How do you secure your data? The standard response is that there’s a firewall and antivirus system for that – even some IT security specialists think this is adequate.
Cyber threats from the likes of trojans, worms, viruses, DoS (denial of service) attacks and hackers are real; but they are by no means the only security threats facing companies, which is why it’s really important that businesses think outside the box.
Let’s get physical
Instead, think physical: that is, physical devices used to steal data or, more often, kit left on trains or stolen from employees’ homes.
Many companies spend tens of thousands on hi-tech security such as retina scanners, biometrics, firewalls, antivirus scanners, perimeter fences and multi-factor authentication, but fail where it matters most ... human error and physical assets.
Paradoxically, advanced security software can often lead to a lax attitude towards security among staff: they forget that security is only as strong as its weakest link. Hi-tech security can only go so far, and the problem is that it’s difficult to put a cost on the human factor. Data Defender’s research found that 64% of UK workers received no training on IT security issues, including prevention of malware and loss of sensitive data.
Perhaps more worrying is new research that shows that one third of all SME closures are due to human error. Intrusions and data leaks often have a built-in human element, such as when someone sends credit card details by email and these end up being intercepted, or when someone opens a dodgy email which installs a trojan horse on the network, which in turn opens an illicit tunnel into it.
A firewall offers some protection from remote hackers trying to lift data from inside a network, but what about data which is moving around electronically or physically on USB pen drives, USB hard drives and optical media such as CDs and DVDs? Data on the move is vulnerable and it’s hard to stop and monitor unless there’s a system in place.
Many UK companies either have no device control around removable media or have a policy stating no USB devices should leave the building. The problem with such a policy is that ‘rules are meant to be broken’. Such devices raise three problems: data loss, data exposure and malware spreading; of these, data exposure is the greatest threat.
Nobody would leave highly confidential client financial documents lying around the office, at home or in a train carriage. A USB pen drive is just the same.
You have USBs?
An open USB policy is a bad idea since thousands of USB drives are misplaced yearly. There are three options: introducing a blanket ban or port-blocking software; supplying all staff with a secure USB drive; investing in automated software to encrypt and audit data written to USB devices. For larger companies the third option is the best as it locks down data written to USB devices and other media.
Laptops are another common source of data leakage, and recently parts of the public sector have been fined for losing laptops. The Windows log-in prompt does not offer sufficient protection against a skilled IT professional and can be broken into in minutes. The Information Commissioner’s Office (ICO) now recommends that all laptops and removable media have full disc encryption installed.
Finally, one of the most dangerous attacks is from social engineering. People are expected to be friendly and helpful and these are traits that can easily be exploited. Social engineering (social as in social skills and engineering as in to engineer an attack) comes in three forms: by phone, in person or by email.
Do staff always identify people on the phone or in person? Probably not. Nine times out of ten a FedEx uniform, some paperwork and a parcel gains access to an office. Few would question such a ‘normal’ individual going about his business.
Someone posing as a manager on the phone and making all the right noises – a sense of urgency or pulling rank – can easily con staff into handing over a vital document or password. Training is the only solution to combat social engineering attacks.