We talk a lot on this blog about various types of cyber-attacks and the various ways technology can help reduce your risk factor, but there's one uncomfortable fact which can undermine even the best tech-based network security: roughly ninety percent of successful cyber-attacks involve some degree of human error or negligence.
Simply put, no matter how much money you have invested in hardware, it could all go to waste if you aren't also training your staff to be security-smart.
So today, we wanted to run down some of the most common ways of defeating security by exploiting the human element, often called social engineering. You should be looking to train your staff to recognize, avoid, and report these methods of attack - or possibly even looking to bring on consultants to help solidify that training.
"Phishing" refers to emails (or, less frequently, phone calls) that attempt to trick the target into revealing critical pieces of information, such as passwords or credit card numbers. They almost always attempt to represent themselves as some form of authority figure. There's even a variation involving CEO impersonation, where the criminal has gained access to a C-level executive's email and is using it to directly ask for such protected information.
The best solution here is simply to establish protocols for properly and securely transmitting protected information, and never to deviate from them. If a member of staff gets a request that doesn't follow the protocols, they should report it immediately - even if it seems to come from the CEO personally.
An amazing number of data breaches come via the most old-fashioned method possible: plain old pick-pocketing. If a smartphone has access to your network, or has business data on it, it's vulnerable to physical theft.
The solution is simple: don't let it happen. Never set devices to auto-logon to protected networks without multi-factor authentication. Never store protected info on portable devices. And have security procedures in place for quickly locking out and/or wiping a device should it ever be stolen.
We frankly can't believe how many intrusions are still committed by tricking people into opening compromised files in their email box. Seriously, this should be business security 101: Never ever open a file in your email box unless you are certain you know who sent it. There's just no excuse for an employee to get tricked by this one any more.
Plus, don't forget that online advertisements can also be used as vectors for trojans. So don't click on banner ads either.
It's not something anyone likes to think about, but there's always a chance that someone in your organization is disgruntled, opportunistic, and/or compromised. Some of the biggest data thefts in history have been "inside jobs."
This is another area where having set protocols will help a lot. Define what information each job role is allowed access to, and don't deviate. Encourage employees to report internal requests for information that seem even a little iffy. Better safe than sorry is the watchword here.
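One way to put the "define what each role may access, and don't deviate" rule into practice is a deny-by-default access policy with a log of every refused request, so the "iffy" ones have a record to report against. The following Python is an added example written for this page, not code from the original post; the role names, resources and sample requests in it are constructed for illustration. Note that a role the policy doesn't know about gets nothing, which is the same principle as the phishing advice above: a request doesn't get a pass just because of who appears to be making it.

```python
"""Role-based access with deny-by-default and an audit trail.

Added example, not code from the original post: it models the advice that each
job role gets a defined set of information and nothing else, and that
out-of-policy requests are recorded so they can be reported and reviewed.
The role names, resources and sample requests are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Constructed policy: each role may perform exactly the listed (resource, action)
# pairs. There is no wildcard and no "allow everything" role, so any pair not
# listed here is denied.
POLICY: Dict[str, FrozenSet[Tuple[str, str]]] = {
    "sales": frozenset({("customer_contacts", "read"), ("quotes", "write")}),
    "finance": frozenset({("invoices", "read"), ("invoices", "write"),
                          ("payroll", "read")}),
    "helpdesk": frozenset({("tickets", "read"), ("tickets", "write")}),
}


def is_allowed(role: str, resource: str, action: str) -> bool:
    """Deny by default: an unknown role or an unlisted pair returns False."""
    return (resource, action) in POLICY.get(role, frozenset())


@dataclass
class AccessLog:
    """Records every decision; the denied ones are the requests to review."""
    entries: List[dict] = field(default_factory=list)

    def record(self, user: str, role: str, resource: str, action: str,
               allowed: bool) -> None:
        self.entries.append({"user": user, "role": role, "resource": resource,
                             "action": action, "allowed": allowed})

    def denied(self) -> List[dict]:
        return [e for e in self.entries if not e["allowed"]]


def check_request(log: AccessLog, user: str, role: str,
                  resource: str, action: str) -> bool:
    """Evaluate one request against POLICY and log the outcome either way."""
    allowed = is_allowed(role, resource, action)
    log.record(user, role, resource, action, allowed)
    return allowed


def run_sample() -> List[dict]:
    """Replay a few constructed requests and return the denied ones."""
    log = AccessLog()
    # Constructed requests: (user, role, resource, action)
    requests = [
        ("alice", "sales", "customer_contacts", "read"),   # in policy
        ("alice", "sales", "payroll", "read"),             # outside her role
        ("bob", "finance", "payroll", "read"),             # in policy
        ("carol", "helpdesk", "invoices", "write"),        # outside her role
        ("dave", "executive", "payroll", "read"),          # role not defined: denied
    ]
    for user, role, resource, action in requests:
        check_request(log, user, role, resource, action)
    return log.denied()


if __name__ == "__main__":
    for entry in run_sample():
        print("DENIED: {user} ({role}) tried {action} on {resource}".format(**entry))
```

The design choice worth copying is that the policy is an explicit allow-list keyed by role, with no default role and no wildcard; adding a new kind of access means editing the policy, not granting an exception, which is exactly the "don't deviate" discipline the text recommends.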
Do you want to know how effective your security training is? Want to see whether you've got gullible employees who could be security liabilities? Want to give your security measures a real "live fire" test?
Then have a penetration test conducted. These are professionally conducted "white hat" hacking attempts, done with your consent, specifically for the sake of testing your security. Any and all methods of intrusion can be used, and the resulting report will show where you need better security.