What’s the biggest risk to your digital security?
Your own staff may be a bigger threat to the integrity of your systems than any piece of malware or form of attack. And while people behave in unpredictable ways, there are simple measures you can take to mitigate the danger.

The increasing frequency and sophistication of targeted attacks on organisations, such as ransomware and co-ordinated distributed denial of service (DDoS) attacks, is worrying. In the first quarter of 2019 the number of DDoS attacks rose by 84% compared with Q4 2018, according to Kaspersky Lab's DDoS Q1 2019 report. But it is not just external threats that organisations have to worry about. The greatest risk to security is often an organisation's own personnel. This is not necessarily because they want to cause harm, although you do occasionally hear of problems caused by malicious members (or ex-members) of staff, and that is another threat that needs to be considered.

Hackers will always focus on the point of least resistance. They target organisations with ransomware or DDoS attacks because the stakes are higher for businesses that cannot afford the downtime or the damage to their reputation. But when it comes to data or identity theft, they are just as likely to focus on the weaknesses of individuals, who are usually the weakest link in any organisation's security. In fact, over half of all reported cyberattacks have involved attacks aimed at an organisation's personnel rather than its infrastructure.

Embedded vulnerabilities

Most of the problems are due to staff either taking short-cuts or being careless in some way. You will have heard the term 'shadow IT', which refers to employees circumventing company policy to make their job easier: using unauthorised cloud-based services, for example, or accessing company systems from their own devices. They may even have gone so far as to deploy applications or systems within their part of the business that IT has never checked or authorised.
This leaves systems and processes less secure than they should be, and it is exactly the kind of weakness that hackers seek out and try to exploit. It is a serious problem in many organisations now, because the 'shadow' system often becomes integrated into everyday processes without anyone noticing. The vulnerability is thus embedded in day-to-day activity.

Staff being less than stringent about setting passwords and following security policy can also cause serious problems. Hackers often use quite sophisticated social engineering to get staff to reveal their login details, for example. Once those details have been handed over willingly, however inadvertently, every control designed to protect them is defeated at a stroke. Inappropriate use of corporate-owned devices, such as visiting unauthorised websites, and careless handling of them, such as leaving a laptop unattended in a public place or connecting to an unprotected WiFi network, can also be issues. This is basic stuff really, and tightening up on enforcement should not be that difficult. But it is important to guard against complacency, among staff and IT alike. People soon slip back into bad habits.

Illegitimate access

If hackers can exploit vulnerabilities caused by shadow IT systems or careless behaviour, they may be able to get inside the network under cover of a legitimate user account and access sensitive data without being detected. It is also worth remembering that people will not necessarily admit that they have done something wrong, made a mistake or ignored security policy. Staff often try to cover their tracks for fear of getting into trouble or being disciplined. This can lead to bigger problems later, because the vulnerabilities caused by unauthorised or inappropriate use of IT will not have been properly addressed. Of course, the big problem is that all of us are only human. People are unpredictable.
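As an added worked example (not from the original article and not SCC's own tooling), the script below shows the kind of check an audit of access logs can run for the two patterns described above: sizeable uploads to cloud services that IT has never authorised, and a legitimate account being used from outside the corporate network or outside working hours, with the two correlated so that an off-pattern login followed by an unapproved upload stands out. The pipe-delimited log format and its field names, the approved-host list, the corporate address ranges, the working-hours window and the upload threshold are all assumptions made for illustration, and the log lines are constructed.

```python
"""Added example (written for this article, not SCC's own tooling): flag
shadow IT and off-pattern use of a legitimate account in access logs.

Everything below is an assumption made for illustration: the pipe-delimited
log format and field names, the approved-service list, the corporate address
ranges, the working-hours window and the upload threshold. SAMPLE_LOG is
constructed, not captured from a real system.
"""
import ipaddress
from datetime import datetime, timedelta

# Assumed: cloud services that IT has checked and authorised.
APPROVED_HOSTS = {"mail.example.com", "crm.example.com", "drive.vendor-a.example"}
# Assumed: address ranges of the corporate LAN and VPN.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.0.0/16")]
WORK_HOURS = range(7, 20)           # assumed: 07:00 to 19:59 UTC
UPLOAD_BYTES_THRESHOLD = 1_000_000  # assumed: ignore small form posts

# Constructed sample. Two record shapes:
#   time|auth|user|source_ip|result
#   time|proxy|user|host|method|bytes_sent
SAMPLE_LOG = """\
2019-05-06T08:55:12Z|auth|alice|10.20.0.14|success
2019-05-06T09:10:41Z|proxy|alice|crm.example.com|GET|512
2019-05-06T09:15:02Z|proxy|alice|drive.vendor-a.example|POST|2048
2019-05-06T09:30:00Z|proxy|bob|files.quickshare.example|POST|5242880
2019-05-06T09:31:17Z|proxy|bob|files.quickshare.example|GET|1024
2019-05-06T13:02:44Z|auth|bob|10.20.0.31|success
2019-05-06T22:47:10Z|auth|alice|203.0.113.9|success
2019-05-06T22:49:03Z|proxy|alice|paste.example.net|POST|3145728
"""


def parse_log(text):
    """Turn the pipe-delimited lines into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split("|")
        ts = datetime.strptime(f[0], "%Y-%m-%dT%H:%M:%SZ")
        if f[1] == "auth":
            events.append({"ts": ts, "kind": "auth", "user": f[2],
                           "ip": ipaddress.ip_address(f[3]), "result": f[4]})
        elif f[1] == "proxy":
            events.append({"ts": ts, "kind": "proxy", "user": f[2],
                           "host": f[3], "method": f[4], "bytes": int(f[5])})
    return events


def find_shadow_it(events):
    """Sizeable uploads (POST) to hosts IT has not approved: the
    'unauthorised cloud service' pattern. Largest upload first."""
    hits = [e for e in events
            if e["kind"] == "proxy" and e["method"] == "POST"
            and e["host"] not in APPROVED_HOSTS
            and e["bytes"] >= UPLOAD_BYTES_THRESHOLD]
    return sorted(hits, key=lambda e: e["bytes"], reverse=True)


def find_offpattern_logins(events):
    """Successful logins that do not look like the user at their desk:
    from outside the corporate ranges, or outside working hours."""
    findings = []
    for e in events:
        if e["kind"] != "auth" or e["result"] != "success":
            continue
        reasons = []
        if not any(e["ip"] in net for net in CORPORATE_NETS):
            reasons.append("external source")
        if e["ts"].hour not in WORK_HOURS:
            reasons.append("outside working hours")
        if reasons:
            findings.append({"ts": e["ts"], "user": e["user"],
                             "ip": str(e["ip"]), "reason": ", ".join(reasons)})
    return findings


def correlate(events, window=timedelta(minutes=30)):
    """An off-pattern login followed within `window` by an upload from the
    same account to an unapproved host: the legitimate-account-misused case."""
    linked = []
    for login in find_offpattern_logins(events):
        for up in find_shadow_it(events):
            if (up["user"] == login["user"]
                    and login["ts"] <= up["ts"] <= login["ts"] + window):
                linked.append({"user": login["user"], "ip": login["ip"],
                               "host": up["host"], "bytes": up["bytes"]})
    return linked


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("unapproved uploads:", [(h["user"], h["host"]) for h in find_shadow_it(ev)])
    print("off-pattern logins:", [(l["user"], l["reason"]) for l in find_offpattern_logins(ev)])
    print("login then unapproved upload:", [(c["user"], c["host"]) for c in correlate(ev)])
```

On the sample, bob's upload to files.quickshare.example is the classic shadow IT signal (an unapproved service in routine daytime use), while alice's account shows the other pattern: a login from an external address late at night, followed two minutes later by a 3 MB upload to an unapproved host. In practice the approved-host list and the per-user baseline would come from the asset register and from historical logs rather than from constants, but the shape of the check is the same.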
It is impossible to control every aspect of their behaviour all of the time. What you can do is minimise the risk by thoroughly auditing systems and ensuring that everyone is aware of the security policy and the importance of following it to the letter. You cannot control people, but you can give them the knowledge, tools and encouragement that will minimise the extent to which your organisation is exposed to hackers who know how to exploit the unpredictable behaviour and weaknesses of the individual.

To find out more about SCC's Security offerings, please click here.