Avoiding the Perils of Electronic Communications
Twitter, Slack, etc., have become undeniably important for business today, but they can cause a lot of damage. That's why an agile communications strategy is so important.
One of the more difficult and time-consuming exercises for security leaders is to analyze their company's electronic communications channels and work to codify and implement processes that take into account proper security hygiene. In my experience, there is no one-size-fits-all approach because every company communicates in different ways and uses different tooling.
Due to the proliferation of collaboration tools and social media applications, it's possible you don't even realize how many tools your employees are using to communicate. For example, your CEO's calendar probably shouldn't be publicly available to the entire company as there can be significant risks from free access to this information. Because a calendar is a trusted application, you likely wouldn't think twice about clicking on a link from a known source.
Evolution of Social Media
To be candid, social media applications have turned electronic communications into a difficult beast for CISOs to tackle. Take Twitter. This single application lets you reach global audiences instantly. While Twitter can be used as a mouthpiece to quickly disseminate news and spread awareness, there have been major downsides, and our society has yet to fully understand the ramifications of these.
One of the most notable incidents occurred in 2013, when a single tweet from the Associated Press's verified account shared that there had been explosions at the White House and President Obama had been injured. A hacking group claimed responsibility for the tweet and the resulting stock market nosedive erased over $136 billion in equity market value in the three minutes following the tweet. The fact that one tweet could do this much damage was a wake-up call that we need to think long and hard about how systems are designed to curb potential abuse.
Additionally, any organization with sensitive intellectual property should take into account the lengths that sophisticated actors will go to breach its electronic communications — especially social media — including the use of insiders. For example, in late 2019, it was reported that two former Twitter employees were working for Saudi Arabia to spy on targeted users. It's vital to account for these channels in employee training. While they might not associate Twitter, Instagram, or Facebook with a work-related threat, given the trust we place in our favorite social media apps, vulnerabilities in them can be leveraged by skilled adversaries as a foothold into an organization's network.
While some might think of traditional electronic communications threats as simply phishing attempts with your email, there are dozens of channels that a CISO must consider when setting company policies. Due to the impact of a single tweet or post, these applications for your C-suite and senior leaders should be locked down and access should be contained to as few people as possible. Additionally, best practices such as implementing two-factor authentication will help to protect your organization.
Communication Policies Must Be Agile
At MongoDB, our most-used communications tool is Slack. The Slack platform is vital to asynchronous work with a global employee base and, in total, over 50 people were involved in the process of writing our new policy before the final guidelines were shared companywide. We consulted representatives from different teams across the company to get feedback on policies and wording to make sure it would resonate with everyone.
This might not be a surprise, but feedback from members of our engineering teams was that there should be no ambiguity in the policy. It was important to write and set a policy that ended up being very prescriptive without sounding condescending. Additionally, we also incorporated different data retention standards for things such as attachments, direct messages, and all communication in public versus private channels.
It's important to educate our employees on data classification. Below is how we classify data into four groups as part of our company data security policy.
Classification Level | Summary | Damage to Company if Data Leaked |
---|---|---|
Public Data | Intended for public consumption | None |
Internal Use Only | Intended for widespread company consumption, but not sensitive | Very minor to none |
Confidential | Sensitive and intended for only limited persons | Considerable |
Highly Confidential | Very Sensitive, need-to-know, and limited distribution. | Grave, severe |
Having a prescriptive and thorough data security policy available as a living document to all employees can provide a valuable resource for asynchronous work. Engaging in ongoing education throughout the year helps build a secure culture and make sure this information is top of mind for employees. This can be as simple as a quarterly email for some people or addressing security-related questions at our monthly all-hands meeting.
Why Security Enables Innovation in Our API World
Given our roots as a developer company, modern tooling for software development is all through APIs. These integrate into Slack, which creates alerts and additional communication channels. While these integrations are hugely helpful, the best way to take into account security is to have each potential application vetted for security hygiene and assessed by our procurement and security teams before network integration.
Identity and access management with your APIs in the cloud is vital whether you're developing software or work on a different team. For instance, someone who isn't on an engineering team at MongoDB likely doesn't need access to our GitHub API in Slack. If there is an ad hoc reason, that can go through the proper protocols to authorize only that user.
We believe identity and access management not only keeps us secure but also fosters greater innovation. Being able to implement secure processes into workflows and maintaining agile policies for your organization's tooling is one of the key parts of a security leader's job, but don't be surprised at how difficult and time-intensive it is.
Related Content:
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "How to Prevent an AWS Cloud Bucket Data Leak."
About the Author
You May Also Like