It is important to establish a foundation of security awareness and education among employees, writes Mike Duncan
The behavior of staff is the greatest security threat that an organization can face. This nugget comes from Cisco’s Annual Security Report, in which 52% of IT professionals, when asked to highlight the most prominent security threat, pointed their fingers squarely at employees.
An organization can have assiduous controls in place such as a patch update program, the most robust firewalls available and active network monitoring, but it can all come to naught if an employee receives a legitimate-looking email with a malicious attachment and clicks on it.
Embarrassing and Damaging
One startling example is the damage done to RSA, ironically a world-leading security vendor. A carefully crafted email purporting to be from an internal source contained a malware-ridden spreadsheet. The malware ensconced itself in the network and ended up providing hackers with the keys to an RSA treasure chest. The end result was a loss of business and trust – both potentially fatal for many organizations.
This was a well-crafted and specifically targeted attack aimed at a small number of employees. But it illustrates perfectly the potential damage arising from phishing emails.
Potentially Devastating
In an organization with hundreds of employees, there will always be one or two motivated by malicious intent. Perhaps they have a grudge against management and as a result seek to do harm. It’s real and it happens.
Attacks motivated by grudges can have devastating consequences. The recent Sony hack, in which deeply damaging private emails were spilled into the public domain, could have come from an internal source. The clues, such as Sony information posted on Pastebin, a favored site for hacktivists and hackers of all shades, certainly add evidence to this theory.
However, it’s far more common to see businesses exposed as a result of human error, such as systems that are not configured correctly or poor patch management. Lost laptops and mobile devices are also a source of great concern. How many times do we hear of deeply sensitive information being found on a laptop that was left on a bus or a train?
Weekly Sales Figures – For All to See
Then there is the issue of an employee unwittingly sending sensitive information to the wrong email address. Weekly sales figures for a well-known shoe store, commercially sensitive insider information on Manhattan properties and CVs from the London-based human resources department of a well-known international bank: these are some of the things that have inadvertently been sent to the wrong people recently.
Passwords are another area of vulnerability. It’s frightening how many people use easy-to-guess passwords. Also concerning is the rise of ‘shadow IT’: staff use of services and applications outside of the IT department’s control.
Informing and Educating
It is important to establish a foundation of security awareness and education among employees. Education is the crucial aspect here. CIOs should look to communicate a clear and easy-to-digest security policy which covers all aspects of security, from setting strong passwords to understanding BYOD policies.
Some employees may not know how to protect themselves online, which can put the business at risk. It’s therefore very important to help employees learn how to manage passwords, how to avoid being hacked, and how to recognize criminal activity such as phishing and keylogger scams. In short, a series of recommendations and guidelines should be set out for employees to follow, with unrestricted access to the IT department for questions and support.
This is particularly important when we consider the rise of ‘shadow IT’, which is often merely a reflection of the IT department’s own shortcomings. Employees wouldn’t be using external cloud services like Dropbox if IT met their needs in the first place.
In a world where high-profile data breaches happen far too frequently, and employees often unwittingly (or sometimes deliberately) expose sensitive data, these measures must be put in place. After all, security is not just an IT issue, it’s a business issue and exposure of sensitive data can be deeply damaging. The forward-thinking CIO should therefore start considering every single employee as an extension of the IT security team.
About the Author
As Peer 1 Hosting’s manager of information security, Mike Duncan is responsible for overseeing Peer 1’s entire internal security operation. Looking after the website security of some of the biggest names in retail, Mike has an informed perspective on the biggest threats to an organization in today’s security landscape, and the best ways of addressing them.