The Security team: An employee benefit?
It was around six years ago when a figure entered my periphery. I looked up from my desk in a large open-plan office to see a familiar face I'd seen around but hadn't really interacted with. This time something was different. The face was awash with a steady stream of tears, and I knew something was very wrong. I'm both male and British, so emotional displays aren't something I can proudly say I handle well. I looked at the window for a means of escape, but we were 11 floors up. I was going to have to tackle this head-on.
"Is everything okay?" I asked, ridiculously.
The answer came in a wave of tears and emotion as my colleague explained that their partner had recently passed away, and that a credit card had since been opened in the deceased's name. Identity theft of a deceased person is an all-too-common crime. Typically, in my line of work, I'd give technical explanations or look for indicators of how this could have occurred, but in this case the person at the end of my desk just needed help. Quick, actionable, reliable help, and they didn't know where else to turn. Another member of the security team and I helped direct them to the appropriate resources and even offered to put in a couple of calls.
The following day, once it was confirmed that everything had been taken care of and the person had thanked us profusely, I reflected on the incident. The person involved had needed to lean on a corporate security team for guidance because they didn't know where else to turn. This taught me two things.
1) I was grateful that the person trusted our team enough to come to us for help. Security should be seen as a helpful resource rather than a team to be feared and avoided. We were obviously doing something right in this regard.
2) We should formalise this process and actively encourage people to come to us with information security problems that might not fall strictly within the realm of the corporate Infosec space.
So, in our subsequent communications, we began to make it clear that Security was a resource that could be engaged to answer questions about phishing emails sent to personal accounts. We helped those who'd had personal accounts compromised, we used our forensics tools to assist with data recovery after ransomware attacks, and we answered various other questions along the way.
The net result was that we built a stronger rapport with our fellow employees, and people became more proactive in coming to us with internal security concerns too. That's right: helping our employees on a personal level improved the security of the company. It exposed our junior analysts to a wider selection of incidents and issues than they might otherwise have seen, and there is nothing better than real-life cases for training! Not to mention, there are legitimate technical security benefits for the company as well, as employees improve the security of their home networks, machines and accounts. A compromised employee is a compromised employee, regardless of how they became compromised.
As for the negatives of this approach, we obviously had to prioritise the needs of the company over the personal needs of one employee, so occasionally we weren't able to provide immediate help. Resources were constrained, and some queries would go on the back-burner until someone could take a look. Some questions were a little 'too' personal, or would have put us on legally shaky ground, or in one case I can remember, a legal sinkhole - "I think my partner is cheating on me, can you break into their email and Facebook?"
Overall, we found that the benefits of the approach significantly outweighed the negatives. Which raises the question - is your corporate security team ready, willing, and able to be added to the list of employee benefits? We often talk about security being a sales differentiator; how about being an employee experience differentiator as well?
Vice President, at Aon Cyber Solutions