“You don’t have to worry just about technology.… You have to worry about your people, because people will break things, and people can fix them.”
—Information Security Is All About Operational Risk, by Michael Hill
Your business has become more and more dependent on automation, and you store much of your proprietary and business data in its native and vulnerable state. Yes, your IT folks stand guard at your firewall; you have all the latest and greatest virus and malware detection, but what about the threat of social engineering breaches?
Social engineering is the hacker’s easy way around IT security safeguards, and it piggybacks on people. It’s like a bank that has a 2-ton door, which couldn’t be forcibly accessed with a 16-inch artillery shell, but a bank employee can open it with a simple numerical combination. Say the employee jots the combination down in an address book and loses it. The combination becomes mightier than the howitzer shell.
Ransomware attacks are increasing
Hackers also rely on social engineering through stealth and subterfuge. Take the recent rash of ransomware attacks. An unwary employee opens an attachment on an authentic-looking e-mail or clicks on a link while surfing during work hours. Suddenly a bogus FBI warning appears to the effect that you have just illegally downloaded secure data. Your system has been locked, and you must pay a “fine” to re-access all your data.
As the employee’s blood drains from his frontal lobe, the malware spreads throughout the system. There is absolutely no way to retrieve the data, because it has been tightly encrypted. In fact, on the advice of the FBI, one hospital on the West Coast paid hackers $17,000 to regain access to all its patient and medical data.
So here’s the thing: Had the aforementioned hospital focused on training its employees not to open strange email … well, you know. Accordingly, when it comes to information security, it’s more about securing your people; they are your gatekeepers.
The 85 percent factor
And here’s the really scary part: According to Forrester Research, “the majority of security breaches involve internal employees, with some estimates as high as 85 percent.” You’re spending time and money on protecting your infrastructure, but you could be getting only a 15 percent return in terms of safety.
Here are five main sources of information security breaches, which are at the root of that astounding statistic:
1. Phishing and e-mail fraud, which target a specific organization in order to gain unauthorized access to confidential data. These attacks are becoming increasingly sophisticated and can dupe unwitting employees into giving up passwords and confidential data.
2. Mobile computing, including laptops, pervasive smartphones and other portable devices, which can allow users to bypass perimeter defenses such as firewalls.
3. Disgruntled ex-employees or unintentional access to areas where the average employee should not tread. Never underestimate the anger of a downsized or tech-savvy employee. Also, do you really want every employee to see your HR and payroll data?
4. Overworked IT managers and administrators who fail to ensure that they have the latest software patches and updates to plug ever-emerging security holes.
5. Lack of strict usage policies to prohibit employees from sending sensitive information by insecure email. If you haven’t written them out, your people are vulnerable.
Yes, you have to stay on top of the external threat vectors, but always remember the analogy of the 2-ton bank vault and the stolen safe combination. Pay attention to your people and think about the startling 85 percent of data breaches people — not servers — account for.
Where to go for help
Looking for some good advice and guidance on writing an information security plan? Homeland Security has published a Small Biz Cyber Planner, which should be required reading for all managers.