When it comes to advocating for cybersecurity in today’s climate of supply chain attacks, ransomware, and political instability, pointing fingers at who’s responsible won’t get any of us very far. I believe, instead, that there’s an imperative for everyone to be a security advocate. I’ve learned that it’s more a mindset than a specific role or responsibility.
Take, for instance, the common “if you see something, say something” signs plastered along the NYC public transit system. We’re training the public to be on the lookout for potential risks. The same goes for the tech industry when it comes to securing our most valuable assets. But how exactly do we do this at Salesforce? With the help of our customers!
Put it on loop
At Salesforce, our customers place immense trust (our number one value!) in our ability to keep their systems running and their data secure. In the medical industry, this might be patient information. In the financial services industry, it might be investor accounts. And countless governments and localities use Salesforce to track COVID-19 vaccinations. Considering the sensitivity of this data, a successful attack by hackers could be catastrophic. Our customers deserve to know what security precautions we take and why they should trust us to hold their data.
As a Director of Information Security for Salesforce, I spend most of my time doing security advocacy work as part of the Security & Compliance Customer Success (SCCS) team within Salesforce’s greater Information Security organization. In addition to educating customers about Salesforce’s security innovations, my team also advocates on behalf of our customers to internal product and engineering teams, creating an important feedback loop.
Information security is a journey, and Salesforce recognizes the importance of learning from our customers’ security requirements and innovations so that we can continually improve. My team is the conduit that channels these ideas to the right engineering teams within Salesforce, and to Salesforce leadership and executives for visibility, so that customer needs drive continuous security uplift. We’ve also developed tooling to track and manage every security concern raised by our customers so that even the highest levels of our leadership can see what is open and what has been resolved. Being this critical voice of our customers’ needs is part of our defense-in-depth approach to security: an approach that layers technology, process, and people so that no single control is a single point of failure.
Learn the security basics
If you see something, say something
When it comes to the “people” part of our approach to security, every Salesforce employee plays a critical role. We don’t want to make our workforce paranoid. However, we work hard to train them to identify suspicious activity that could mark the beginning of something more serious. Phishing emails are a great example of this. According to industry estimates, between 75% and 91% of attacks begin with a malicious email. Today, these social engineering attempts to con people into clicking on nefarious links or giving up credentials and other sensitive information also extend to text messages, QR codes, social media, and the dreaded robo-call.
The term “con” as used in the phrases “con artist” and “con game” derives from the word “confidence”. Cons inevitably rely on gaining the confidence of the “mark” or victim by using psychology. The con artist may play on the victim’s desire to help, or on the victim’s ego. Who wouldn’t hold a normally locked door open for someone struggling with two dozen boxes of pizza at lunchtime?
Similarly, attackers may pose as neophytes in the victim’s industry, and attempt to establish a connection with the victim via social media (connection requests generate dopamine in our brains which make us feel good). The attacker may then ask “innocent” questions, aimed at gaining a deeper understanding of the tools and procedures in place in the victim’s company.
The recent interaction below highlights how once the attacker has primed the mark to get used to answering questions, they will often escalate the conversation to try to get information they shouldn’t have access to. In this case, the information could be used to either impersonate me or identify others in my circle.
Every year the venerable DEF CON hacking conference hosts the Social Engineering Capture the Flag, a competition in which professionals call a target company and attempt to “innocently” elicit internal information using various guises and ruses. Watching the results of these professionals is educational and bone-chilling.
The whole world, in your hands
While information security teams can take steps to reduce the number of malicious emails that reach inboxes and to detonate file attachments in a sandbox before delivery, nothing is foolproof. We need everyone’s help. The types of attacks outlined here (along with countless other cyber threats) require every employee to have the mindset of a security advocate on behalf of their employer and customers.
How do we as leaders engage our workforce to act as security advocates on our company’s behalf? We’ve found that making it fun, and ensuring that employees feel both empowered and valued, makes a world of difference. I recently received the email below from Salesforce Security after reporting a phishing attempt. I am congratulated, thanked, and the impact of my small action is made clear to me.
Of course it’s unrealistic to expect a 100% success rate in preventing employees from interacting with a risky email. Statistically, 12% of individuals who receive malicious attachments will click on them. If your company has more than a handful of employees, your odds aren’t great: with only ten recipients of the same malicious attachment, the chance that at least one of them clicks is already about 72% (1 − 0.88^10). But that only underscores the importance of security education for all.
We find it important to not make employees who’ve clicked on something they shouldn’t have feel like they’ve failed. Instead, these employees should be reassured that they can do better next time, and provided with links to further training. We have found that positive reinforcement leads to significantly better results than shaming does.
Start here
At Salesforce, we don’t just build security into everything we do; we also share our tools and lessons learned with our ecosystem of customers and partners. We do this because we know that if we can all be better at keeping data private and secure, then we can focus on innovation and growing stronger together.
I hope that this blog post has provided you with food for thought. I encourage you to become a security advocate and to enlist others to do so!