Yesterday, the Society of Corporate Compliance and Ethics (SCCE) and the Health Care Compliance Association (HCCA) issued a press release revealing their survey results on accidental data loss vs hackers.
They surveyed 500 compliance professionals. The upshot of their press release is as follows:
- 70% said they were well or very well prepared to thwart network intrusions
- 61% said an accidental breach by an employee was very or somewhat likely
So, the conclusion is that employees are a big worry for companies, but hackers aren't.
In light of recent events - I am thinking of RSA's recent disclosure - these two areas of concern are perhaps not easily separated from each other.
Data is certainly the goal of many of today's organised attacks. And hackers want the easiest route in and out of a company. So, duping an employee through a socially engineered communication and persuading them to assist (unknowingly) in infecting their work computer is a rather attractive approach.
Consider this scenario:
I find your details on a well-known recruitment website, called LockedIn, and find out stuff like your job title and company name. Then, I call you up, introduce myself as a recruiter for [insert well known respected company name here]. I explain that you have been highly recommended to us, and we want to send you additional information on [insert amazing job title at well known respected company name here]. Can you provide your email address so we can fire it over? Wouldja? Do you think any of your colleagues would?
Even if you are wise enough to avoid such a trap, I am sure you would agree that it wouldn't take too long to find a suitable victim.
Of course, the attachment I fire over is infected - perhaps with a zero-day exploit. Once the machine is infected and under a hacker's control, snarfling up permissions and sneaking around looking for key data, your company is up the proverbial creek without a paddle.
The importance of educating users
So, yes, all employees are vulnerable to being duped through socially engineered communications. But education can make us less attractive targets. I know - you are sick of hearing about how education can help, but narrowing the divide between the IT team and other employees is a key component of having more eyes watching out for suspicious activity.
If employees feel they can come to IT for advice and help rather than a slap on the wrist for doing something stupid, the company as a whole is much better off.
So back to our scenario: you get the job-of-a-lifetime attachment in your inbox, and perhaps you open it and it seems strangely unsuitable. If you get this niggly feeling that something isn't right, instead of closing it and forgetting about it, you call up IT and say, ‘something weird just happened - maybe you want to look into it’.
Multilayered defences needed
To fend off today's sophisticated multilayered attacks, you do need a multilayered defence. Technology (anti-virus, firewall, DLP, encryption, patch management, etc.) is obviously key, but so is user education: what to publish on social networks, and what to avoid sharing with unexpected cold callers, emails and attachments. Together, these approaches will riddle the road to your sensitive data with difficult-to-overcome obstacles.
You can also check out these free Sophos tools.