The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager Natalia Godyla talks with Leigh Honeywell, CEO and Co-founder of Tall Poppy, which builds tools and services to help companies protect their employees from online harassment and abuse. In this blog, Leigh talks about company strategies for combating online harassment.
Leigh: Online harassment breaks down into two types. The first is harassment related to your job. One example of this would be that an ex-employee has a conflict with the company and is harassing former colleagues. In other cases, it has to do with a policy decision or a moderation decision that the company made, resulting in people at the organization experiencing harassment.
The other type of harassment has nothing to do with somebody’s day job. For instance, an employee had a bad breakup and their ex is bothering them at work. It’s not strictly related to the employee’s day-to-day work, but it’s going to impact their ability to be present at work and participate in work life. Many folks who are dealing with harassment–whether related to work or not–experience lost productivity, attrition, and burnout.
Natalia: How widespread of a problem is online harassment?
Leigh: Online harassment is a significant phenomenon. In 2020, 41 percent of Americans experienced it and 28 percent experienced the most severe kinds, like threats of violence, stalking, sexual harassment, and persistent harassment, according to the Pew Online Harassment Update [1]. That’s a huge number of people experiencing these issues. It has made us prioritize motivating people to improve their security hygiene around personal accounts.
Your employees’ personal accounts are part of the attack surface of the company. Social engineering attacks are when cybercriminals use psychological manipulation on their targets. If someone is being extorted based on their personal life, it has the potential to impact the company. In a classic CEO scam, a person breaks into an executive’s personal email account, emails someone in accounting posing as the executive, and asks them to send a wire transfer to a bank account controlled by the scammer.
Natalia: What are recent trends in online harassment?
Leigh: According to the most recent Pew study, online harassment went up. Project Include just published a study [2] on the internal company harassment landscape during COVID-19, and there has been a sharp uptick in workplace harassment.
Even though the numbers are stable in terms of how many people are experiencing online harassment, before COVID-19, if you were dealing with harassment from outside the company in the course of your work, you still got to go home and have that mental separation. When people work remotely, it’s a different experience, and it feels a lot more personal and vulnerable for those who are dealing with this kind of harassment.
Natalia: What should organizations understand about online harassment?
Leigh: It’s clear under US and Canadian law that organizations have a duty to ensure that employees don’t harass each other within the organization. When harassment in the workplace comes from outside the company, such as internet harassment, there isn’t a ton of clarity. I think it’s important to make sure that employees have clear policies and internal recourse.
In a typical harassment scenario, an employee says something controversial on Twitter, and people try to get them fired from their company. Sometimes, the things that people say that get them burned are racist or homophobic or biased in some manner. When people talk about cancel culture, they are typically talking about outcomes. You say something, and you get held to that word.
However, it’s hard to arbitrate. Is the controversial statement fireable, or is it controversial because they are members of an underrepresented group and are being targeted for standing up for themselves? That’s one of the lenses I use to unpack these situations.
Natalia: How can online harassment lead to hacking?
Leigh: After abuse on social channels and unwanted emails, online harassment sometimes gets more aggressive. You see password reset attempts that you have not requested. The next level is credential stuffing, where an attacker obtains a person’s email and password combo from old breaches and tries the credentials on different accounts. Another potential escalation is SIM swapping, which involves the attacker impersonating the victim to a phone company and porting their phone number away to a new SIM card. This attack usually targets folks who are high profile and is less common in stalking situations.
Natalia: What does the incident response process look like when an employee is under attack?
Leigh: When dealing with an urgent incident in a workplace, such as somebody hacking into a printer at a branch office, there are known playbooks for responding to different attacks. Likewise, we have different playbooks based on the type of harassment situation an employee is dealing with, for example, harassment by an ex-employee or an employee being targeted due to a company policy decision.
We also pay a lot of attention to the adversaries. We’ll typically make sure the person has safe devices and ensure the adversary does not have access to their personal accounts. We’ll walk them through changing relevant passwords and checking approved applications. From there, it’s about making sure that the person is OK, and that includes making sure they are aware of internal resources like an employee assistance program for counseling services.
Natalia: What are the best practices a company can institute to mitigate online harassment or assist those impacted by it?
Leigh: First, have clear internal policies and escalation steps around acceptable social media use. There are some industries where it’s understandable that you don’t want employees having a social media presence, but those are rare these days. In general, it’s not realistic to tell employees not to exist online in public, so what’s important is to make boundaries, expectations, and guardrails clear via a written social media policy. Employees want to have long-lived jobs and build their personal brands–trying to shut that down wholesale will end up with unfair enforcement and isn’t realistic.
The second best practice is to make sure people have tools and resources available to secure their personal lives, whether it’s a hardware security key such as a Yubikey or a quality password manager. All those day-to-day tools are as important in the workplace as they are in people’s personal lives. Online harassment training teaches employees how to keep attackers out of their personal accounts such as email, bank account, and social media. It can be overwhelming trying to understand all the information available about staying safe online. And there’s an argument to be made that you shouldn’t have to become an expert on personal cybersecurity to be able to live your life with an internet presence in the modern world.
The third one would be to ensure there are available resources within the organization that are clear and accessible, so it’s understood where the escalation paths are–whether it’s providing training to management and having management communicate to frontline staff or using internal communications tools to inform employees of resources.
Helping employees improve their personal cybersecurity can help them feel confident that their personal digital infrastructure is secure and helps ensure that online harassment isn’t going to escalate to an incident like an account takeover.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
[2] Remote work since COVID-19 is exacerbating harm: What companies need to know and do, Yang Hong, McKensie Mack, Ellen Pao, Caroline Sinders, Project Include, March 2021.
The post Cybersecurity’s next fight: How to protect employees from online harassment appeared first on Microsoft Security Blog.