Administrative professionals have an important role to play as information security champions, explains Lea Forster

Early on in my career, I received an email one morning from a colleague. It was the story of Little Red Riding Hood. Her mum asked her to deliver a basket to her grandmother and not to stop anywhere and not to talk to anybody. Of course, Little Red Riding Hood didn’t quite listen, so she stopped to pick some flowers and spoke with the wolf. And then, the email said that something unexpected happened and “click here to read what happened next”. Of course, I clicked. Nothing happened. I clicked again. Nothing happened. I was about to email my colleague asking them to resend the email when our IT team asked all staff to delete the email. They never fully explained why, and it was only later that we learned it was a virus that sent the email to all contacts in our email address book each time somebody clicked the link. Given we were around 3,000 staff, we nearly crippled our email system.

It may seem that we have become a lot more sophisticated and knowledgeable in how we work nowadays. However, it wasn’t until I started in my current role around seven years ago that I received any information security training. Administrative professionals can be one of the biggest targets given the nature of our roles and our access to our executives. We have an important role to play as information security champions.

What Is Information Security?

Information security is more than just your computer or phone, your password, and the internet. It covers anything that contains or generates information, on your device and around your office. This includes files and papers on desks, at printers, and in cabinets, information shared during discussions and meetings, post-its on walls, and information stored in online applications.

What Are Some of the Key Risks to Be Aware Of?

Distraction

We pride ourselves on our ability to multitask and juggle a million things each day. But this is one of the biggest risks, because if you don’t pay attention, it doesn’t matter what protection you have in place, how strong your passwords might be, or how up to date your computer system is – all it takes is for you to be distracted and click on a link or open an attachment that might be malicious.

Double the risk

We represent our executives. We live out of not only our own email inboxes, but also those of our executives. Cyber attackers know this. They know we are expected to be super responsive, so we are likely to open attachments when they are sent, and there is a risk that we might click on something without thinking about it.

Documents left on printers and desks

Imagine this: your executive asks you to print a sensitive document to be included in the Board pack. Your printer is in a central spot in the office. So, you time it carefully, press print, and prepare to sprint to the printer before anybody else gets there. But then, you are the go-to person, so you get stopped to answer a question or to help somebody connect to Teams in a meeting room, and before you know it, you are back at your desk completing the next task off your list. Then suddenly your manager asks if you printed the document and you remember it must still be at the printer, except by now it has been moved, and you don’t know how many people saw the document.

Eyes and ears around you

Just recently I was on the train and the person next to me was furiously trying to finish an important and sensitive presentation. As much as I tried not to look, it was hard not to notice what they were doing. I also work in a building with other businesses, and this means other employees share lifts with us and often continue a discussion from their meeting. With the more flexible way we are working now, we can find ourselves conducting more frequent virtual meetings at our desks or in-person meetings in more public spaces, potentially sharing confidential and sensitive information.

Impersonation

Cyber attackers sometimes create email addresses that make it look like the email is from your executive. There have been cases where the Assistant received an email appearing to be from their manager asking them to do something urgent like sending information, completing a financial transaction, or buying things like gift cards.

Unauthorised access

If you work in a larger organisation, how many times have you stopped somebody you don’t recognise to ask them if they are meant to be there? Do you genuinely check that nobody follows you into an access-restricted area? At our organisation, we have conducted some authorised exercises with some of our clients to test how quickly our consultant could find his way onto a floor, into a server room, and be able to send a message from an unlocked computer. We have often found that it was almost effortless for our consultants to gain access without anybody stopping them to verify.

Be mindful with AI

AI applications like ChatGPT are amazing tools that can save us a lot of time for some of our more repetitive tasks. However, anything you share in the public and open versions of these applications can become publicly available as soon as you press submit.

How Can You Work Safer?

It goes without saying that you should do the usual things like activating multi-factor authentication, creating and storing complex passwords using a password safe, and not using free Wi-Fi at places like the mall or airport. Some of the other things that you could consider include the following.

  • Stop, think, triple check: check that email, and check that you have the right attachments and recipients. Take a step back and check it one more time before you press send.
  • Critically consider any email requests you might receive to work out if these are legitimate.
  • Don’t discuss sensitive and confidential company information in public places, and this includes your reception area and the lunchroom.
  • Be mindful of what your online meeting recipients or your colleagues can see or hear during your meetings. Use a virtual background and consider meeting in private spaces.
  • Always lock your device when you step away from your desk and log out of applications.
  • Keep a clean desk by the end of your workday.
  • Don’t install applications unless you have checked with your IT team.
  • Hover over links to see the destination and check the email address of the sender before you open attachments and click on links.
  • If somebody who you don’t recognise comes onto your floor or tries to follow you through an access-control door, stop them and ask.
  • If you use the public or open versions of AI like ChatGPT, use generic prompts and avoid including sensitive, confidential, and personal information.

How Can You Become an Active Information Security Champion?

Information security is not limited to your IT team. We all have a role to play to protect our organisations and our information. And you are perfectly placed to become an information security champion for your organisation.

Advocate for security awareness training

All staff, including administrators, should be included in security awareness training. Include this in your induction and onboarding programmes, and advocate for regular refresher sessions.

Contribute to artefacts like clean desk policies

Check that your organisation has artefacts like clean desk policies in place. If not, advocate for these, and speak up if somebody is not following them.

Participate in tabletop exercises

A tabletop exercise is a simulated event, such as a pretend ransomware attack, in which a group of individuals work through a scenario together and then determine what processes need to be followed.

You might be aware of the more recent CrowdStrike outage. Whilst this was not a cybersecurity incident, it demonstrated that organisations should consider how to access information when it cannot be accessed online.

In your role as administrator, you could be the first to see an email to your executive from a cyber attacker if your system was compromised. It is important that you know what to do, and the role that you will play.

Understand privacy

Become aware of the privacy regulations that apply to your organisation. Understand what is considered a breach and how that should be handled.

Be informed

Read reputable sites to gain a better understanding of some of the common risks, threats, and attacks. This will enable you to be more aware and responsive in the right way.

Ask the right questions

Recently we considered signing up for a Board portal subscription to manage our governance requirements. We discovered that some of the options would likely not meet our security requirements. Ask questions to gain a better understanding of whether the provider has the right security certifications in place, how and where they store data, and whether they have security reports they could share. Ask your IT team to support you in your security assessment of applications.

Lea Forster is the Executive Assistant to the Chief Executive Officer at SSS – Cybersecurity Specialists in New Zealand and the recipient of the 2024 OfficeMax AdmiNZ Administrative Professional Award. Lea has worked in the cybersecurity industry for the ...
