Educating employees key to cyber security says Rackspace CSO

Once employees truly realise that information security professionals are there to make their jobs simpler, they find it easier to use software in a way that keeps the company secure, according to Brian Kelly, chief security officer at Rackspace.

Speaking at the Ham Yard Hotel, Kelly said that when employees start using systems which are not part of the company, “rather than shut it down, we will work with them to make sure they understand the risks associated with them.”

Employees at Rackspace also use outside systems such as GitHub and Slack. Kelly says: “We will put some compensating controls around them to take care of those near term risks and in the case of Slack we are working directly with the company to make sure they are actually encrypting the data which is at risk.

“We are going to tell you what the risks are and we are going to put some controls in place to prevent these from happening. We are going to find a solution so you can continue to use Slack, but in a way that we think is kind of safe. We go out of our way not to shut down certain things.”

According to Kelly, it is important to find a balance between trusting your employees and putting security controls in place.

He says: “We got an obligation to trust, but verify. We do what many other companies do. We do watch for certain things in outbound mail for instance. We have filters that check mail going out to see if there is anything unusual, maybe a large payload for example, that might indicate that someone is sending large amounts of data out that maybe they should not.

“The best way to do that is to focus on the metadata. There are data elements that a security professional can look at that would indicate anomalous activity without the need to go down into the actual contents.”

However, it is not possible for Rackspace to look into the content of an email unless they think an employee is doing something illegal. Kelly explains that if they find employee behaviour that is anomalous, they would have to engage their legal team first.

He said: “If we have reason to believe there is a potential issue with a communication and we want to look at the content of the message, we will have an independent legal view that will look at the facts. It is a touchy issue, nobody likes to think that their messages are being looked at.

“It is an uncomfortable topic to monitor your employees, but I think you are negligent if you don’t.”