The Biggest Threat to IT Security
The Top Threat to IT Security: Your Staff
It took two years for a criminal gang to gather up to $1 billion from banks all over the world, but they did it without ever having to set foot in a bank. The Carbanak gang performed all of their robberies over the internet – and are still doing so, thanks to staff opening emails.
It seems the more technologically advanced our civilisation gets, the more vulnerabilities flourish. That's certainly been the moral of the last year or so in IT circles. With major corporations and government agencies still reeling from massive hacks, it makes sense that most companies are looking to cybersecurity. And the more they look, the more they find one yawning chasm of vulnerability: their staff.
Staff members are an increasing threat to corporate cybersecurity, and it's not hard to see why. Individual staff members are tiny packages of unpredictability that no IT or security department can account for. That's why measures need to be taken.
Education is key
Educating staff is a key point in making sure they take security policies seriously. Imagine it from their point of view: you're working in a large corporation, and every month or two you get an email with seemingly arbitrary instructions relating to 'security'. It can seem like just another hoop the corporate infrastructure is hauling you through.
Compare that with getting a briefing on how security measures actually help keep information secure (including the staff's own personal information). Education about how staff choices affect company security can ensure that staff members take their actions seriously. Discussions about corporate hacks can make the issues more relatable and put security in a real-world setting.
'Password' is not a password
Well, it is if you want to give your information away. The greatest point of vulnerability when it comes to staff is passwords. Although a technologically literate person might think it reasonable to assume that everyone uses complex passwords, research has shown that some incredibly simple ones are still in use – including the word 'password'.
This is an area where idiot-proofing seems to be required. Security notices should give solid guidelines on what is and is not appropriate for a password, including the range and number of characters that should be used. Marc Brown from Spider Labs advises that passphrases might be an even better solution than passwords: 'Passwords, even those with complex combinations of letters, numbers and symbols, are no longer sufficient protection for your network. Passwords that were once considered almost unbreakable can now be cracked in a matter of hours or days. Passphrases are longer but need not contain numbers or symbols, which makes them easy to remember, eliminating the need for them to be written down or stored.'
Other security matters
The sophistication of corporate hacks should not be underestimated. Hackers hunting big corporations have been known to cyberstalk individual staff members on social media just for the opportunity to tailor phishing emails. Staff should be educated about keeping their own data secure online as a basis for keeping your company secure. Making it personal will help.
If you are looking for a simple way to start, try using a password security system such as LastPass.