Be a “PAMbassador” and help your workmates be cyber smart
If you are an IT or cybersecurity professional with experience in privileged access management (PAM) solutions, you will have learned a few things.
One is that people are just as important as technology. Cyber smart employees are a huge asset in protecting organisations against risks. And whatever technology is employed, you must take people into account and strike a balance between usability, productivity and security.
Another is that an organisation's cybersecurity journey is never over. As the cyber threatscape evolves and new risks emerge, PAM and other Zero Trust strategies provide new controls to adapt to the changing environment and mitigate risk.
These realisations are not unrelated. PAM is a powerful tool that helps organisations move from a starting point where cybersecurity is bolted on top of existing processes and technologies towards establishing a 'cybersecurity by default' practice.
Going on that journey involves understanding people and how they contribute to the cyber risks that organisations face. It also involves implementing security controls that mitigate those risks in a way that often requires people to change those behaviours.
And because of this, the speed of your PAM journey is dependent on how successfully you can engage with people and educate them about the role they play in contributing to cybersecurity – or the opposite.
There is a twofold benefit in helping people understand cyber risks. Cyber smart people can reduce risks to the organisation and be more accepting – even welcoming – of new PAM controls. Cyber smart people will also see how it benefits them personally, relieving them of the burden of cybersecurity and helping them to do their jobs.
That is why if you have PAM experience, you should also be a "PAMbassador" – a cyber ambassador who can offer advice to other employees.
Right now, with the threat of ransomware and risks associated with hybrid working top of mind, there is no shortage of ways to put your PAMbassadorial skills to good use! Here are five top tips from ThycoticCentrify's own PAMbassador, chief security scientist - advisory CISO Joseph Carson.
1. Be cyber smart
Never be afraid to ask for advice. If you see something you're not quite sure about, ask a colleague or a friend for advice – for example, before you click or open an attachment. Organisations should have a cyber ambassador who can offer advice before staff fall victim to ransomware or a piece of malware that will steal their credentials. Asking for help is the cyber smart move.
2. "Phight" the phish
Phishing can appear in many different types of communication, not only emails. Threats can come from SMS, social media apps, messaging apps and many more. It is important to remember that if anyone asks you to perform an action via any of these methods – such as sharing sensitive data, entering a password or opening a link – always be suspicious. Verify directly with the sender using an alternative method such as calling them directly to confirm the request.
Attackers will always try to abuse your trust, so you should always be cautious if your manager or anyone else asks you to transfer money or buy gift cards – because this could be hackers trying to scam you. Never be afraid to double-check – "phight" the phish by knowing when to verify suspicious requests.
3. Explore, experience and share
Cybersecurity is a top challenge for society, and we must all work together to reduce the risks. You are only as secure as the people around you, so it is important to help others learn how to be cyber safe both at work and at home.
4. Use a password manager
Start moving your passwords into the background by using a password manager. You may be using your browser to store them, but your browser security is likely turned off by default, meaning that if an attacker gets access to your device, they'll also have access to all your credentials.
5. Adopt a cybersecurity first approach
Cybersecurity must be usable and be moved into the background. Security by design is no longer enough, and a cybersecurity first approach means that we need security by default. To achieve this, businesses can build security into products and processes, provide training as part of employee onboarding and arm workers with all the tools they need.
The bottom line, according to Joseph, is that people need to start to take a proactive approach when it comes to cybersecurity. Gone are the days when IT teams would be crammed away in a separate room from the rest of the company. Now, experts must be ingrained within business teams so that cybersecurity is literally built into the very fabric of an organisation.
As PAMbassadors, we must take every opportunity to lead the way.
For further information, read ThycoticCentrify's Cyber Security Team's Guide: Balancing Risk, Security and Productivity research report.
About the author
Andrew McAllister is ANZ vice president for ThycoticCentrify, a leading cloud identity security vendor that enables digital transformation at scale, and leads the team of cybersecurity professionals who deliver world-class solutions to protect organisations.