If you look at all of the high-profile information security incidents over recent years, they have one thing in common – the breach occurred because of human error. Gone are the days when the attackers brute force their way through the external firewalls and protective systems using advanced “hacking” techniques. It is much easier for the bad guys to just get someone at the victim company to click on a link that contains some malware that exploits a known vulnerability and bang – they are on the company’s network with control over at least one computer. And, once they have that access, it’s a relatively short, simple walk to having administrative control over many or all of the computers on that network.
One relatively early example of this approach was the “ILOVEYOU” virus, which spread through users opening an infected attachment (who wouldn’t want to open a love letter from someone on your contact list that you didn’t know had such strong feelings for you?). The “Anna Kournikova” virus did the same thing a year later. But these “attacks” weren’t targeted or monetized – their creators weren’t making any money off these security breaches or trying to break into a specific company; they were just committing technology vandalism. But remember the Target breach from late 2013 (40 million credit/debit cards stolen)? That WAS certainly monetized, and the whole thing occurred because the attackers got access to the credentials of an HVAC maintenance vendor for Target who, despite PCI DSS requirements to the contrary, also had access to Target’s point-of-sale (POS) network. The attackers used that vendor’s credentials to inject malware into the POS systems. How did they get the credentials? Through a malware-laden email that the employee clicked on. So, now the attackers ARE making money from these breaches (and they’ve actually been caught doing so for quite some time now).
It is well known within the information security field that securing the human is much harder than securing the systems. You can put every known technical safeguard in place, but if the user clicks “Yes” on that website that “claims” to have an updated Adobe Flash player, the user has just opened the door for the attacker. Educating the end users is so important, in fact, that every major security law or standard (PCI DSS, HIPAA, MA 201 CMR 17.00, SOX, FISMA) requires that employees be given information security awareness training on a regular basis.
So, what is the responsible business owner to do? Along with putting all of the proper technical controls in place (such as good password management, strong anti-virus and firewall protection, patching and monitoring your systems, etc.), you need to make your employees good corporate technology citizens through Security Awareness training. It answers questions like:
- How can I spot a phishing email?
- How do I securely manage all of the passwords that I have?
- What is Social Engineering and how can I protect myself from it?
- What are the risks to my company and to me personally?
Security Awareness programs also involve ongoing reminders – like posters and handouts – that help staff keep information security as part of their daily routine.
Often, the damage caused by these breaches goes way beyond the hard dollars related to cleaning up the technical mess they leave behind. The negative publicity can be extremely costly, especially if you are a small business that gets caught up in the wake of the breach, once you factor in the cost of the lost trust of your current and future clients. And so much of this can be avoided if employees are properly informed and regularly reminded about the basic tenets of good information security practices. That bit about employees being reminded is very important – security awareness is not a “do it once and move on” proposition. People will grow lax and go back to their dangerous habits without proper reminders. And what about those three new employees who came on after you did that one-time security awareness training?
Bottom line – the training costs less than the breach by a long shot. There aren’t any examples of companies that were hurt by having a Security Awareness program but there are hundreds of cases where they were hurt by NOT having one.
Interested in training at your company, or have any other security or general IT-related questions? Contact us.