October is Cybersecurity (or, for the less civilized, ‘cyber security’) Awareness Month. Every October, CISA hosts security awareness presentations. Additionally, Cybersecurity Awareness Month means an increase in jaded posts by InfoSec professionals on Twitter and emails from corporate reiterating security basics. There are plenty of positives to be found. Individuals are increasingly familiar with security basics such as using a strong password, and password managers have helped in that direction. Moreover, two-factor authentication has become more widely adopted, albeit with some expected grumbles. The largest vulnerability may lie with phishing. It takes a lot of practice and experience for someone to regularly identify a phish. Other times an offer (if real) sounds too good to be true and leaves you questioning the requester’s motives.
A member of our security team recently received a LinkedIn message from a consultancy group, “working on a project to better understand the cybersecurity optimization space.” For a 30–60-minute phone call, the team member stood to earn a pro-rated honorarium of $400 per hour in the form of a virtual pre-paid Visa Card. The honorarium increased the following day to $600 per hour after the consultancy associate followed up. What would you make of this if you received this request?
Some employees would look at this offer as a great opportunity to make a quick pay-out by sharing a few “harmless” details. Others may not think twice, as they might consider this a scam at first glance and ignore the message. A third camp may see something more pernicious. The answer isn’t straightforward, as it requires additional information. Is the associate who reached out confirmed to work for the consultancy (a firm we confirmed to be real and with a large global presence), or are they impersonating one? This question leads to our main point: is this information reasonable to share with a third party, and, regardless of who the recipient is, would an employer consider sharing it a breach of confidentiality of company assets? The consultancy associate (presuming this is not a scam) even mentioned the possible limitations on receiving a payment, which is restricted “to individuals who are authorized to accept such payments by their organizations or are not otherwise prohibited to do so by law. Even if you are not able to accept compensation, we would value your opinions regarding this topic.”
There is plenty of open-source information to be found on most companies. This rings true for larger companies like Netflix, where you can view some of the tools they use (if accurate) on websites such as StackShare. Actual security solutions are noticeably missing from Netflix’s StackShare page (except OneLogin), and that’s no surprise. It doesn’t make sense to publicize what security tools your company employs, as it offers attackers insights into your security apparatus. Answering questions such as “Does your company purchase cybersecurity services or applications from any external vendors?” and “Please indicate which (if any) of the following cybersecurity vendors you a) currently use; b) have use” involves divulging too much information.
This doesn’t imply that there is anything wrong with taking part in a consultancy’s Q&A, as it is important for these firms to understand the overarching security landscape. But how this information is revealed is the crux of the issue. When employees sign their hiring paperwork, it will often contain clauses that prevent, or require approval for, earning income outside their primary salary. In addition, there are stipulations on confidentiality and on what is considered sensitive and/or proprietary. Therefore, if you are approached with this kind of honorarium offer from a consultancy or other third party, it is important to bring it to your employer’s attention to ensure you aren’t breaking any contractual agreements. For anyone in management reading this, it may be a good reminder to reiterate to your employees what the basic expectations are for sharing company information.