By Doug Pollack, ID Experts
Originally posted on the ID Experts blog. Reposted with permission.
Cyber-attacks and the resulting data breaches are all over the headlines. Just this year, we’ve seen the Anthem breach (80 million individuals affected), a billion-dollar cyber-heist that affected up to 100 banks worldwide, the OPM data breach (21.5 million people affected), and the Ashley Madison breach (37 million people affected). In October 2015 alone (National Cyber Awareness Month, no less), we’ve seen breaches at Scottrade (4.5 million individuals affected) and a data breach at credit-reporting service Experian that affected as many as 15 million T-Mobile customers. Cyber-attackers exploited various methods—viruses, malware, etc.—to grab information from these organizations, but a common thread running through the majority of major breaches is human error, often people being fooled into giving thieves back door access into critical information systems. The Anthem breach and the bank heist are thought to have originated with phishing attacks against employees. According to Wired, Ashley Madison hasn’t released the cause of its breach, saying only that it was not due to a software vulnerability, fueling speculation that it was perpetrated or enabled through the credentials of a current or former employee. The causes of the Scottrade and Experian breaches are under investigation. (In 2014, security reporter Brian Krebs reported how a unit within Experian had been tricked into selling personal and financial records on more than 200 million Americans to an “identity theft service”—a supplier to cyber-thieves—operating out of Vietnam.)
The point is that, while cyber-attackers are becoming ever more sophisticated at stealing information from business systems, gaining entry into those systems is relatively easy because employees, vendors, and sometimes customers are not very sophisticated at keeping them secure. You can’t stop mistakes and you can’t stop breaches 100 percent of the time, but you can teach breach resistance, and that will keep more of your data safe, more of the time. Let’s look at some of the basic security concepts and practices your employees, users, and customers need to know.
The foundation of a breach-resistant user base is a culture of security: not just periodic training, but ongoing communication about threats, risks, and best practices. Brian Contos, chief security strategist for Norse, says that building security consciousness takes collective effort. In a recent Dark Matters article, he says that annual security training tends to be viewed as compulsory rather than an opportunity to learn useful information. He recommends holding frequent, interactive training to educate the workforce on current threats and defense tactics, and which includes executives, management, and employees together to share experiences and help educate each other. Your customers can also be an unwitting source of data breaches if they share information in the wrong places, so consider sharing security tips in a customer newsletter or other customer communications.
Awareness programs should also promote basic security hygiene reinforced with ongoing information about new threats and the consequences of poor security practices. At a minimum, every user needs to know that data theft and cyber-attacks are a daily concern, and that what they do in their personal lives can affect their privacy and financial well-being, as well as the organization’s.
Phishing, especially targeted or “spear” phishing, is typically the first stage in a multi-stage cyber-attack and, as noted above, successful phishing has initiated a number of major breaches in recent months. But you can fight back: a recent Ponemon Institute study found that phishing training reduced employee click rates on phishing email by an average of 64 percent. Several companies (including Wombat Technologies, which sponsored the Ponemon study) offer phishing training, but here are some basic tips from US-CERT that every user should know.
- Don’t open unsolicited emails, and don’t click links or open attachments in them.
- Be suspicious of claims that are too good to be true. Typical examples are weight loss claims, sexual enhancement claims, and people claiming to want to give you large sums of money. (Initially, so many of this last type originated in Nigeria that they were dubbed “Nigerian 419” frauds, after a section of the Nigerian penal code.) These are often easy to spot because of poor spelling, wrongly used legal terms, and other mistakes.
- Be careful about responding to, or providing information in response to, unsolicited emails from banks, the IRS, or other organizations, and don’t fall for scare tactics. Any organization you deal with already knows your name, your bank account number, your medical ID number, etc.; it won’t call asking you to “confirm” them. Links in these emails often lead to spoofed websites that look legitimate but are designed to collect personal information from unsuspecting users. If users aren’t sure about an email, they can look up the organization’s number (it’s usually on the back of a credit card or ID card) and call directly to check whether the email is legitimate.
- Phishing also happens on social media, so warn users not to share personal information with someone they don’t know in real life, and if they receive an unusual communication that seems to be from someone they know, call that person and check it out.
Phishing attacks can reach users on devices you don’t control, but on your own networks you can supplement user awareness programs and reduce exposure to phishing with technical controls such as mail filtering; blocking images, links, and attachments; and email authentication, that is, checking the sender against the SPF, DKIM, and DMARC records published for its domain.
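As an added example (not code from the original post or from ID Experts), here is a small Python triage routine of the kind a mail-gateway filter applies: it reads the Authentication-Results header that a receiving mail server stamps on a message (the SPF, DKIM and DMARC outcomes) and flags HTML links whose visible text shows one site while the href points at another, the spoofed-website trick described above. The two messages, the domain names and the quarantine policy are all constructed for illustration, and the “last two DNS labels” rule for comparing domains is a stand-in for the public-suffix list a real filter would use.

```python
"""Mail-gateway style phishing triage (added example, not from the post).
Reads SPF/DKIM/DMARC outcomes from Authentication-Results and flags links
whose displayed URL names a different site than the href.  All messages,
domains and the policy below are constructed for illustration."""
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure: From claims the bank, all three checks failed, and the
# link text shows the bank's URL while the href goes to another domain.
LURE = """\
Authentication-Results: mx.example.net;
 spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=bounce.example.org;
 dkim=none header.d=none;
 dmarc=fail (p=reject) header.from=bank.example.com
From: "Example Bank Security" <alerts@bank.example.com>
To: user@example.net
Subject: Confirm your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body><p>Unusual activity was detected. Verify now:
<a href="http://bank.example.com.login-check.example.org/verify">https://bank.example.com/verify</a></p>
<p><a href="https://bank.example.com/help">Help center</a></p></body></html>
"""

# Constructed genuine message from the same domain: everything passes.
GENUINE = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bank.example.com;
 dkim=pass header.d=bank.example.com;
 dmarc=pass (p=reject) header.from=bank.example.com
From: "Example Bank" <statements@bank.example.com>
To: user@example.net
Subject: Your statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>View it at
<a href="https://bank.example.com/statements">https://bank.example.com/statements</a></p></body></html>
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)
URL_IN_TEXT = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def parse_auth_results(msg):
    """Map method -> result. The first value per method wins: the header
    our own MX added is on top, anything below could be sender-forged."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in AUTH_RE.findall(str(header)):
            results.setdefault(method.lower(), result.lower())
    return results


def registered_domain(host):
    """Last two DNS labels (assumption: no public-suffix list offline,
    so 'co.uk'-style suffixes are not handled)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def mismatched_links(html):
    """Links whose displayed URL names a different site than the href."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        shown = URL_IN_TEXT.search(text)
        target = urlparse(href).hostname or ""
        if shown and registered_domain(shown.group(1)) != registered_domain(target):
            findings.append((text, target))
    return findings


def triage(raw):
    """Quarantine on DMARC failure, on a message that passes neither SPF
    nor DKIM, or on any spoofed-looking link; otherwise deliver."""
    msg = message_from_string(raw, policy=default)
    auth = parse_auth_results(msg)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    reasons = []
    if auth.get("dmarc") == "fail":
        reasons.append("DMARC failed for the From domain")
    elif auth.get("spf") != "pass" and auth.get("dkim") != "pass":
        reasons.append("neither SPF nor DKIM passed")
    for text, target in mismatched_links(html):
        reasons.append(f"link shows {text!r} but goes to {target}")
    return {"verdict": "quarantine" if reasons else "deliver",
            "auth": auth, "reasons": reasons}


if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("genuine", GENUINE)):
        print(name, triage(raw))
```

Running it quarantines the lure for two reasons (DMARC failure and the mismatched link) and delivers the genuine message. The order of checks matters: only the Authentication-Results header added by your own receiving server can be trusted, which is why the routine keeps the first result it sees for each method and ignores any copies lower in the header block.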
A CSO Magazine article called mobile devices the “holy grail” for hackers seeking to breach an organization’s security perimeter, and noted that “Small and midsize businesses face higher risks because they’re often not able to keep up with BYOD policies, and threats can change every three to six months.” With mobile devices, many people are now online virtually every waking hour, giving cyber-attackers 24/7 access to mount phishing attacks and deliver malware that can attack business networks from inside when the user logs in with a mobile device.
Employees need to understand that their personal mobile devices face the same threats as any other computer. IT Departments need to conduct ongoing training and enforce mobile security best practices and habits among employees in order to keep their mobile devices secure:
- Always install OS and other updates with security patches promptly.
- If you bring your own devices to work, run security software on them.
- Don’t download apps from non-trusted sources. (As of October 7, 2015, mobile security site Spreitzenbarth listed over 180 malware families found in Android apps, and, although Apple screens apps going into its App store, the XcodeGhost malware is being found in a growing number of iOS apps.)
- Avoid storing business data on personal devices.
- Don’t share a device used at work with a friend or family member. Installing apps is easy, and kids don’t think twice about downloading any app that looks appealing. A number of the malware-infected iOS apps are children’s games, and of course, they are mostly free.
Stop Visual Hacking
Visual hacking is exactly what it sounds like: people stealing information by looking at private information on a screen or on paper or by watching someone enter it on a computing device. We’ve all been warned to make sure no one is watching when entering our PIN at an ATM. But “shoulder surfing” isn’t limited to ATMs, and it can happen in public or in the workplace. In a study sponsored by manufacturer 3M, Ponemon Institute found that nearly half of visual hacking attempts were successful, and in 88 percent of trials, a white-hat hacker posing as a legitimate visitor was able to infiltrate a workplace and obtain sensitive information because it was left in plain sight. In 70 percent of the trials, office workers didn’t even confront the hacker looking at sensitive information, and in only one out of 30 trials did a worker report the suspicious activity to a supervisor or manager.
To combat visual hacking, users need to be trained to be aware of their surroundings, to minimize exposure, for example, by working with their backs to the wall when in public areas, to use lock screens and secure work areas when leaving their desks, and to report suspicious activity right away. 3M also recommends using privacy filters that allow only the user directly in front to see what’s on a computer or device screen. (3M is one of several manufacturers of privacy filters.)
No Foolproof Solutions
Information security is costly. In July 2015, Michael Brown, CEO at Symantec, told CSO Magazine, “The demand for the [cybersecurity] workforce is expected to rise to 6 million [globally] by 2019, with a projected shortfall of 1.5 million.” The article also cited a Dice report that found the average annual salary for an infosec engineer is higher than the average CSO salary. Not every organization can afford dedicated infosec staff, and security and privacy decision-makers have to consider the costs and benefits of new security products and services, from data analytics to threat intelligence.
But the bottom line is that, regardless of your security and privacy budget, all the experts and technology in the world won’t protect your organization’s information if the rest of the staff and users leave the door wide open to cyber-attackers and thieves. Your immediate best investment is to turn every person who deals with your systems into a security person. (The Ponemon Institute study found a 50x ROI on security training against phishing.)
As cyber-security expert Vince Crisler pointed out in a Dark Matters article, “To ‘win’ in cyber security, defense must be right 100 percent of the time, while offense only has to be right once. We must wake up to the reality that defense is an impossible task; no matter what actions we take, we will lose.” But if you can stem the tide of user mistakes, if you can build breach resistance into your workforce, your business partners, and your customers, you’ll lose less information and less often. You can start today with your staff and customers. In the next installment of this series, we’ll talk about ways to build breach resistance in your vendors and business partners.
As chief strategy and marketing officer, Doug Pollack, ID Experts, is responsible for the strategic direction and marketing of our innovative software and services. He has over 25 years of experience in the technology industry, having held senior management and marketing roles with Apple, Inc., 3Com Corporation as well as several venture-backed enterprise software startups. He holds a BS in Electrical Engineering from Cornell University and an MBA from the Stanford Graduate School of Business.