Tuesday, August 2, 2011

Feeling Insecure? It May Be the People Around You

At the end of the day, information security is all about the people. In any discussion of security in the cloud or the security of digital information in general, people are the most significant element.

One can devote a lifetime of effort erecting technical defenses: the latest firewalls, intrusion detection, two-factor or multi-factor authentication, encryption, biometrics and other systems to keep the bad guys out. But it takes only one errant click by an employee to render all of it moot.

There have been a number of high-profile hacks in which large amounts of sensitive data were obtained by groups like Anonymous and published through outlets like WikiLeaks for political purposes. We also read about companies like Epsilon, TJX and Sony, where huge amounts of personal information were obtained by outsiders. Moreover, we only hear about a fraction of the hacks that actually occur. A company often does not want to publicly admit it has been compromised, and in some cases will even pay the attackers to return the stolen data or destroy it.

There is an ever-escalating war between the security professionals introducing the latest approach to securing your data and the hackers who always seem to be one step ahead, uncovering vulnerabilities in software and either exploiting them for gain or publishing the means for others to do so.

But when you peel back the covers and look at how most of these breaches happened, more often than not an employee was socially engineered into giving out information or clicking on a link that pokes the proverbial hole in the dike. People are the weakest link in security.

It is surprising, then, that companies continue to invest more of their time and money in complex hardware and sophisticated software than in education programs for employees. There is a long list of bad habits that should be addressed: simple, easily guessed passwords; sending sensitive data over unencrypted connections; smartphones and laptops with no PIN or other access protection; and installation of games or other "free" software of unknown origin. Employees must learn to be highly skeptical of any link in an email, on a web site or in a chat session, and never give out information over the phone without verifying the identity of the caller.
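"Be skeptical of any link in an email" is easier to teach when people know what to look for. As an added example (not code from the original post), the script below parses the anchors out of a constructed HTML message and flags the three tricks phishing mail leans on: visible link text that names one site while the href points at another, a "user@host" prefix that hides the real destination, and raw IP addresses or punycode (xn--) hostnames posing as a brand. The message body, the domains and the address in it are made up for the demonstration.

```python
"""Inspecting links in an email the way a skeptical employee should.

Added example, not code from the original post. It parses the anchor
tags out of a constructed HTML message and flags the tricks phishing
emails rely on: link text that names one site while the href goes
elsewhere, a "user@host" prefix that hides the real host, and raw IP
or punycode (xn--) hostnames posing as a brand. All hostnames, the IP
address and the message body are fictional.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message; the domains and address are fictional.
SAMPLE_EMAIL = """
<p>Your account has been locked. Please verify at
<a href="http://secure-login.example.net/verify">https://www.examplebank.com/login</a>.</p>
<p>Or use <a href="https://www.examplebank.com@198.51.100.7/">our secure site</a>.</p>
<p>Read the <a href="https://www.examplebank.com/help">help page</a>.</p>
<p>Mirror: <a href="https://xn--exmplebank-x7a.com/">examplebank.com</a></p>
"""


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname a browser would actually connect to (lowercase, userinfo stripped)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower()


def registrable(host):
    """Drop a leading 'www.' so 'www.examplebank.com' matches 'examplebank.com'."""
    return host[4:] if host.startswith("www.") else host


def inspect_link(href, text):
    """Return the warnings for one anchor; an empty list means nothing suspicious."""
    warnings = []
    parts = urlsplit(href)
    target = host_of(href)
    if "@" in parts.netloc:
        warnings.append(f"text before '@' is userinfo; real host is {target!r}")
    try:
        ipaddress.ip_address(target)
        warnings.append(f"link goes to a raw IP address {target!r}")
    except ValueError:
        pass  # a normal hostname, not an IP literal
    if any(label.startswith("xn--") for label in target.split(".")):
        warnings.append(f"internationalised (punycode) host {target!r} may imitate a brand")
    # Visible text that looks like a URL must point at the same site as the href.
    if "." in text and " " not in text:
        shown = host_of(text)
        if shown and registrable(shown) != registrable(target):
            warnings.append(f"text shows {shown!r} but link goes to {target!r}")
    return warnings


def inspect_email(html):
    """Return [(href, text, warnings)] for every link in the message."""
    collector = AnchorCollector()
    collector.feed(html)
    return [(h, t, inspect_link(h, t)) for h, t in collector.links]


def suspicious_links(html):
    """Just the hrefs that tripped at least one warning."""
    return [h for h, _, w in inspect_email(html) if w]


if __name__ == "__main__":
    for href, text, warnings in inspect_email(SAMPLE_EMAIL):
        print(("BAD" if warnings else "OK "), repr(text), "->", href)
        for w in warnings:
            print("     -", w)
```

Run as-is it reports three of the four links as suspicious and passes only the one whose text and target agree. The useful lesson for a training session is the second link: the part of the address a reader's eye lands on (`www.examplebank.com`) is userinfo, and the browser connects to whatever follows the `@`.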

Comprehensive training and frequent reminders, coupled with the appropriate level of technology, provide a much higher return on investment and result in a far more secure computing environment.

What are some of the bad employee habits you have observed?

Captain Joe

Follow me on Twitter @JPuglisiLLC