Turning Adversarial Users Into Allies

An employee just sent an email to our security team, “Tomorrow is my last day and I’d like to move some personal pictures I saved on my work drive to a personal drive. Just letting you know and I’ve copied my manager so everyone is in the loop. Let me know if you have any questions.”

Whaaat? Since when do employees call out “I’m about to do something” to your security team? Is this just a randomly odd security-minded employee? Yes…and no. At Code42 we’ve intentionally closed the gap between employees and the security team, and we work together to protect the company. It sounds utopian and surreal, but I’m here to tell you it can be done. It’s not hard, but depending on your current situation it may take a bit of time to build out.

Let’s start with day one. Do whatever you can to get a security presence in onboarding. If you can only get 5 minutes, take it! That’s where you’ll plant the seed that you aren’t “out to get them” and that you need their partnership and expertise to protect the company. Let them know you’ve got their back, but that there’s only so much you can do without them. Tell them how to reach the security team with questions or to partner on new projects, and where to look for important security updates. Tell them how to report concerns and suspicious emails, phone calls, etc. I let them know that we are going to phish them, not to trick them but to help them build the muscle memory to quickly spot and report suspicious emails. But the most important thing you can do is let them know that you will not report them upward or get down on them if they make a mistake, unless perhaps it becomes an ongoing problem.

If you can do that, congratulations! You have just laid down a big, colorful, inviting welcome mat with your newest employees. The relationship is off to a great start. But as with any relationship, you must work to maintain the good vibe.

If you’ve got additional monitoring tools, this is also a good time to have that conversation. We’ve (obviously) got Incydr, which watches for data moving off of and onto our trusted environment. Are we sitting around waiting for them to exfiltrate data? Of course not. We don’t have that much time on our hands. So we ask folks to let us know if and when they have a business (or personal) reason to move data, so our team doesn’t waste time going down a rabbit hole for no reason. And if they proactively let us know, they avoid that awkward call from the security team, and we can suggest ways to move the data that better protect it: an encrypted drive, or an approved storage or sharing solution they may have overlooked. They are on our front-line defense team, and they can rest assured that we’ve got their backs if they forget or mistakenly move data to an unapproved destination. Is there ever a need for discipline? Of course, but unless there’s solid evidence of malicious intent, it’s likely just an opportunity to educate and course-correct. We always start any conversation by presuming positive intent, which, let’s be real, is most often what’s going on when our corporate data leaves us.

Our Insider Risk Management team does an awesome job of presuming positive intent. If confronting employees falls to folks on your team who are less comfortable having those types of conversations with your users, we’re happy to share the templates our team uses to keep the tone positive and productive. Every company has its own culture and messages should reflect that, but here are some generic phrases you can start with, or give your teams to use, that support a positive relationship between users and the security/risk team:

Our records indicate that you are overdue on your security training. Can you confirm?
The user will probably come back with something like, “Sure, how do I do that?”, which helps shape the conversation: they just need more education on how to use the LMS, for instance.

It looks like you may have clicked on the last phishing email with the subject “XYZ”. Does that sound right?
Most often the responses I get are, “Shoot, it’s true! I’m usually much better than that,” which tells me they take pride in not clicking links and simply had a human moment. Remind them that it helps protect the company if they let the security team know when they have clicked on a link they shouldn’t have. If it is truly malicious, we can get to work on it right away. If it is just an exercise, we still want to be sure they know they need to report it to us and how to do so. Those are metrics I value as much as, if not more than, click rates.

Attackers can find their way into corporate networks and often do so to steal data. Our security tools are set to alert on any data moving off our network so we can look into whether it is one of our own just trying to get work done or whether we should investigate a potential security incident further. We are showing that the following data was moved from to on your account, and we didn’t get a heads-up from you. To help us minimize data loss, can you kindly confirm by & whether you are aware of this? If we don’t hear from you, we will assume it is unwanted data leakage and we will need to , to minimize the damage.

If there is no response, you may have a malicious case on your hands, and you can use the follow-up below.
We sent an email to you on and requesting an urgent response and have not heard back from you. To protect our company, we have or to help minimize damage. If this was an intended action by you, please respond so we can reverse course and get you back up and running.
If they respond, tell you it is true, and give you a valid reason for doing so, use it as a teachable moment and remind them how helpful it is to get a heads-up next time.

These are simple suggestions for opening an email; more detail will likely be needed. Not every culture will find an easy path toward this kind of synergy between users and security, but there’s no better time than now to get the ball rolling. If you are a larger enterprise, consider carrying the tone of these suggestions into your templated responses.

If you’d like additional information on how to monitor for unwanted data movement in your organization, check out how Incydr works. If you just want to chat about creating productive security cultures at your organization I’d love to connect any time. You can find me on LinkedIn at https://www.linkedin.com/in/chrysa-freeman/.

For more blogs from our extremely talented Code42 security team, find them at redblue42.com.