This article was written by Bill Walker, Technical Director at QA.
Nothing is infallible – but when it comes to cyber security, it is fast becoming people, not computers, that are the weakest link. There are plenty of horror stories circulating the internet about identity thefts, nations waging cyber warfare against each other, malicious coercion at the hands of fake authority figures and even Nigerian funds waiting to be transferred to the lucky recipient’s bank account.
All of these have a common theme; it’s not the technology that lets us down, it’s ourselves.
A recent survey carried out by YouGov for QA, reveals that over a quarter of those surveyed admitted to transferring work files to and from home – even though it is against many HR policies. And what’s more, half of those said they have had a virus at some point on their machines. It is clear that the blur between an employee’s work and home life may be starting to affect the security of important corporate data.
Cyber criminals are also getting more creative with their tactics through ‘social engineering’, and it is fast becoming the role of the HR department to help manage this threat with policies and induction programmes that focus on keeping an organisation secure.
Social engineering targets the company through the individual
‘Social engineering’ – the term for attacks in which a scammer uses specific personal information about a target to extract more sensitive or confidential material – is ever more prevalent. Some attacks are so well executed that even tech-savvy and senior people can be duped into giving away vital details. I know of a CEO of a large business who liked expensive cars and made no secret of it. When a glossy brochure, addressed to his home, came through the letterbox with pictures of new Jaguars in it, he did not hesitate to pick it up. Flicking through, he found inside an innocuous-looking CD with concept cars pictured on the front, and his interest was piqued. He put it into his computer without a second thought, unaware that the CD was the attacker's way in and that, because he used the same password at home as he did at work, an enormous amount of damage could be done. And it was.
Security is a major problem for businesses and governments alike. Today, serious and organised cyber crime is a far cry from a lone hacker sending out anonymous malware from their bedroom. Nortel, the much-maligned multinational communications firm, inadvertently leaked information for around ten years before the extent of the breach was understood. According to reports, documents including emails, technical papers, research and development reports and business plans were all taken by intruders operating from foreign IP addresses, and the malware was left on infected machines even after the company had been broken up and sold, meaning the threat was passed on to the buyers.
But the world has moved on. Today the cost is enormous and growing. Cyber crime costs UK businesses an estimated £21bn a year.
Is your organisation safe?
Most companies do have an IT security policy and are concerned enough to implement it. However, how closely is that policy aligned with the human resources department? Eighty-six percent of people who said that their organisation did have a policy felt that they worked in a secure way. Yet the survey revealed that, despite the policy, people were almost as likely to share passwords with other people as those who had no security policy at all; in many cases they simply trusted their employer to hold a copy of the password.
As for those in organisations with no security policy, one in ten said that they had no password on any device at all. It seems simple, but what is the point of a password that mixes upper case, lower case, numbers and symbols when you have instructed Internet Explorer to remember it for you?
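The ‘strong password’ point above, as an added Python example that is not from the original article or from QA: a policy check that goes beyond character classes by rejecting passwords from a common-password list and, using salted PBKDF2 hashes of a user's previous passwords, refusing reuse of a recent password. The common-password list, iteration count and the two-entry history are constructed for illustration.

```python
import hashlib
import hmac
import os
import string
from typing import List, Optional, Tuple

# Constructed stand-in for a breached/common-password list (assumption: a real
# deployment would load a far larger list from a breach corpus).
COMMON_PASSWORDS = {"password", "password1", "letmein", "qwerty123", "welcome2024!"}

PBKDF2_ITERATIONS = 100_000  # kept modest for the demo; tune upwards in production
HISTORY_DEPTH = 5            # how many previous passwords a user may not reuse

Entry = Tuple[bytes, bytes]  # (salt, digest) as stored in the password-history table


def hash_password(password: str, salt: Optional[bytes] = None) -> Entry:
    """Salted PBKDF2-HMAC-SHA256 of the password; returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches_previous(password: str, history: List[Entry]) -> bool:
    """True if the candidate equals any stored entry (each re-hashed with its own salt)."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(password: str, history: List[Entry], min_length: int = 12) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems: List[str] = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    if sum(classes) < 3:
        problems.append("uses fewer than three of: lower case, upper case, digits, symbols")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if matches_previous(password, history[-HISTORY_DEPTH:]):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


def demo() -> dict:
    """Run the checks against a constructed two-entry password history."""
    history = [hash_password(p) for p in ("Spring-2023-Jaguar", "Summer-2023-Jaguar")]
    return {
        "short": check_password("Jag!1", history),
        "common": check_password("Welcome2024!", history),
        "reused": check_password("Summer-2023-Jaguar", history),
        "fresh": check_password("Correct-Horse-Battery-42", history),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name:7s} -> {'OK' if not problems else '; '.join(problems)}")
```

Note that "Welcome2024!" satisfies every character-class rule and still fails: a list lookup catches what a complexity rule cannot. The history check stores only salted hashes, so enforcing it never requires keeping old passwords in the clear.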
The combined role of the IT and HR departments
All IT security policies should make sure that only the right people have the right level of access. In a complex system, files should be seen or edited only by those who have the authority to do so. The risk of giving everyone blanket access is too high: one in 20 office workers have taken company information or data with them when leaving an organisation to join a new one. Minimising this risk should be high on the IT team's agenda, and it is the role of the HR department to ensure that there are procedures in place to educate staff about the risks and the measures needed to keep the organisation safe.
First steps to ensuring that HR is aligned with IT:
1. Review and update existing policies and guidelines – Establish basic security policies, agreed with IT, that all staff sign up to. For instance, make a strong password essential and set Internet use guidelines for all staff.
2. Develop a BYOD policy – Staff are bringing their own devices into work and connecting them to the network, and connecting to the network from home devices. Does your organisation have a Bring Your Own Device (BYOD) policy? If so, how does it address security, and is it enough?
3. Training – Train employees on the risks and on security principles. If they do not understand how criminals work and how they can be targeted, they cannot be on the lookout for them.
4. Employee access – Do not allow any one employee access to all data systems, and ensure that installing unauthorised software on a company network or device is treated as a disciplinary issue.
5. Penalties – Ensure that the penalties for breaching policies and guidelines are clear and are enforced.
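The access-control points made above (files seen or edited only by those with the authority to do so, no one employee with access to every system, and leavers who walk off with data), as an added Python example that is not from the original article or from QA: a role-based, deny-by-default authoriser that records refused requests, revokes everything when someone leaves, and flags any user whose accumulated roles reach every resource. The roles, users and resource names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Permission = Tuple[str, str]  # (resource, action); anything not listed is denied

# Constructed example roles (assumption: a real deployment would load these from
# the directory or IAM system rather than hard-coding them).
ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "staff": {("handbook", "read")},
    "hr": {("personnel-files", "read"), ("personnel-files", "edit")},
    "finance": {("ledger", "read"), ("ledger", "edit")},
    "it-admin": {("mail-server", "configure"), ("audit-log", "read")},
}

ALL_RESOURCES = {resource for perms in ROLE_PERMISSIONS.values() for resource, _ in perms}


@dataclass
class Decision:
    allowed: bool
    reason: str


class Authorizer:
    """Role-based, deny-by-default authorisation with a record of refused requests."""

    def __init__(self, role_permissions: Dict[str, Set[Permission]]) -> None:
        self.role_permissions = role_permissions
        self.user_roles: Dict[str, Set[str]] = {}
        self.denied: List[Tuple[str, str, str]] = []  # (user, resource, action)

    def assign(self, user: str, *roles: str) -> None:
        unknown = set(roles) - set(self.role_permissions)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        self.user_roles.setdefault(user, set()).update(roles)

    def offboard(self, user: str) -> None:
        """Leaver process: drop every role so that all further requests are refused."""
        self.user_roles.pop(user, None)

    def effective(self, user: str) -> Set[Permission]:
        perms: Set[Permission] = set()
        for role in self.user_roles.get(user, set()):
            perms |= self.role_permissions[role]
        return perms

    def check(self, user: str, resource: str, action: str) -> Decision:
        """Allow only an explicit (resource, action) grant; log everything else as denied."""
        if (resource, action) in self.effective(user):
            return Decision(True, f"granted via roles {sorted(self.user_roles[user])}")
        self.denied.append((user, resource, action))
        return Decision(False, "no assigned role grants this action")

    def over_privileged(self, resources: Set[str]) -> List[str]:
        """Users whose roles reach every listed resource, which no single employee should."""
        return sorted(
            user for user in self.user_roles
            if resources <= {resource for resource, _ in self.effective(user)}
        )


def build_demo() -> Authorizer:
    """Constructed staff list used to exercise the policy."""
    az = Authorizer(ROLE_PERMISSIONS)
    az.assign("alice", "hr", "staff")
    az.assign("bob", "finance", "staff")
    az.assign("carol", "it-admin")
    az.assign("dave", "hr", "finance", "it-admin", "staff")  # roles accumulated over the years
    return az


if __name__ == "__main__":
    az = build_demo()
    for user, resource, action in [("alice", "personnel-files", "edit"),
                                   ("alice", "ledger", "read"),
                                   ("carol", "personnel-files", "read")]:
        d = az.check(user, resource, action)
        print(f"{user} {action} {resource}: {'ALLOW' if d.allowed else 'DENY'} ({d.reason})")
    print("holds access to every resource:", az.over_privileged(ALL_RESOURCES))
    az.offboard("bob")
    print("bob after leaving:", az.check("bob", "ledger", "read").allowed)
    print("denied requests:", az.denied)
```

The `it-admin` role deliberately carries no business-data permissions: administering the mail server is not the same as being allowed to read the ledger. The `denied` list is what a monitoring team would review, and `over_privileged` is the periodic check that turns item 4 above from a policy statement into something that can be audited.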
The UK government recommends 10 steps to cyber-security, backed by the Centre for the Protection of National Infrastructure (CPNI), the Cabinet Office and GCHQ. The advice is based around organisations implementing an information risk management regime, with other policies relating to security, protection, monitoring and education.
Either way, the message is clear. A fully rounded approach must be taken to prevent damage being done. The people within a business are the weak point, and they need to take responsibility for the security of the technology rather than leaving it to IT to do it for them.
2 Responses
Of course, I can’t comment on your personal experience,
… although I do agree with you about not seeing many malicious employees. In our experience, 99% of staff have no malicious intent. It is the cyber criminal taking advantage of innocent intentions and tricking them into clicking on a malicious link or inadvertently giving away private corporate information. When a socially engineered attack takes place, even the most tech-savvy can be completely oblivious to the fact that they have been tricked. The attackers are just very good at what they do.
In a dreamworld, sorry
… but this is where IT insulates themselves from the business. Recent experience of a locked-down environment (e.g. no downloads from Outlook WebAccess, Citrix etc.) but requiring mobility for retail showed the platform was inadequate. No concessions offered by security, so only one solution – SendTo either a hotmail or a stick. Go figure. I don’t see malicious employees as often as I do bombastic geeks leaving themselves open to an oops.