For C-level executives, the big wide world of anonymous hackers and the jungle of viruses and malicious software out there may seem like the biggest threat to their organisation’s data security.
But often the challenges originate a lot closer to home – inside the corporate perimeter.
While those in the boardroom have been focused primarily on keeping the wolf from their door, lack of awareness amongst employees and simple human error are leaving many organisations needlessly exposed to exploitation. Rather than exploiting vulnerabilities in hardware or software, certain types of attack focus on finding and exploiting vulnerabilities in people.
Last year was definitely the year of the employee compromise, and the rise of the consumerisation of IT, BYOD and ‘shadow IT’ has exacerbated the problem, as levels of security awareness amongst employees have not necessarily kept pace with the control they suddenly have over the IT infrastructure. Alarming recent figures from Gartner indicate that 85% of ‘hacks’ actually appeared to be the result of accidental disclosures, and ‘social engineering’ (the psychological manipulation of people into divulging sensitive corporate information) is emerging as one of the most common ways that hackers use employee vulnerabilities to compromise organisations.
As Lasse Andresen, CTO at identity relationship management (IRM) company ForgeRock, explains, ‘These look identical to a company or brand email and are almost impossible to identify as being a criminal ploy. The fact that these attacks are so small means they are not easily detected by traditional spam filters and reach the target victim’s inbox without a hitch.’
In the past year, we have seen a number of high-profile companies fall for attacks exactly like these. In August 2013, major news outlets including The Washington Post, CNN and Time websites were taken down by Syrian pro-Assad hackers using a spoof email to dupe employees into handing over passwords. And in a separate incident, an Associated Press journalist’s Twitter account was compromised through a similar phishing attack. Stock markets plunged, instantly erasing $136.5 billion of value from the S&P 500 index, when the attackers spread bogus tweets reporting an explosion at the White House.
Education, education, education
When attacks like these happen, they can be disastrous – not to mention embarrassing – for the company that was conned into giving away the keys to their own castle. But who is really to blame, and what can companies do to protect themselves from the weak links within their own boundaries?
The 2013 Ponemon Cost of Cyber Crime study showed cost savings of £182,706 from substantial training and awareness activities, indicating that a large proportion of an IT security budget should be allocated to employee education.
But some would contend that employee education regarding security issues is simply a band-aid for the inadequacies of the underlying infrastructure, and although education is useful it should definitely not be a budgetary priority for an IT department.
‘Users should not have to concern themselves with the underlying infrastructure, just as they don’t with phone systems,’ argues ForgeRock’s Andresen. ‘It is our job to keep the users safe, rather than telling them not to hurt themselves and then blaming them when they do. Plus, with cybercriminals expanding their skill set, many are now experts at social engineering attacks that can ensnare even the smartest of users. All it takes is one person to fall into a trap to compromise an entire business.’
Staying ahead of the criminals
Many vendors would argue that instead of focusing on the employees, organisations should be investing in the latest adaptive authentication technologies to beat the criminals at their own game.
IT leaders could be forgiven for taking the budgetary advice of vendors with a very large pinch of salt, however.
As Simon Mason, head of security EMEA at Verizon Enterprise Solutions, stresses, time doesn’t stand still, and neither does technology: ‘Just as new security techniques are implemented, cybercriminals are trying to break them. It would be complacent for any organisation to think that technology alone will combat this and that employee education isn’t required.’
For all the latest and greatest solutions out there, the underlying problem lies in simply stopping employees from doing what they are not supposed to do. When it comes to social engineering, it seems that technology can only go so far in protecting people.
‘Sensitivity of information can be subjective, and it is difficult for enterprise security products to know when to prevent or allow the sharing of information,’ says HP Enterprise Security Products VP and general manager Tony Caine. ‘Moreover, enterprise technology cannot monitor what employees do in their personal time on their personal computers.’
Caine strongly recommends that enterprises take direct action to limit users’ privileges, to ensure that they are unable to introduce unknown binaries to a network. Making use of reputation services that allow the vetting of potentially malicious traffic is one element of this, but the strongest weapon in any company’s security arsenal is an ongoing education programme for employees.
According to figures from the Trustwave 2014 Security Pressures Report, 65% of IT professionals said they felt pressured to select security technologies with all the latest features, despite the fact that 35% did not have the resources to manage all of those features effectively.
Commenting on the figures, Trustwave systems engineering manager Oliver Pinson-Roxburgh says he often talks to businesses that have purchased new technologies with ‘all the bells and whistles’, but they do not have enough manpower and skills in-house to effectively install and manage them.
Many more experts, such as global IT governance association ISACA, are similarly sceptical of the claims of vendors to be able to offer a ‘magic bullet’ for social engineering attacks.
The biggest mistake, says Ramsés Gallego, ISACA’s international vice-president, is to approach the problem from a purely technical perspective: ‘This is not about technology but about behaviour.’
Gallego and others are adamant in the belief that security is an attitude and a state of mind, and as such the problem requires a cultural shift. He is a proponent of the ‘bring your own self’ (BYOS) discipline within the corporate perimeter.
‘We are entering the corporate barrier every single day with our beliefs, attitudes and concepts, making the risk perception very subjective,’ he says. ‘The latest advances in technology can not only be detective and preventative but also corrective. At the end of the day, the human factor always has to be considered, and this is why we have to understand culture, ethics, morals, behaviour, capabilities and skills.’
At the most basic level, this begins with the HR department, which should recruit with these topics in mind. ‘Technology is one of the ways to go, but let’s not forget the triad of people-process-technology, where people come first for a reason,’ says Gallego.
On the back of this philosophy, ISACA developed BMIS (Business Model for Information Security), embedded within the COBIT 5 business framework for the governance of data – one of the first frameworks of its kind to consider the human dimension.
Approaches like this are based on the concept of enterprises taking steps to ‘harden’ employees as part of the possible attack surface, in much the same way as they would hardware or software.
Mum’s the word
As the old saying goes, ‘repetition is the mother of skill’, and many believe that the best way to educate employees is to establish a rigorous set of guidelines and regular seminars that reinforce employees’ understanding of the risks as often as possible.
But a truly comprehensive security education programme should arguably encompass more than just employees and those directly responsible for security. Companies should also look at measures that extend beyond their own four walls, and take into account the security of their partners and suppliers. In a recent incident, US company Target was affected by a weak link within its supply chain, which hackers used to get malware into the company.
‘This example demonstrated perfectly the fact that vulnerabilities in the security of your supply chain ultimately equate to your own vulnerabilities, so companies should take this into account in their security planning,’ explains Alex Raistrick, regional vice president for Western Europe at Palo Alto.
And looking at the enterprise ecosystem as a whole, vendors could play a role in the education process and the sharing of information instead of simply touting yet more miracle products.
Vendors play two roles in this area, advises Raistrick. The first is making products easy to use, de-cluttering technology and making it understandable and transparent for the user. ‘The second is providing guidance and best practices – insights on how to maximise the investment in technology, how to prevent bad things from happening, and why developers designed one feature to avoid the next digital Pearl Harbor.’
Vendors can play their part not just by holding seminars or lectures, but at a more fundamental level by ensuring that they are sharing the knowledge they have for the wider good, and encouraging this information to be passed on and shared. This could include being involved in educating IT departments about best practices in building a ‘zero trust’ security platform, so that organisations are encouraged to use all the defences available to them.
‘It’s important to help organisations think more broadly than just the basics when it comes to security, and this can only really be achieved by being open and transparent about the threats that exist,’ concludes Mason.
Ultimately, vendors stand to gain more credibility by doing this, especially if they are discussing threats and issues that go beyond just the areas that their solutions are equipped to tackle.