, I have received some complaints about you. You are said to dismiss signals about non-compliance with security regulations, or to devise a rationale that makes it look like those regulations are being complied with. Because I like to help people fulfill their responsibilities, we need to talk about this.
You are not one specific manager, nor do you work for a specific part of our large organization. Your level also does not matter: this phenomenon can occur anywhere in the organization, at team, department and board level. In fact, I am convinced that you also exist outside my own organization. And furthermore: if the shoe fits, wear it.
The most misused word in information security has been dropped once again (and its translation from Dutch isn't straightforward): actually, really, fundamentally. It is used by the manager who listens to an employee's complaints and then says that he is "actually/really/fundamentally" right, but that he can't do anything about it, or that that's the way things are. Undoubtedly some managers will say that they can decide on this deviation, because they are managers. Yes, managers are indeed here to make decisions, but not all managers can decide on all matters. And sometimes someone goes beyond their mandate on this difficult subject, possibly without realizing it. Think about whether a particular decision fits within your mandate.
But most complaints that come to my attention are not that difficult at all. They concern, for example, key boxes with the key lying on top of the box, or with the code written on a sticky note within one metre of that box. A physical key is indeed difficult if you have to share it with several people, but everyone can easily record the code of a combination lock in (surprise!) their password manager. I am not in favor of mandatory periodical password changes, but the codes of physical locks should be changed regularly, because otherwise the worn-out keys on the lock will reveal the code.
Our internal mail offers the possibility to encrypt sensitive messages. One easy-to-place check mark ensures that the e-mail and any attachments can only be viewed by the addressee(s); delegates only see a white screen. Consider this option when sending personal data about customers or employees, for example, and bear in mind that the GDPR is a pretty strict law. This tip is of course for everyone, but I expect managers to propagate it.
Sometimes it is useful to immediately include the relevant documents in a meeting invitation. No problem, as long as those documents do not contain confidential information. Because in my organization most calendars are accessible to all colleagues, they can also read the attachments. But you just don't want an appointment for an employee interview to contain an assessment form, do you? So don't put confidential information in the invitation, but send a separate email. In the invitation you can then include something like "see my email from 16-12-2022 09:56".
As you can see, it's often the little things that you as a manager can do, without having to perform major deeds. When managers show that they take security seriously, this also has an effect on their employees. If the manager takes it less seriously, many employees will also shrug their shoulders.
Let's help the managers. For example, if you are a business security officer or a data coordinator (a role linked to the GDPR) and you see that something is not going well, then talk to management about it. If necessary, skip levels, while making sure that you have a well-founded story. In short: take your responsibilities seriously and make sure that management does too.
Our own manager gave us a Christmas bauble (thanks, Ton). An unbreakable one, he added explicitly. We must be equally unbreakable when it comes to complying with security rules – and that is not the same as rigid. Another team manager brought me a Christmas bauble from a conference in London (thanks, Robin). Managers who think about security even far beyond their work – that's the kind we need.
The Security (b)log will return after the Christmas holidays.
And in the big bad world…
This section contains a selection of news articles I came across in the
past week. Because the original version of this blog post is aimed at readers
in the Netherlands, it contains some links to articles in Dutch. Where no
language is indicated, the article is in English.
- police services in the Netherlands, Germany and the US, among others, have taken fifty DDoS-for-hire services offline.
- also on Mastodon you have to think about your security.
- poorly built IoT devices are the asbestos of the internet.
- eighty percent of the Dutch have a smart device at home. [DUTCH]
- European Microsoft customers will soon be able to choose to store their data exclusively in Europe.
- webshops can be fined for fake reviews. [DUTCH]
- the Dutch excel in cyber diplomacy. [DUTCH]
- the Dutch NCSC has published a factsheet on open source security. [DUTCH]
- the Dutch intelligence agency AIVD has published their annual Christmas puzzles. Good luck… [DUTCH]