“You don’t have to worry just about technology… You have to worry about your people, because people will break things, and people can fix them.”
—Information Security Is All About Operational Risk, by Michael Hill
Your business has become more and more dependent on automation, and much of your proprietary and business data is stored in its native, unprotected and therefore vulnerable state. Yes, your IT staff stand guard at the firewall, and you have the latest and greatest antivirus and malware detection, but what about the threat of social engineering breaches?
Social engineering is the hacker's easy way around IT security safeguards, because it piggybacks on people. It is like a bank vault with a 2-ton door that a 16-inch artillery shell could not force open, yet a bank employee can open it with a simple numerical combination. Say the employee jots the combination down in an address book and loses it: the combination becomes mightier than the howitzer shell.
Hackers are tricky and rely on trust
Hackers also rely on social engineering through stealth and subterfuge. They exploit people's natural inclination to trust rather than relying on high-tech hacks to gain unauthorized access, and they manipulate people with techniques such as impersonation.
One popular annual conference among global hackers is DefCon. Neeraj Sahni, in one online piece, describes a simulated attack on Fortune 500 companies carried out in real time. Calling from soundproof booths, the demo team posed as internal auditors. They built trust with the employees on the phone and got them to answer questions about the network and other details, including computer type, operating system, antivirus and browser software, and the type of remote access the company uses.
The 85 percent factor
And here is the really scary part: according to Forrester Research, "the majority of security breaches involve internal employees, with some estimates as high as 85 percent." If you spend your time and money on protecting the infrastructure alone, you may be addressing only the remaining 15 percent of the risk.
Here are five main sources of information security breaches, which are at the root of that astounding statistic:
1. Phishing and e-mail fraud that targets a specific organization (spear phishing) in order to gain unauthorized access to confidential data. These attacks are becoming increasingly sophisticated and can dupe unwitting employees into giving up passwords and confidential data.
2. Mobile computing, including laptops, the pervasive smartphones and other portable devices, which carry data and connections past perimeter defenses such as firewalls.
3. Disgruntled former employees, or current employees with unintended access to areas where the average employee should not tread. Never underestimate the anger of a downsized or tech-savvy employee. And do you really want every employee to be able to see your HR and payroll data?
4. Overworked IT managers and administrators who fail to apply the latest software patches and updates that plug ever-emerging security holes.
5. Lack of strict usage policies prohibiting employees from sending sensitive information by insecure e-mail. If you haven't written them down, your people are vulnerable.
Yes, you have to stay on top of the external threat vectors, but always remember the analogy of the 2-ton bank vault and the lost safe combination. Pay attention to your people, and think about the startling 85 percent of data breaches that people, not servers, account for. You need a written cybersecurity plan in plain English, in language that everyone can understand. If you write it down and explain it, your people can actually comply with it.
Where to go for help
Looking for some good advice and guidance on writing an information security plan? The FCC, together with the Department of Homeland Security and other partners, has published a Small Biz Cyber Planner, which should be required reading for all managers.