How can #infosec support those who support us?
Remember when I said there’s a whole other blog in the value of Executive Assistants (EA's) on the path to more secure organisations? Great! As discussed, EA’s are invaluable and it cannot be understated. Many moons ago … I was an EA for a partner in a law firm who focussed on personal injury claims. I took this role while I finished my degree off-campus. It was the 90’s and everything was a little bit oldschool by today’s standards..…back then, clouds were in the sky and being on the phone didn’t (usually) involve any angry birds. But while technology may have changed, what remains the same is the trust placed in EA’s to be madly managing ‘things’ in the background to keep their boss’s day running like a well-oiled machine. To achieve this, often EA’s are privy to shared passwords, strategic and commercially sensitive data and key personal information relating to their boss like passport numbers and their partners birth date. This constant stream of data (which is often printed, saved or passed on), makes an EA two things –
1. A lifesaver when it comes to supporting our senior leaders, and…
2. At greater risk of a socially engineered security breach.
They are the gatekeepers, decision makers and go-to people when it comes to information for and about their bosses which often requires making time-sensitive decisions which can lead to increased risk.
I’m not suggesting for one second that EA’s are the cause of all data breaches, phishing attacks or security related mishaps. What I am suggesting is that given the risk that EA’s carry, they should be some of the first people we target and educate as security advocates. Back in the 90’s I wouldn’t have known the risk of my boss sharing his password with me. Nor would I have considered the risk of sensitive information not being in a secure location (obviously this was long before I saw the #infosec light!). These days, we need to approach EA’s as the poster-people of security. For example: they need to be champions of the clean desk policy, have no passwords on post-its, not give out personal information (theirs or others) over the phone and refuse to take action that they feel contravenes security policies (policies which security folk have made consumable for busy people :) )….the list goes on but this is a good start.
EA’s contribute to the success of our organisations and are often supporting multiple senior executives which makes their following of information security principles even more critical. What are you doing to help EA's in your organization become information security champions?