CHAPTER 5

Security Awareness and Employee Resilience

If someone were to ask me what the most important chapter in this book is, I would pick this one. Security awareness forms the very heart of a corporate security effort and will determine whether security policies, measures, and strategies will be effective or not.

You can have the most advanced security systems in the world, the most properly equipped security teams, or the highest level of physical security, but if there’s not a sufficient level of security awareness throughout every layer of your organization, the chances are that all those measures will eventually fail. Security, and especially counterintelligence, is a science that revolves around human nature, reactions, choices, and behavioral patterns and at the end of the day could very well be considered a social science. From a practical perspective, it also means that humans are the most valuable asset as well as the most hazardous threat when it comes to security and counterintelligence.

This chapter will teach you how to optimize the former and minimize the latter to the greatest extent possible. Security awareness is a trait that every member of an organization and those associated with it should possess. Managers, employees, supervisors, contractors, clients, visitors, and vendors all need to have a sufficient level of security awareness in order to reduce the chances of loss events as far as possible. A culture of safety, security, and counterintelligence needs to be created in order to make counterintelligence efforts as efficient and smooth as possible. I’m writing this chapter to create mindfulness as I’ve witnessed firsthand how many businesses from all industries have suffered dramatic loss events because of poor security awareness and employee resilience. In terms of counterintelligence it is important that a company makes its employees resilient and prepared for hostile intelligence activities. If everyone abides by the same standards and principles, chances of disclosing sensitive intelligence are reduced significantly.

Over the course of this chapter, you’ll learn the following:

• The importance of a security culture in every layer of an organization
• Methods to increase security awareness through every layer of an organization
• The importance of double loop communication
• The dangers of employee manipulation and corruption in today’s corporate establishments.
• Methods to increase employee resilience against hostile intelligence activities
• Ways to motivate people to become part of a solution.

Security, safety, and counterintelligence awareness is important for every business regardless of its operations or activities. The methods and strategies explained in this chapter will be applicable to all corporate environments regardless of their scale or fields of expertise. Addressing security awareness and employee resilience is addressing the entire dynamic of an organization and the way in which that organization performs its day-to-day operations.

The Importance of a Security Culture

Security, safety, and counterintelligence are more than just a few measures and strategies put together. They should be a way of business, a way of life, a culture that needs to spread through every layer or aspect of a corporate environment and inspire as many people as possible along the way. Everybody—not just regular employees and managers—should feel the inspiration in order to contribute to the overall security and safety of the organization.

Think about cleaning ladies, suppliers, visitors, contractors, clients, vendors, everybody who is associated with a business in one way or the other.

This principle lies at the heart of security awareness and is one of its most important aspects.

Loss events, accidents, disasters, or other negative events are often caused willingly and unwillingly by employees, contractors, managers, visitors, and other parties directly or indirectly associated with the organization. Most of these events are caused by unawareness, defiance, and poor focus. Examples can include mistreating or abusing dangerous operating machines, disclosing sensitive information, and misplacing sensitive objects. Much of the risk a company is faced with originates within the company itself. With the various processes and operations going on throughout the day in a regular work environment, it becomes all the more likely that accidents or loss events can occur.

With the incorporation of cyber equipment and IT infrastructures within corporate environments, new threats and hazards such as phishing, social engineering and malware require employees and users of such infrastructure and equipment to be more aware of the dangers and hazards and the ways to properly conduct tasks on such systems. Apart from that there’s the danger of cyber infiltrators looking to steal sensitive intelligence or corrupt the digital operating systems of a business. The results of these attacks can be devastating for a corporate environment.

In a growing development, the staff members of organizations are targeted by hostile parties such as criminals, competitors, and in rare cases even terrorists. This is because such parties understand the vulnerability that poorly educated and trained staff members pose to an organization.

By becoming more aware of the threats and hazards that are out there staff members and other parties associated with the organization will become more resilient to such threats.

It is important to integrate security awareness into every aspect of an organization. Look at it like a strong metal chain that needs to keep two different objects in balance. If there’s a weak link in the chain, the chain will fail in its duty and the objects will fall apart.

The same concept can be applied to the security effort in an organization. Without security awareness among staff members and other involved parties, there’s no foundation of security; without a foundation of security, measures and systems will become much less efficient and will fail to live up to their potential.

Think about the security or counterintelligence effort as any other operational or business-related effort. There has to be a cohesive unity inside the company in order to achieve any objectives that have been set. If that’s not the case, the quality of the effort will not be as it should be and objectives will most likely never be achieved. The same is true for a security effort. In order to integrate security and counterintelligence within a corporate environment, everyone should have the same objectives in that regard. By having common objectives in place, you will start to form a cohesive unit that operates as one to achieve the goals and objectives set.

Therefore, the importance of a security culture within a business is that it reduces the probability of unnecessary risks transforming into disastrous loss events as well as making the organization as air tight and resilient as possible against infiltration and manipulation attempts from hostile parties. Prevention will be optimized by increasing the chances of suspicious behavior, dangerous patterns, and accidents being detected at an early stage. See every person associated with a company as a security measure having the ability to improve its security model and efforts.

Apart from the protection of assets, data, and valuable intelligence, security awareness is important for other operational features such as product quality, invention, and distribution. Company inventions and products are often created with the use of advanced and potentially dangerous machinery or other professional equipment. Accidents happen all over the world at businesses from every industry because people are often poorly educated and unaware of the hazards of those machines, systems, and pieces of equipment and the way to use them in a safe and responsible manner.

Through proper safety awareness and instruction, companies and supervisors can dramatically reduce the chances of accidents, disasters, and other loss events, saving the business tons of money. The same example can be applied for something less technical such as a cash register. If you don’t know how the register works, the chances are that you will leave it open or vulnerable to theft. Awareness should be more than just a security measure; it should be a guideline of performance that echoes in everything you do.

Methods to Increase Security Awareness through Every Layer of an Organization

As you can see, security awareness is a vital ingredient for the protection and safety of a corporate environment regardless of its products, services, and operations. Security awareness should stand high on every corporate agenda, and it should be integrated into a company’s operating procedures and pretty much every other activity the company undertakes. Increasing security awareness among employees, managers, supervisors, and pretty much everyone else who is associated with the company in one way or the other is a matter that requires more than mere training sessions, newsletters, or updated policies. It requires the company to reach out to everyone associated with the business and provide them with a feeling of unity and validation.

Most employees are prepared to do a lot for their employers if the circumstances are right. As a manager or a company, it’s an important duty to make employees, clients, contractors, visitors, and other parties associated with your business to feel valued and part of a greater unity. If those ingredients are applied, employees will automatically become more motivated, productive, enthusiastic, and aware of security and safety hazards.

Security awareness can work only if people associated with a business feel a certain amount of loyalty toward it. Make them want to help protect and safeguard the business. Over the course of this chapter, I will discuss multiple strategies for increasing interactivity between management and employees as well as the various ways in which a company can reach out to its employees and make them feel valued and part of a solution rather than a problem.

Like I said earlier, people can be the biggest security hazard as well as the greatest security asset. It’s up to the company itself to determine in which category its employees will belong.

I’ve selected a few methods to increase security awareness through every layer of an organization. As a business leader or manager it is up to you to determine which ones are relevant for your organization.

The following methods will be explained over the course of the next few pages:

1. Double loop communication networks
2. Clear policies and guidelines
3. Training and seminars
4. Newsletters and regular updates
5. Recognizing excellence

These principles are very broadly applicable and are therefore perfect universal methods for corporate environments to integrate in order to increase security awareness and efforts among employees and various other parties associated with the operations of the company.

Double Loop Communication Networks

When it comes to security, safety, counterintelligence, and overall efficiency, communication is often the most important ingredient for success. Proper communication networks allow us to disseminate important intelligence to the relevant parties that need that intelligence in order to conduct their operations efficiently and responsibly.

Communication allows us to move faster, become more productive and efficient, and attain a better understanding of why we’re doing what we’re doing.

Apart from that, communication is also a great way to boost morale and interact with people at every layer of an organization. This interaction gives people the feeling that they’re valued and are an important member of the organization. It also gives them more motivation to work harder and be more focused as they feel that their activities can have a positive impact on the company. This, in turn, will lead to more loyal and motivated employees who will become more efficient and creative because of this clear method of communication. This creativity can, in turn, be used to inspire new policies with ideas from various employees.

The more interactivity and unity within an organization, the more harmonious the organization becomes. The more harmonious the organization is, the more efficient it will be in all its endeavors. Unfortunately, many corporate environments have no proper communication networks, preventing them from optimizing their natural assets such as their employees and causing employee dissatisfaction, which, in turn, leads to reduced morale, motivation, and focus, and sometimes even hostile intentions toward employers.

If this is the case, there is no luxurious security system or software out there that’s going to save you now!

Double Loop communication is a term used to describe a clear and an efficient network of communication that travels through every layer of an organization—from the bottom all the way up to the top and then back again. From a practical point of view, this means that certain intelligence coming from the bottom of an organization, let’s say the cleaning staff, travels all the way up to the upper management, who will carefully examine it and come to a conclusion. Once this is done, the upper management sends it back through all the layers of the organization to the end recipient, which in this case is the cleaning staff. They will either be satisfied with the conclusion or measures that the upper management has selected or they might think improvements to the strategy can be made and send their feedback all the way up again.

This communication loop allows every layer of an organization to interact with other layers and allows for a swift dissemination of problems, hazards, obstacles, and measures to all designated parties. In most corporate environments, each layer is isolated from others and often concerns, problems, and obstacles at the bottom rarely reach the upper management and even if they do, they almost never will be looked at seriously. This is a huge problem because the employees at the bottom experience many issues and obstacles firsthand.

They also often know the cause and answer to those problems. Ignoring such valuable intelligence is like shooting yourself in the foot.

Security awareness can be increased only through proper communication networks that will allow every tier of an organization to disseminate valuable intelligence to another. This can work only if every tier of the organization is taken seriously and is valued. From a counterintelligence perspective, double loop communication is a great addition to a corporate environment as it allows you to gather valuable intelligence from a large variety of sources, this intelligence can, in turn, be optimized as a way to enhance security by making people aware of the dangers and hazards that are relevant for their day-to-day operations.

Clear Policies and Guidelines

Another aspect that is often overlooked is the importance of clear and universal policies and guidelines that every member of an organization needs to abide by. These policies can be focused on security, safety, operating procedures, employee conduct, and professional ethics. Each of these policies can, in turn, optimize the counterintelligence and security effort.

The importance of policies is that they are universally applied across all layers of an organization. This way operational continuity and safety practices will be improved and every member of an organization knows what’s being expected and which values to uphold. The problem with many policies integrated by corporate environments is that they’re often everything but clear and not well known throughout the organization. If policies and guidelines are not disseminated properly to every layer of an organization, there won’t be a lot of people who will abide by them.

Again, communication is key when it comes to making people aware. In my opinion, supervisors need to make sure that the policies and guidelines regarding safety practices, security, employee conduct, and operational procedures are understood by every new member on the work floor. If you allow people to make up their own routine, the harder it will be to change the ways in which they perform. That’s why it is so important to make the understanding and integration of the relevant policies and procedures a fundamental value for every new employee in the work environment.

When it comes to security awareness and counterintelligence practices, policies and guidelines are a fundamental aspect of any security effort in a corporate environment. Policies and guidelines need to consist of a large variety of methods and operating procedures that every member of an organization needs to abide by in order to increase security and safety. These policies and guidelines should be compatible with the threat and risk profile of the company and should therefore be carefully constructed and integrated.

For example, a clean desk policy is one that most modern enterprises and companies employ. This policy means that every piece of sensitive information, or company documents, needs to be stored out of sight and not left unattended on a desk where it would be accessible to third parties—a great policy that functions in full compliance with counterintelligence principles.

Many companies tend to have a just do approach when it comes to creating policies and guidelines and often copy the policies of competitors just to abide by the latest trends and practices. Although considering the latest trends can indeed be valuable for a company, it is the particular situation of your company that will determine how your policies should be built and integrated.

Security awareness and counterintelligence policies should consist of the following basic aspects:

• The responsible use and dissemination of company intelligence
• Employee confidentiality in terms of company practices, and intelligence
• House rules that every visitor, client, and other third party needs to abide by
• Safety procedures and considerations when working with hazardous materials
• Clear methods to disseminate information to designated parties
• A complete overview of proper operating procedures from start up to finish
• A footnote of points of interest that employees need to pay extra attention to, which are backed up by the threat profile of the company.

There are tons of other principles that can be integrated into a policy. However, the most important aspects of a proper policy or guideline are that the policy is compliant with the risk profile of the company, provides the members of the organization with clear procedures on how to conduct their duties in the safest and most responsible way possible, and can be easily disseminated through every layer of the organization.

Training and Seminars

Training and seminars are a great way for a corporate environment to increase security awareness on the work floor, making people aware of certain dangers, hazards, and threats. They also give employees the feeling that management is willing to invest in them and genuinely wants to help them grow and improve in their professional endeavors. Training and seminars are, in my opinion, perfect partners of proper policies and guidelines. Overall, policies and guidelines are relatively global and basic.

Training and seminars can help provide employees with a deeper understanding and the reasons behind those policies and guidelines. Training and seminars are perceived as a waste of time and resources by some organizations; however, they can be a great morale booster for employees as well as a great opportunity for enhancing their security awareness, making them more efficient in their duties, and making the company a much harder target.

Apart from that, we must remember that trends and practices in the security industry change continuously. In my opinion, training sessions and seminars should be held every couple of months in order to keep every member of an organization up-to-date with the latest threats and safety practices and procedures.

Creating proper training sessions and seminars is another aspect that is often overlooked. In my opinion, training sessions and seminars need to consist of various topics and different dynamics in order to keep attendees motivated and focused. A practical component in the training session is not just fun but also a great way to quickly integrate new skill sets and ideas into employees and measure their progress.

I always recommend to clients that they plan a training day for their employees that should be fun and motivating while at the same time providing them with a knowledge and understanding that will help them in their specific duties and help maintain security and safety on the work floor. In my opinion, a training day should be carefully constructed and focus on the specific threats or obstacles the company is faced with. For example, there’s little use in planning a training session that discusses shipping risks when your company is a consulting firm. A consulting firm should for example pay attention to new and sophisticated ways of protecting client records and enhance their knowledge on how new threats and risks in the industry of their clients can affect them. Make the training compliant with the security and counterintelligence threats your company is faced with!

Newsletters and Regular Updates

Newsletters and regular updates in the shape of, for example, corporate e-mails are a great way to keep members of your organization up-to-date with, and aware of, the latest developments, trends, threats, and obstacles. Newsletters can contain important information such as adopted policies, new trends, and certain threats and risks that the company is faced with. Besides this, they can also include positive and inspiring content such as a tribute to a certain employee who has excelled over the last couple of months or who has done something extraordinary in his free time like climbing Mount Everest or providing an entire community center with a more secure network.

Many companies have tried to integrate newsletters or other forms of regular updates but most have failed in this endeavor. One of the best cases I’ve come across was that of the large store chain V&D (Vroom & Dreesman). They issued newsletters to supervisors over all stores and departments. Not a bad effort was it not for the fact that the supervisors where either neglecting to hand them out and if they did didn’t provide the proper feedback. This resulted in employees to not even take a look at the letters and emails they received because they had the feeling it wasn’t of importance to their day-to-day operations. The most common complaints I’ve witnessed were that employees almost never received them, or if they received them, never paid attention to them. Here’s the cause for such a situation: The mail box of an average employee is constantly full, meaning that the employee will select only the e-mails that are the most relevant to his current tasks and duties. Newsletters that are just handed out to employees without any further explanation also don’t work as the employees are continuously busy during the day and will not have time to read them properly. The newsletter just ends up inside a pile of other irrelevant paperwork and will never be touched again.

The solution lies in the actual discussion of the content. I always recommend companies to have weekly meetings through every layer of the organization. During those meetings each division’s supervisor will discuss the contents of the newsletter or corporate e-mails with their employees. This way you make sure that the contents of the newsletter or corporate e-mails are successfully received and discussed with every member of the organization.

Newsletters and regular updates can be disseminated every week, month, or quarter, depending on the scale and activities of the company. A large enterprise should, in my opinion, have weekly newsletters and updates. Even if newsletters and updates are disseminated every month, it is still advantageous to organize weekly meetings as they enhance interactivity and communication on the work floor.

Recognizing Excellence

Recognizing excellence is a great way to inspire and motivate people, which, in turn, will lead to increased security awareness and safety practices. Just like a professional military unit, a business needs to have motivated, creative, and inspirational people in order to optimize its potential. Recognizing excellence, good performances, and even initiatives employees undertake after work hours help employees feel valued and respected by their employers. If people feel respected and valued, they become more motivated, which, in turn, leads to better performances and operational continuity.

It is important for a company to create a certain connection with its employees. Increase the unity and cohesion in the company, and employees will walk that extra mile for you. When it comes to security awareness and compliance with safety practices, motivation is a much underrated component. If a person doesn’t feel valued, he will care much less about the company. This will lower his motivation, productivity, and focus and he will inevitably start making more errors. These errors can result in accidents, loss events, disruption of operational continuity, or a compromise of sensitive data and intelligence.

Like I said earlier, a chain is as strong as its weakest link.

By recognizing and applauding employees, you will increase the chances of keeping them motivated and focused and inspire them to be more creative and deliver even better performances. If everyone is inspired to give their best, you’ll reduce the chances of accidents and loss events and strengthen the chain.

Employee Resilience against External Intelligence Activities

Counterintelligence revolves around the protection of assets and valuable intelligence. For corporate environments, this means much more than merely protecting their operating systems against hacking tools and malicious software. Proper counterintelligence includes every asset, whether tangible or intangible, that can be damaged, corrupted, manipulated, sabotaged, or stolen by hostile third parties. This includes every member of an organization as well. There’s a new trend that’s fast developing in the modus operandi of hackers, criminals, competitors, and terrorists and that is the manipulation, coercion, sabotage, or corruption of employees and their operating systems. Table 5.1 illustrates how employees can be affected by cyber threats.

Table 5.1 Cyberattacks statistics

Cyberthreats statistics	Data
Employees who click on or open unidentified links	78%
Companies victimized by cyberattacks in 2016	32%
IT personnel who circumvented their own policies	45%
Employees who steal company data as a result of a grudge	59%
Estimated global cybercrime costs in 2019	$2 trillion

Source: Tektonika Magazine. https://www.tektonikamag.uk/index.php/2017/06/22/35-cyber-security-statistics-every-cio-know-2017/

A company can have the most expensive and advanced protection software or security systems on the market, but if its employees are vulnerable, so is it. Criminals, hackers, and even terrorists know this all too well and will target either the employees themselves or their operating systems through their personal e-mail accounts, professional online environments, social media, or mobile phones. By targeting employees themselves, hostile parties can manipulate, sabotage, or coerce the employee to provide them, knowingly or unknowingly, with sensitive data and intelligence.

These methods are among the hardest to detect by corporate environments as they often continue after work hours and become a problem in someone’s personal life as well. In most cases, hostile third parties select an employee who they know possesses or has access to valuable data, records, documents, and intelligence. This is not always a high-ranking member of the board. Remember, the objective is to collect valuable intelligence and not make newspaper headlines. Often times, the system administrator has direct access to much more valuable intelligence and data than the CEO does.

Another more common strategy that hostile parties employ is targeting and corrupting operating systems that are under the control of general users, who most of the time are just regular employees on the work floor. The most common ways in which hostile parties attempt this is through social engineering, phishing, and the installation of malicious content or software such as worms, viruses, Trojans, and backdoors. If the employee is not careful enough, the damage can be done by just a couple of clicks on the keyboard. For example, an employee receives an e-mail that appears to have come from the company itself. In the e-mail there is a link to be opened to view the full content. The employee opens the link, and before she knows it, her operating system is overrun by a host of malicious content and a huge amount of data is lost or compromised. I’ve seen the work of top-tier hackers myself, and trust me, you won’t believe what they can do to your operating system and the entire infrastructure of a company network once they’re in.

Another tactic that is a bit older but still being applied to this very day is the so-called over the shoulder strategy. In this strategy, intelligence is collected by spying or peeking into another employee’s information, documents, and even operating systems. A variation of this strategy involves the search of another person’s garbage or waste in order to find a certain amount of information. Often times, these acts are committed by visitors to a company facility, clients, contractors, members of the cleaning staff who are at the facility late at night, and even co-workers.

As you can see, employee resilience against intelligence activities has to be a huge point of interest for every corporate establishment that is serious about the protection and confidentiality of its data and intelligence.

There are various methods that are perfect for corporate establishments to apply in order to make their employees more resilient against hostile intelligence activities. A proper firewall and security software can, of course, be a good addition to the security effort, and I surely recommend such measures to be in place. However, as I’ve just illustrated, it’s not enough to properly safeguard intelligence.

Counterintelligence, and security in general, has to optimize the human element in order to reach its full potential. See the human element as the most fundamental and the security systems as the addition. If more corporate businesses started to perceive security in this manner, their efforts would be much more efficient. When training employees to be more resilient against hostile intelligence activities, awareness is key. Proper security awareness among your employees will go a long way against these threats. Apart from that there are various methods that you can integrate as an addition to help your work environment be more secured against these threats.

One of the most drastic is a policy that forbids employees from using their own personal operating systems while on company territory. This means not being allowed to use a personal phone, laptop, tablet, or computer. Some variations of this policy also forbid the physical presence of such personal operating systems on company territory.

In such cases the company most likely offers its own operating systems to the employees so that they can still make use of the relevant functions but under better safety conditions and protection. Perhaps one of the more well-known policies is the clean desk policy, described earlier. It works especially well against the over the shoulder strategy. A more drastic policy that I’ve often advised to my clients is the integration of so-called closing checks. These checks are performed by security when employees leave the company facility and include the search of their clothing, bags, and other belongings to make sure they don’t take company materials, documents, or data outside the company facility.

Apart from these policies, training days, seminars, newsletters, meetings, and updates can be integrated to make employees more aware of the intelligence activities that might be geared against them and teach them valuable skills in order to prevent, deter, and detect them.

A corporate establishment can also integrate a certain network of communication such as a helpline that employees can turn to if they themselves or their operating systems have been targeted by hostile parties. This method will help in detecting the intelligence activity early on and provide the company with more time and space to properly react before a dramatic loss event can occur.

It also provides the employees with someone or something to turn to if they’re feeling anxious or desperate because they’ve been targeted. Sometimes, employees sound the alarm too late because they feel overwhelmed by the experience or because they don’t know where to turn to. Increasing the knowledge regarding operating systems and their vulnerabilities can be of value in this regard. After all, employees with a better understanding of the various functions of an operating system will be more aware of the dangers that go along with them and will probably take the necessary precautions. These are just some methods corporate companies can integrate in order to deal with the growing intelligence threat posed by hostile parties. In the future, these threats will only become more sophisticated and diverse, which makes the continuous adaptation and improvement of policies, operating procedures, and communication networks all the more important for the corporate environments of today and tomorrow.

Conclusion

By now you know that security awareness is a fundamental component of a proper counterintelligence and security model. People can be the greatest threat to a business as well as its most valuable asset. By making employees more aware of proper policies, safety practices, and operating procedures, you dramatically reduce the chances of accidents, loss events, and the disruption of operational continuity. Invest in your employees through training days, seminars, and meetings to enable them to remain up-to-date with the latest trends, practices, and threats.

Communication is vital and should first be optimized before any other measures are taken. Make sure communication networks run through every layer of the organization and back again and are able to disseminate valuable intelligence as fast as possible.

Employee resilience against hostile intelligence activities is one of the most neglected and overlooked components of modern security models.

Help your company and its employees to be more resilient against intelligence activities by integrating the right policies and turning employees into much harder targets. Remember, a chain is only as strong as its weakest link. Pay attention to employees and members of your organization by recognizing their efforts and accomplishments and by providing them with inspiration and motivation so that they will be more inclined to give their best to help safeguard their work environment. Products and services can provide a business with wealth, but people give the business its identity.