How do you secure your data? Most would reply that their company has a firewall and antivirus system in place to combat a wide range of threats. This is normally the response from non-IT staff, IT managers and, occasionally, some IT security specialists.
Personally I would be stupid to argue against protecting your company from cyber threats. The reality is, these attacks – trojans, worms, viruses, DoS (denial of service) and hackers – are a big threat. But they are by no means the only security threats facing companies, which is why it’s so important for businesses to think outside of the box.
There are other major threats that receive less publicity – mainly because the media have an obsession with “evil” hackers and love to print “sexy” stories about companies being hacked into by criminal gangs or state sponsored groups.
Let’s get physical
Instead, think physical: that is, physical devices being used to steal data, or more frequently kit being left on trains or stolen from employees’ homes.
Many companies spend thousands or even tens of thousands (though many more don’t) on high-tech security such as retina scanners, biometrics, firewalls, antivirus scanners, 12-foot fences and multi-factor authentication, but fail where it matters most: human error and physical assets.
Paradoxically, advanced security software can often lead to a lax attitude towards security among staff, but as the old maxim goes, “security is only as strong as its weakest link.” High-tech security can only go so far, and the problem is that you cannot buy a firewall and antivirus system for a human being.
Research from my company found that 64% of UK workers have received no training on IT security issues, including prevention of malware and loss of sensitive data.
Perhaps more worrying is new research that shows that one third of all SME closures are due to human error. There is no point in spending tens of thousands or more and then neglecting the most important part: staff training.
Intrusions and data leaks often have a human element to them. A member of staff might send credit card details by email, in plain text, where they can be intercepted in transit or read from a compromised mailbox. Or a member of staff might open an attachment in a dodgy email which installs a trojan on their workstation; the trojan then connects out from inside the network, bypassing the high-tech security at the perimeter and giving the attacker a tunnel in.
Then there is removable media: USB pen drives, USB hard drives and optical media such as CDs and DVDs (though optical media are slowly going out of fashion for data transfer). A firewall offers some protection from remote hackers trying to pinch data from inside a network. But what about data which is moving around electronically or physically? Once data has left your four walls it is vulnerable, hard to stop and hard to monitor unless you have a system in place.
Many companies within the UK have no device control around removable media, or they might simply have a policy stating that no USB devices are allowed. It is all very well having such a policy, but as we know, “rules are made to be broken”, and a rule that nothing enforces or monitors is not a control. USB devices have three problems: data loss (the drive goes missing), data exposure (whoever finds it can read everything on it) and malware spreading (it carries infected files from one machine to the next). A few years ago malware was the biggest and most talked-about threat, but these days it is really data exposure.
You wouldn’t, or shouldn’t, leave highly confidential client financial documents lying around on your office desk, at home, or next to you on a train carriage. A USB pen drive holding the same documents is really no different, but because it is digital people do not think about it as much.
You have USBs?
An open USB policy is a very bad idea, since thousands of USB drives are misplaced every year. Three options exist for USB control. The first is to ban them, either by a written policy or, far more reliably, by port-blocking software that stops removable storage from mounting at all. The second is to supply every staff member with a secure (hardware-encrypted) USB drive and allow nothing else.
The third is to invest in automated software that encrypts and audits data written to USB devices. If you are a large company then option three might be the best choice, since it locks down and records data written to USB devices as well as CDs and DVDs, rather than relying on staff to use the approved drive. Whichever you choose, audit the endpoints periodically to confirm the control is actually in force.
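As an added example (not from the original article or any product it describes), the following PowerShell script shows what the “port blocking” enforcement behind option one looks like when done with the operating system’s own settings on a Windows endpoint, and how to audit whether it is actually in force. It assumes Windows 10/11 and an elevated session, and uses two registry locations: the start type of the USBSTOR mass-storage driver, and the Removable Storage Access policy key that Group Policy writes for removable disks (the class GUID used below is assumed to be that one; confirm it against a policy export from your own domain before relying on it). Neither setting ejects a drive that is already mounted; both take effect when a device is next connected.

```powershell
# Added example for the article's "port blocking" option. Not from the article.
# Assumes Windows 10/11 and an elevated PowerShell session.

# USBSTOR is the USB mass-storage class driver. Start = 3 (manual) lets it load
# when a drive is plugged in; Start = 4 (disabled) stops it loading at all.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

# Group Policy "Removable Storage Access" writes per-device-class keys here.
# The GUID is assumed to be the removable-disk class; verify with a gpresult export.
$RemovablePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Get-UsbControlState {
    # Report what is actually enforced on this machine, not what the policy
    # document says. A written ban with Start = 3 and no Deny_Write is no control.
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    $denyWrite = 0
    $denyRead  = 0
    if (Test-Path $RemovablePolicyKey) {
        $p = Get-ItemProperty -Path $RemovablePolicyKey
        if ($null -ne $p.Deny_Write) { $denyWrite = [int]$p.Deny_Write }
        if ($null -ne $p.Deny_Read)  { $denyRead  = [int]$p.Deny_Read }
    }
    [pscustomobject]@{
        UsbStorDisabled    = ($start -eq 4)
        RemovableDenyWrite = ($denyWrite -eq 1)
        RemovableDenyRead  = ($denyRead -eq 1)
        # Removable volumes mounted right now: evidence the control is not (yet) effective.
        MountedRemovable   = @(Get-Volume | Where-Object DriveType -eq 'Removable' | ForEach-Object DriveLetter)
    }
}

function Set-UsbControl {
    param([Parameter(Mandatory)][ValidateSet('Block', 'ReadOnly', 'Allow')][string]$Mode)
    switch ($Mode) {
        'Block' {
            # Hard ban: the driver never loads, so no USB disk appears at all.
            Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
        }
        'ReadOnly' {
            # Staff can read a drive (a supplier's files, say) but cannot copy data onto it.
            Set-ItemProperty -Path $UsbStorKey -Name Start -Value 3 -Type DWord
            New-Item -Path $RemovablePolicyKey -Force | Out-Null
            Set-ItemProperty -Path $RemovablePolicyKey -Name Deny_Write -Value 1 -Type DWord
            Set-ItemProperty -Path $RemovablePolicyKey -Name Deny_Read  -Value 0 -Type DWord
        }
        'Allow' {
            Set-ItemProperty -Path $UsbStorKey -Name Start -Value 3 -Type DWord
            if (Test-Path $RemovablePolicyKey) { Remove-Item -Path $RemovablePolicyKey -Force }
        }
    }
    # Return the audited state so the caller sees what was actually applied.
    Get-UsbControlState
}

# Usage: audit first, then enforce.
Get-UsbControlState | Format-List
# Set-UsbControl -Mode ReadOnly
```

Both settings are only as strong as the accounts allowed to change them: a local administrator can flip USBSTOR back to manual, so in practice the values are pushed from Group Policy and the audit function is run from a management tool rather than trusted from the endpoint alone.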
Laptops are another common source of data leakage. Recently public sector bodies, mainly councils and NHS trusts, have been fined for lost laptops. The common myth is that the Windows login prompt offers sufficient protection. It does not: it only guards the running operating system, and anyone holding the laptop can boot another system from a USB stick, or remove the disk and read the files directly, in minutes and without any great skill. The Information Commissioner’s Office (ICO) therefore recommends full-disk encryption on all laptops, and encryption of removable media too. Encryption only helps if it is actually switched on and not suspended, so it needs checking, not just installing.
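As an added example (not from the article or the ICO), the following PowerShell check reports which volumes on a Windows laptop are not actively protected by BitLocker, which is the built-in full-disk encryption the recommendation above would usually be met with. It assumes Windows 10/11 Pro or Enterprise with the BitLocker module and an elevated session; the column names are my own and the exit code is an assumption about how a management tool would consume the result.

```powershell
# Added example for the laptop section. Not from the article or the ICO.
# Assumes Windows 10/11 Pro/Enterprise with the BitLocker module, run elevated.

function Get-EncryptionGaps {
    # One row per volume BitLocker knows about. ProtectionStatus is the figure
    # that matters: a volume can be fully encrypted yet have protection suspended,
    # in which case the key sits in the clear and the disk is readable.
    $rows = foreach ($v in Get-BitLockerVolume) {
        $driveType = 'Unknown'
        if ($v.MountPoint -match '^([A-Za-z]):$') {
            $vol = Get-Volume -DriveLetter $Matches[1] -ErrorAction SilentlyContinue
            if ($vol) { $driveType = [string]$vol.DriveType }   # Fixed or Removable
        }
        # Protector types show what unlocks the disk. 'Tpm' alone unlocks at boot
        # with no user secret; 'TpmPin' adds pre-boot authentication.
        $protectors = @($v.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        [pscustomobject]@{
            MountPoint   = $v.MountPoint
            VolumeType   = [string]$v.VolumeType       # OperatingSystem or Data
            DriveType    = $driveType
            VolumeStatus = [string]$v.VolumeStatus     # FullyEncrypted, FullyDecrypted, ...
            Protection   = [string]$v.ProtectionStatus # On or Off
            Protectors   = ($protectors -join ',')
            Compliant    = ([string]$v.ProtectionStatus -eq 'On')
        }
    }
    $rows
}

$gaps = Get-EncryptionGaps
$gaps | Format-Table -AutoSize
$bad = @($gaps | Where-Object { -not $_.Compliant })
if ($bad.Count -gt 0) {
    $list = ($bad | ForEach-Object MountPoint) -join ' '
    Write-Warning ("{0} volume(s) without active BitLocker protection: {1}" -f $bad.Count, $list)
    exit 1   # non-zero so a scheduled task or management agent can flag the laptop
}
```

Removable drives show up in the same list once BitLocker To Go has been applied to them, so the one check covers both halves of the ICO recommendation; a removable volume that is absent from the output, or present with protection Off, is exactly the pen drive the earlier section warns about.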
Finally, one of the most dangerous attacks is social engineering. People are brought up to be friendly and helpful, and these are traits that can easily be exploited. Social engineering (social as in social skills, engineering as in engineering an attack) comes in three forms: on the phone, in person or by email.
Do your staff verify the identity of people who phone or turn up in person? The reality is, probably not. Don a FedEx uniform, carry paperwork and a parcel, and turn up at an office; nine times out of ten no one would question the individual. The reason is that they fit the picture.
Another example is someone posing as a manager on the phone. “Hello, I was wondering if you could help me. I am working on an urgent project for a shareholder meeting tomorrow and I need a document urgently. It’s for my boss, John, the MD.” Under the pressure of urgency, fear and seniority, the staff member is likely to hand over the document or a password. Training is the only real defence against social engineering, backed by a simple rule that staff are allowed to follow without apology: verify before you comply, for example by calling the requester back on a number from the internal directory, and never give out a password on request.