Who Is Ultimately Responsible for Your Organization’s Security?

Author: Abdul Aziz Khan
Date Published: 16 February 2022

As a telecom engineer by profession, I spend most of my time in technical areas where most people are of the opinion that network security is the responsibility of the security team (the Security Operations Center) and the security auditors only. A network engineer is more focused on keeping access to devices simple and generic, so that logging into devices is easy and his or her job responsibilities are not hampered by security-related issues.

Shouldn’t we be active in our domain only?
Like many people, I used to think that audit was the sole responsibility of an auditor, because that is their job description and what they are paid for, and that the same applied to security professionals. It seems quite logical. However, as time passed and I gained experience in different organizations and went through many ups and downs, one thing became crystal clear to me: no one can be made fully responsible for anything, because once an incident occurs, everyone is affected.

Proactiveness can help everyone
Assume that your company became the target of a ransomware attack and you are affected. Saying that this was not your fault or responsibility will not help anyone: you cannot contact the ransomware perpetrators and tell them that you are a very responsible person and your system should be unlocked because it was not your fault. However, if you had been proactive and helped your audit and security teams at an earlier stage, your company might have avoided the incident altogether.

Why we should poke our nose in another person’s domain
Avoiding what we consider overreach is a natural inclination: maybe I am poking my nose into someone else’s domain by sending them something of no real value. This thought crosses most of our minds, and instead of sharing information with the right person, we tend to just let it go. For example, if someone detects an email that seems to be a phishing scam, instead of notifying the security team, the employee might just delete it on the spot, assuming that the security team either knows about it already or must be busy with something more important. But this small negligence may lead to a major problem later if the same attack proves successful elsewhere in the company.

If you look at ransomware statistics on Google or other online resources, you will be astonished to see that the highest ransom paid is around 10 million euros, quite a large amount of money (see the list below of top ransomware cases from 2017):

Figure 1

Below is a table showing the active vulnerabilities as of April 2021. CVEs (Common Vulnerabilities and Exposures) are recorded and updated on the CVE Details website, where they can be consulted and investigated.

Figure 2
Source: http://www.cvedetails.com/

The table should give you an idea that currently more than 16,000 vulnerabilities with the highest severity score are active on a given day, while the gross total of active vulnerabilities exceeds 100,000. Now you should start to feel the responsibility that must be shown by everyone, and to understand how a team of individuals (even if you have a big security team) can protect your organization.

Why you must act
Going through these tables should convince you that it is better to be safe than sorry. The security team in your organization has the job of dealing with the concerns raised by people like you; you are not adding to their tasks but helping them by providing any first-hand information you might have.

If you were still assuming that security is not your responsibility because you are not part of your organization’s security team, this blog post is intended to make you think about how to respond to incidents and possible vulnerabilities around you.

Your security department may have a bigger team than yours, but its task is challenging: it attempts to safeguard the devices in use by everyone across the organization, especially in this era of remote work. Vulnerabilities also depend on many variables, such as the device, OS version, browser version, installed plug-ins and antivirus software, so there are many ways for a vulnerability to strike.

The responsibility should be shared by everyone because if an incident occurs, it will not differentiate between who was and who was not responsible.

Abdul Aziz Khan is a freelance blogger and consultant, a veteran Telecom Professional and a volunteer of ISACA.

In addition to having more than two decades of diverse telecom experience in network planning, project management, operations and optimization, he has been instrumental in network audits and customer experience management as well. He can be contacted via khan.abdulaziz@gmail.com