Understandably, many companies are kept busy prohibiting unauthorised access to their systems. Companies isolate themselves behind high-tech hardware and software, firewalls, secure encrypted connections, algorithms, PKI keys and a host of other technological security measures which together provide the necessary IT security to make the company appear totally impregnable … but do they remember to educate users why they use these security systems? You have to remember that IT security is a dynamic entity in a constant state of flux. So you cannot expect a static impediment to permanently solve a company’s IT security problems, when one of the main areas of risk, the human factor, has not been properly addressed.
One man’s rubbish – another man’s gold!
The concept of Social Engineering is certainly nothing new – many of us have heard of “the art of intrigue”. It is an extremely effective “tool” to possess – namely, the ability to use your opponent’s information against himself. Modern-day hackers use Social Engineering to gain unauthorised access to other people’s networks, thereby gaining full control of their computers.
Despite the great lengths that many companies go to protect themselves, it is actually quite alarming to see what they leave behind in the way of “tracks” that can easily be traced by a potential hacker. One thing a hacker needs to gain access to a company is information. It is this that can put him in a position of trust within the company so that he can gradually work his way towards its very core. One-off pieces of information that are not immediately recognised as confidential or classified can actually be the first key a hacker needs to gain access to a company.
Just think of all those personal memos, telephone numbers, jotted-down passwords, accounts, database printouts, and little Post-It notes, etc. We are now at a stage where even the most refined technology must concede defeat, because now it is impossible to predict how an individual will act in a given set of circumstances. A possible solution to the specific problem of notes and papers etc. could be “educating” employees to shred all paper rubbish that could potentially find its way out of the company. But who thinks of a shredder when it comes to IT security? That is precisely why companies need to use training, communication, IT strategies and particularly policies to ensure that their employees understand the importance of IT security. Everyone immediately thinks of giant servers, firewalls and anti-virus programs when they hear the term “IT security” because this is the tangible evidence to which people most often relate.
Are we looking in the wrong place?
If we blindly assume that all hacker attacks and threats will come from the outside then it is time to wake up and smell the coffee. Even though the latest hardware and software technology has addressed many of the security loopholes, it is more difficult than ever for companies to protect themselves against the human factor. What are the company’s recruitment and dismissal procedures, whom are we letting into the heart of the company and to whom are we giving confidential information, who can and is allowed to do what? All of these questions and many more besides are issues that companies should include in their IT security policy and strategy.
The disgruntled worker who has been fired – what has he managed to destroy or copy from the company’s network in the meantime? Or the employee with the mounting debts who, in a moment of weakness, is tempted to sell company information to a competitor. Or the employee who innocently opens “the funny picture” on the company’s server and unleashes a virus. Some of the figures below stem from Information Security Trends from the Gartner Group. They speak for themselves.
- 90% of all companies have experienced IT security breaches to a greater or lesser extent.
- 85% of all companies have been the target of a virus attack.
- 79% have been exposed to abuse perpetrated by employees.
- 71% have experienced unauthorised access to their networks.
- 66% have been compromised by their employees’ use of the network.
More and more studies show that the biggest security breaches in companies are committed by the companies’ own employees. It is often difficult to face up to the truth because this issue centres on mutual trust and confidentiality among the workforce. We must learn to understand that the problem of IT security cannot be solved solely by purchasing a single product – it requires a dynamic and progressive process. If we fail to involve employees – the users – in this process, then they will continue to be the weakest link in every security solution.
So what can we do?
If we think about how uncooperative we feel about having to throw away a newly bought half litre of Coke at airport security, then we can apply the same thinking to our businesses. If we do not understand our own role, situation, function and usefulness in the security chain then we will circumvent the issue on a daily basis. We will automatically become opponents rather than co-players. If someone restricts our ability to surf the internet – without explaining why – then we will simply find an alternative means of getting what we “usually” get – that is human nature.
That is why training must go hand in hand with technical and static security solutions. We need to understand how, when and especially why we have chosen the security solution we have in place. Otherwise, people will always opt for the easiest solution – which more often than not is completely at odds with the company’s security policy or desired level of security.