Security is a fast-paced industry. You only need to use the Internet for a short time to understand how and why the activities of digital criminals pose a real and significant threat to consumers and enterprises alike. The threat is real, persistent and constantly evolving.
How can a company best protect itself? Most organisations will have invested heavily in a broad array of security technologies. However, when a security breach happens it is most often down to basic human error. That is why attackers spend their time devising new ways to trick employees into giving away even the tiniest nugget of information that could get them access to the organisation’s infrastructure (it’s called phishing for a reason).
What might appear at face value to be a fairly insignificant piece of information could, to an attacker, be the keys to the network. The findings from the many firms that now run social engineering tests to see what data employees will give away are proof that employees don’t understand the contribution they make to “protecting the realm”.
Reports of hacks are becoming so commonplace that in many ways it is hard to know whether their impact and probable causes, for example poor password management, are really resonating with employees. Despite many people receiving notifications from the likes of Tesco, eBay, Kickstarter et al urging them to strengthen their passwords in the face of recent attacks, walk around a typical enterprise and you will still find people with a yellow Post-it note stuck somewhere on their desk carrying their log-on details for what should be a secure network.
It’s not hard to see in scenarios such as these why people are considered to be the weakest link. Yet if this is the case, why is so little time spent proactively training them in IT security? More often than not it is done once and, box ticked, forgotten about, but such an approach does little to guarantee a company’s security given how rapidly attackers evolve their methods. To ensure that employee knowledge is current and relevant, training should take place at least twice a year. Whilst that is obviously a big outlay in terms of time, resource and money, when we’re staring at a global economic bill that amounts to hundreds of billions, surely it is an investment worth making?
Bringing home the real risk and its implications is key to a successful IT security training programme. You don’t want to scare people witless, but there is a real need to give them a reality check, especially as mobility increasingly changes the face of the enterprise and fewer devices are tied directly to the network. This network without boundaries makes security training vital regardless of whether you are the CEO or “on the shop floor”.
Attackers don’t discriminate, so neither should you. That doesn’t mean training should be delivered en masse: it also needs to be relevant to the audience, otherwise people will tune out. It is simply human nature. Just as important as relevance is timing, so that the training is appropriate to the threats people face at that moment.
All too often training is a reactive process that happens once an incident has already occurred, which is too late. Enterprises need to take the time to understand the threats to their marketplace, where their vulnerabilities lie (e.g. is the company more likely to lose data via a lost device or via a compromise of an online database?) and how employees could potentially compromise security in different situations. In short, IT security training needs to be built from the ground up around your business and your business model. Generic “don’t do this and don’t do that” guidance that doesn’t take into account both the external and internal factors affecting your company won’t yield results or create a more secure environment.
Look inside and out
External attacks dominate the news and they can also influence an organisation’s view of where investment in security needs to be made. However, an often overlooked blind spot is how security can be compromised through good intentions. I used to work in a call centre environment and a lot of people phoned up because they couldn’t remember their password. All it took was for staff to be spun a story and feel sympathetic, and they would give the caller a clue. One small clue is often all an attacker needs; once they have a foothold on the network they can start harvesting the credentials that take them further up the chain of command and hit the jackpot.
The psychology behind how attackers target people and entice details out of them is absolutely fascinating. It would be easy to think that you might only be targeted whilst at work, but this isn’t the case. Facebook, Twitter and other sites are all considered fair game and are likely to be more fruitful because people are more relaxed there. What seems perfectly innocent might in fact be more sinister. But if you don’t know the scams that attackers use, you won’t know how to validate and authenticate the communication.
It can feel like attackers are constantly one step ahead, always devising new ways to break down an enterprise’s protective barrier. Technology alone can’t keep the bad guys out. Effective security takes into account people, process and technology. Make sure you invest in the first two as well as the third.