Lessons Learned from Employee Responses During Cyber Risks

Blog Post

By: Mark Sangster, VP, Chief of Strategy

I recently listened in on a call with senior executives of an international organization that had learned about a clever scheme going around that sent alerts to employees and then impersonated their HelpDesk to lure victims into installing a rogue remote access tool.

A deeper analysis revealed that over 200 employees had downloaded the malicious remote access tool, and a baker’s dozen computers had been infiltrated and exploited.

One executive discussed terminating the employees because “they should know better,” while another stated how she always reports these “obviously fake” emails and would “never violate company policies.” Unfortunately, she didn’t report this phishing campaign, or they would have noticed sooner. What’s worse, one exploited employee spent the weekend in fear that Monday would bring her termination for infecting the company.

This incident serves as a sobering reminder of the need for collective learning. A thorough coaching session with this executive team would have reinforced their obligations and emphasized the fact that this was not the first time something like this had happened. In the past, they had been greatly affected by a ransomware outage that cost the company millions. However, these incidents should be seen as opportunities to learn and improve.

If they had implemented controls on administrative access on devices, it would have prevented unwanted application installations, and the installs that did occur should have been detected by their monitoring services. The point of this story is to remind us that cybersecurity is a team effort in which every level of the organization has a responsibility to know their job and carry their pack.
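As an added illustration of the monitoring side of that control (example code, not from the post or the organization it describes), the script below parses constructed software-install events and flags any install performed by an account outside the deployment group, any product outside an approved list, and anything whose name suggests a remote-access tool. The log format, product names, account names and keyword list are all assumptions for the example.

```python
import re

# Constructed sample install/process events (not from the incident in the post).
# Format: "<timestamp> host=<host> user=<user> event=<event> product=<product>"
SAMPLE_EVENTS = [
    "2024-01-08T09:12:01 host=WS-0142 user=jdoe event=install product=QuickSupportRemote",
    "2024-01-08T09:13:44 host=WS-0142 user=jdoe event=process product=QuickSupportRemote",
    "2024-01-08T10:02:10 host=WS-0077 user=svc_deploy event=install product=Microsoft Teams",
    "2024-01-08T11:30:00 host=WS-0201 user=asmith event=install product=AnyConnectHelper",
]

# Hypothetical policy: software the organization has approved, and the accounts allowed to install it.
APPROVED_PRODUCTS = {"Microsoft Teams", "Corporate VPN Client"}
INSTALL_ACCOUNTS = {"svc_deploy"}
# Hypothetical keywords that suggest a remote-access tool; tune to your own estate.
REMOTE_ACCESS_HINTS = ("remote", "support", "rmm")

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) event=(?P<event>\S+) product=(?P<product>.+)$")

def parse_event(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def classify(ev):
    """Return the findings for one event; an empty list means nothing to flag."""
    findings = []
    if ev["event"] != "install":
        return findings
    if ev["user"] not in INSTALL_ACCOUNTS:
        # A standard user completing an install means local admin rights are not locked down.
        findings.append("install by non-deployment account")
    if ev["product"] not in APPROVED_PRODUCTS:
        findings.append("unapproved software")
    if any(h in ev["product"].lower() for h in REMOTE_ACCESS_HINTS):
        findings.append("possible remote-access tool")
    return findings

def triage(lines):
    """Map host -> list of (user, product, findings) for every flagged install."""
    alerts = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        f = classify(ev)
        if f:
            alerts.setdefault(ev["host"], []).append((ev["user"], ev["product"], f))
    return alerts
```

Calling `triage(SAMPLE_EVENTS)` returns the two hosts where a standard user installed unapproved software, which is exactly the population an incident responder would want to isolate first.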

It is also a reminder about the crucial concept of expect-actions: the combination of employee expectations in each situation and the actions they take (or do not take) in response. Understanding and applying this concept can significantly enhance an organization’s cybersecurity.

Managing Employee Expect-actions

These are all examples of expect-actions. So, what can leaders do to ensure employees are part of the solution and don’t add to the problem? Here are four things to consider:

#1 Employees deserve to know.

Ten years ago, a large, privately-owned manufacturer was hit by a ransomware attack. Employee communications were laissez-faire and brushed off the impact on employees and their stolen financial and healthcare information. One employee filed a police report and made the incident public.

Remember, in a cyber incident, employees are potential victims too. Their records might be exposed and stolen. That’s their financial information, secondary information used to validate their identity, and healthcare information. To correct one misguided CMO, exposure of this kind is NOT the same as “information surrendered when writing a cheque in a store.” It’s not even close.

Treat your employees like stakeholders because they are. Keep them informed, be compassionate, and consider that their socio-economic factors differ from yours. They are scared for their livelihood and financial future.

It’s also essential that employees respond appropriately to the situation. When Equifax was hit in a cosmic-scale data breach, uninformed employees engaged customers with the regular flair of company cheerleaders. Customer calls and chats started with introductions like “Happy Friday! You’ve got Steve ready and willing to help with your customer service needs today!” Below are a few customer responses:

#2 Establish rules of engagement.

Every employee should know their role throughout an incident, from early stages, like reporting a potential phishing scheme, to handling media inquiries in later stages when the incident is exposed publicly.

For those behind the camera, ensure employees refer the media representative to the proper people after collecting the journalist’s name, outlet or publication, deadline date and time, nature of the request, and relevant contact information. But remember, you are not obligated to answer direct questions from journalists. Be polite, not speculative.

#3 Good intentions can lead to bad outcomes.

Sometimes, good intentions lead to negative consequences. When DLA Piper was struck with ransomware, a well-meaning IT employee placed a whiteboard in their lobby warning clients and employees of the attack and asking them to avoid connecting to their network. Clients took to social media in frustration, and within hours, national media outlets were filling their news hour with the emerging story.

This incident reminds us that cybersecurity is not an IT problem to solve; rather, it’s a business risk to manage.

When I tell this story in boardrooms, executives often react judgmentally and rail against employees taking unilateral actions. Imagine, though, if the employee’s actions had helped protect the company: they would have been hailed as a hero. So, it’s an ambiguous line to cross. Erase the ambiguity by creating a decision-making matrix. Detection of potential incidents should flow upwards to leaders tasked with critical decision-making. These leaders must consider the potential consequences (second-order effects) and find the least bad option when things aren’t going the organization’s way.

#4 Avoid misrepresenting the company.

In a similar incident, the CEO of a firm met the press out in their parking lot and pretended to be a mid-level employee to convince the local TV reporter that there was “Nothing to see here. Move along.” Of course, the next day, he had to go in front of the same cameras (and reporter) to admit to the incident. You can imagine how well his 180-degree turnabout went and how favorable the resulting coverage was.

When it comes to media inquiries, it’s important to communicate specific responses. Media representatives will call and email multiple levels of the business or organization. In most cases, costly sound bites result from flustered employees trying to do the right thing. Or, in the case of an untrained executive, taking matters into their own hands using grade-school drama techniques.

Only authorized representatives should conduct media interactions, and these people should be trained. There is a litany of “what not to do” videos on YouTube showcasing executive blunders: the CEO of BlackBerry melting down and storming out of a BBC interview because the interviewer was more interested in their tanking stock than the launch of the late-to-market tablet; the CEO of a major food chain singing “We’re in the money” while being interviewed about a merger with their next largest rival (subsequently the deal was stopped by the British Parliament); and, of course, the CEO of BP lamenting about “wanting his life back too” after the sinking of the Deepwater Horizon flooded the Gulf Coast with billions of gallons of unrefined petroleum (not to mention the loss of life and livelihoods). Representatives must be trained to manage the glare when the red light goes on.

Empower Your Employees

Employees can make a difference in a cyber incident. The best thing leadership can do is prepare their teams to manage an incident. That means considering cyber risk end to end, from measuring obligations to budgeting, training, and testing, and building incident response plans and teams. They are your greatest assets during an incident. AI won’t help you. As one CEO under a ransomware attack lamented, “cybercrime is a crime you have to manage on your own.” He is right in one respect. Heavy is the head that wears the cyber crown. But you’re not alone. You have your team. Lean on them. Know their expectations, set clear guidelines, and give them the what and not the how. This will empower your team to be solution-makers.

At the end of the day, cyber incidents are complex and emotionally stressful. Adlumin’s Security Operations as a Service Platform can help prepare your executive leadership and provide no-obligation security briefings.