Communicating Cybersecurity in Companies
May 11, 2018
A couple of weeks ago, we received an email from one of our colleagues saying: “Dear all, please do not open email entitled “payment copy”. It looks very suspicious, and an attached file will probably contain some sort of malware or virus!” The interesting part was that his email was entitled “payment copy.”
In 2013, right after my graduation, I joined a marketing team in one of the Moscow airports. My recruitment process consisted of 3 stages of security checks, which in total took over a month. It started with a standard examination of my background, including criminal convictions, credit history, etc. This part didn’t surprise me; it is a common practice around the world. Though it causes debates among some professions, nothing is outstanding about it in general. After two weeks, I received an invitation to the second stage, which consisted of 2 steps: medical inspection and a polygraph. Now I was worried. I had lived in Europe for almost ten years, where these practices are illegal in many countries, and employee privacy is a big concern. I asked my friends, and they said that while it was nobody’s favourite, it was quite a common practice in Russia. First, I went through a psychological evaluation and drug testing. Then, I went on to a polygraph. The questions were all aimed at determining if I had any gambling, alcohol or drug addictions that could affect my working performance. A week after the results came in, I was invited to the final stage of the security check, which again included a lie detector and was aimed at inspecting my ethical characteristics (corruption, sharing information, etc.). The process was conducted by high ranking security services, and I experienced a live version of the famous “Good Cop, Bad Cop” technique. It wasn’t pleasant at all. I was so frustrated at the end that I was going to decline this offer.
When a recruitment officer called me to say that I had passed, I chose to decline the offer. Then she explained why security in airports is so crucial: besides the well-being of thousands of employees, passengers’ privacy and even their lives could be at stake. Though some of the personnel don’t deal directly with aviation matters, their sloppiness can expose the airport to hackers and even terrorists. In fact, the security inspection is only the beginning. Once a person is accepted, they go through compulsory learning on data protection and have to follow a strict protocol on the use of information systems. For example, if they forget to lock their computers or if they forget their login details, they pay a fine. Her explanation was pretty clear. So, I joined the airport.
It was my sixth month when one of my colleagues asked me to help her with her password. She forgot it, and as mentioned earlier, employees have to pay a fine and even face probation. I said: try your Name1234. She replied: this is what you think of me after so much time at the airport, stop being funny and help me out. She looked desperate, and I felt bad for such a remark. I started asking her various questions, and eventually, she did remember it. Her password was: Work1234. The reason she forgot it was that her previous passwords were usually Work2013, Work20131, Work20132. They had to be updated every three months, and as it was getting more and more “complicated”, she changed it to Work1234. When she failed 2 out of 3 attempts, she panicked that the Information Systems (IS) security team might find out.
I worked at the airport for a year and a half. I had to learn a lot about cybersecurity. For every marketing project that I had written, I had to include statements on assuring information security. Every agency I worked with had to go through full inspection and sign numerous papers on data protection.
I got interested in this topic; I started following the news updates on cyber-attacks around the world and researching progress on these matters. I have noticed that though the public became more aware of it, especially after the elections in the US, they still aren’t so cautious about it. For example, many companies either use very primitive information security systems or the ones set by their software providers. Another concern is that, though there has been a significant improvement in cybersecurity measures, they are usually reactive by nature. Every day we are better protected and more prepared, but mostly from the things that have already happened.
However, the main issue with cybersecurity is precisely the one I experienced in one of the most secure institutions. The company has taken many actions to make sure that no cyber threat can enter, and it has enforced a strict set of rules to protect its information systems. All the while, it failed to communicate the importance of it. The recruitment officer spent 5 minutes on the phone highlighting the reasons behind such extreme security measures. And yet there was no training on this matter - just a compulsory course on IS protocol. In the case of my former colleague, her primary concern was to avoid penalties. Because it was enforced so rigorously, she panicked at the idea that the IS team might catch her. All the measures to protect passwords with symbols led to the password Work1234. The point is that we are more interested in satisfying the programs we are using (as the famous comedian John Mulaney observes, proving to robots that we are not robots), rather than protecting ourselves.
The public will not be protected from hacking unless governments start educating people about cybersecurity. The companies are not going to be safe from hacker attacks unless employees understand the principles and value of data protection.