The information security and customer service groups within an organization often make for odd bedfellows, due to the competing and often divergent goals between the two groups. Security teams’ goals are to protect and prevent the loss of customer data, information, proprietary code, or practices; services teams are focused on resolving customer-reported issues as quickly as possible. To meet this goal, services teams may require regular access to customer data, which carries a certain amount of risk. To help mitigate that risk, we will navigate ways to partner with your services teams in modifying behaviors that engender it.
Walk a Mile or Two in Their Shoes
The practice of job shadowing is a cross-training mechanism to improve your employees’ proficiency and efficiency at their jobs. It can also serve as a regular part of the onboarding process for a new employee. If you are responsible for securing your customers’ data, it seems fitting that IT security spend time with employees to learn how they are completing their work. Besides seeing firsthand how your services teams are accessing and handling customer data, IT team members will also gain perspective and insight into the difficulties services teams face in trying to meet their one-touch resolution goal of resolving a customer’s issue during their first contact with support.
To achieve or maintain compliance with state, federal, and international regulations or standards, companies have implemented additional safeguards and security measures to protect client and consumer data. An example is the Massachusetts Data Protection Law regarding PII in 2010, which required businesses to encrypt all PII stored on laptops or other portable devices. While this law is specific to Massachusetts, encrypting PII on portable devices is now an industry best practice. The procedures necessary for compliance, while intended to ensure the security of customer data, may inhibit the productivity of your services teams. This can be alleviated by investing in proper tooling to help your services teams complete their tasks. The tools themselves can be built or bought, but they must adhere to your security policies and help services teams gain efficiency in completing their work.
If implementing these tools does not relieve the perceived reduction in your services teams’ efficiency, you can help further bridge that gap by advocating for customer-facing product or process improvements that reduce customers’ need to contact them in the first place. Even if you achieve the ideal balance of tools and lean methodology in your services teams’ processes with your security policies, changes to how your organization functions may still be necessary. Change can often bring conflict and turmoil; one of the best ways to prevent these difficulties is to provide employees with transparency and context.
Transparency Begets Trust
Adding the context of personal and company brand consequences to your security training helps increase understanding and the sense of urgency. You are already working to make employees aware of the company’s security policies and agree to adhere to those policies. When you explain why the policies are needed in the first place, you are empowering your employees to assist in preventing your company from being the next data breach in the headlines.
There often seems to be something in the why that gets lost in translation, however. As security professionals, we strive to create and sustain awareness by providing a consistent best practices message. However, since your services teams may be elbow-deep in customer data, it’s important to stress a sense of ownership and personal responsibility in the company’s security as a whole. Discuss the effects of a breach in terms of financial impact to your company and how that would affect services team members. This can transition your organization’s security culture from one that holds people accountable to one where people hold themselves and each other accountable.
Along with providing employees with dos and don’ts, be clear about how your organization is already working to prevent a breach. An example would be to explain your employee monitoring efforts to track activity on the network. Yes, this program is documented in your employees’ manuals and included in the hiring agreements that they sign, but has the security team ever spoken to them directly about the extent of, and reasoning for, monitoring their activity? The key impact to stress isn’t that you monitor employees’ activity; it’s that your monitoring solution can expose an insider threat, which may prevent a breach.
Keep Your Services Teams Close; Keep Your Allies Closer
Security teams typically find their allies within an organization among those in leadership positions, as they are both on the hook for participating in audits and must provide content for business continuity planning. In worst-case scenarios, they may also be accountable for civil and criminal penalties or face unemployment should a security breach occur. However, as the landscape of cyber threats continues to evolve, you too must modify how you respond. Specifically, you need to look within the other departments of your organization for additional people who will champion your cybersecurity awareness message.
The best candidates to foster and enforce security policies and practices within your services teams are your subject matter experts (SMEs), privileged users, and white hats. All three present an elevated insider threat due to their depth of knowledge about your products and customers; their administrator access to your proprietary systems and customer data; and their determination to provide customer satisfaction in a timeframe that meets or exceeds expectations. If processes or policies inhibit these super-users from completing their work, they may choose to find less than desirable ways around those roadblocks.
No matter the design of your organization’s support model, it’s likely that you have one or more individuals within your services teams who have privileged user accounts of some type. These employees may have admin access to create or modify users and their roles to your core systems, tools, or customer accounts. Even if your organization practices least privilege, highly privileged accounts are a business norm due to the need to meet customer demands with immediate resolution. Investing in a logical access control tool with searchable logging can enable you to restrict access to data based on security role. This protects both your customers’ information and your privileged users by streamlining the evidence-gathering process for both internal and external audits.
It is equally critical that when you receive requests for this type of access, you question its necessity. Consider including higher-level leadership in the logical access control approval process and having your privileged users rotate responsibilities. This could take the form of periodically swapping tasks, such as who pushes code deployments to production or who manages the root account. These additional practices, if kept lean, can provide awareness surrounding the usage of your system admin accounts and additional checks and balances around your super-users. By rotating and monitoring your super-users, you may avoid single points of failure and/or fraud.
Another area of risk is your SMEs. While it can be incredible to watch an employee learn the ins and outs of your products, processes, and business, SMEs may become a bottleneck or an opportunity for exploitation. Do your SMEs face interruptions under the guise of favors? These could be benign requests to explain how a part of your product functions or to look up a specific piece of information, but they could also be more dangerous requests, such as where and how your encryption key ring is managed. SMEs must possess, or be trained into, a healthy sense of skepticism about the questions they’re being asked. They must understand social engineering and how to tell the difference between someone seeking knowledge for professional development and a human hacker looking for company secrets.
Lastly, this leads us to your white hats. Traditionally, white hats look for ways to penetrate your systems, providing your organization with an opportunity to correct gaps within your network or applications before malicious hackers can exploit them. However, if your white hats become disengaged or disgruntled with your organization, their knowledge of the gaps in your security or the data that you store could lead to that information being disseminated outside of your company. The risk that white hats carry is matched by their high value. If properly utilized, they can provide insight into how your authentication process, security systems, and application code can be circumvented without being picked up by a security scan. This expertise can give your organization notice of a security issue before it’s caught during a penetration test or, worse, by an external hacker who stands to profit off your data loss. Finally, they can be the key to identifying security policy restrictions that are being circumvented in an effort to provide customer satisfaction.
By now it’s likely that you’ve thought of at least one services team colleague with whom you can strategically partner to help educate peers and propagate a culture of protecting company assets through cybersecurity. The first step is awareness; now take the second step and propose a partnership with these strategic coworkers. Start by telling them what you are doing to make your customers secure, and help them understand how your efforts will result in greater success for both your services teams and your customers.