While managing networks at a U.S. Air Force base in the late 1990s, Benjamin Craig found that people, even military personnel, had little understanding of computer security. «So we had to constantly educate our colleagues about the threats of so-called 'social engineering,'» Craig recalls. «Social engineering refers to the methods hackers use to trick users into revealing passwords, thereby gaining unauthorized access to computer systems.»
After leaving the military, Craig became vice president of River City Bank in Sacramento, California, in 2001 and soon organized social engineering training for employees. It had immediate positive results. «We suddenly discovered that many of the employees from the service departments, who wandered freely around the bank, were often in places where they should not have been,» Craig recalls. This does not mean that all of them did so maliciously, but their uncontrolled movement created favorable opportunities for potential attackers, which is why the bank increased its vigilance and installed a video surveillance system. In addition, River City Bank developed rules for how employees should behave when they encounter a threat or a potential problem.
River City Bank is the exception rather than the rule. For two decades, warnings have been circulating about the vulnerability of electronic data to a variety of threats, yet a Cisco survey of 2,000 employees and IT professionals in Australia, Brazil, China, France, Germany, India, Italy, Japan, the United Kingdom and the United States found that companies have done little to raise their employees' awareness of information security. Corporate data remains at risk, and the biggest threat comes not from hackers but from carelessness and user error. The global study, commissioned by Cisco and conducted by the analytics firm InsightExpress, suggests that employee education should be the top priority in combating data breaches.
Neglecting such work is especially dangerous today, when the law and the market severely punish companies for data loss. Moreover, data is most often lost not as a result of hacker attacks but through improper handling of information, errors, negligence, technical problems and other causes that are not malicious. Companies suffer increasing damage from the loss (or so-called «leakage») of data, which is increasingly transmitted over networks and communication channels. «The network has become a real platform for modern business,» says Christopher Burgess, senior adviser for information security at Cisco and co-author of the book Secrets Stolen, Fortunes Lost. «The volume of data in networks has reached an unprecedented level and will only grow in the future.»
Surprising but true: the greatest security threat comes not from exotic viruses and sophisticated hacker attacks aimed at breaking into your servers, networks and storage systems, but from the carelessness of users who voluntarily share information with strangers and transmit corporate information over unprotected personal devices, such as cell phones and PDAs.
«Companies are right to worry about some new features, such as corporate blogs, where uncontrolled information sharing can lead to big trouble,» said Phil Hochmuth, a senior analyst at the Yankee Group in Boston, US. He said that some of the new threats are caused not by malicious intent but by carelessness and inattention on the part of users.
While security technologies still play an important role in preventing data loss, the study highlighted the urgent need for behavioral change. “Companies of all sizes and professionals of all types must understand how user behavior impacts data loss and what it means for the company and each employee,” said John Stewart, Chief Information Security Officer at Cisco.
The global study commissioned by Cisco and conducted by InsightExpress identified the top ten behavioral factors that lead to data loss:
1. Arbitrary changes to security settings on computers.
2. Use of unauthorized applications.
3. Access to unauthorized networks and devices.
4. Disclosing confidential corporate information.
5. Sharing corporate devices.
6. Blurring the lines between corporate and personal devices and communications.
7. Leaving corporate computers on and unlocked while unattended.
8. Storing usernames and passwords in plain sight in unprotected locations.
9. Losing portable devices containing important data.
10. Uncontrolled movement of unauthorized persons around the company premises.
Training employees to behave in a way that prevents data loss is not difficult. It does not require teaching complex disciplines or drastically changing existing practices; it is enough to introduce generally accepted rules of «personal IT hygiene» (the equivalent of brushing your teeth or washing your hands before eating). These rules should become an integral part of corporate policy, communicated to every new employee and steadily reinforced throughout the company through periodic training and communications. «The source of many problems is that company management for some reason believes that employees know how to use information technology on their own,» says Phil Hochmuth. In theory, people really should understand that confidential information should not be divulged to everyone they meet, that a computer should not be left on and unattended, and that sticking a note with a password on the monitor is simply foolish. But, as the study showed, employees of companies across a wide range of countries and regions either do not know these rules or, more likely, do not consider them mandatory.
Cisco trained its own employees in correct behavior, focusing not on administrative prohibitions but on positive recommendations. «We show short video clips illustrating information threats and suggesting the correct responses,» says Christopher Burgess. Employees should be aware of the existing threats and understand that each of them is a potential target for attackers, the Cisco senior adviser for information security adds.
Security threats will never go away, but they should not prevent companies from successfully developing their business. As Christopher Burgess noted, «fear of threats should not stop your business. If employees are aware of possible threats, and processes and technologies are under reliable control, you can calmly focus on developing your business.»