Security Connected

Friday Security Highlights: Security Awareness Tips from Dr. Manzer’s Security Consulting

By on Dec 09, 2011

Let’s be honest – everyone thinks they’ve got a great web security solution these days. Why wouldn’t they? It’s scary out there.

I love this video for a couple of reasons. First, it’s worth more than a few good laughs (“Honestly, are you friends with anyone in Africa?”). And second, it’s a funny take on a serious security issue, one that many of you voiced strong opinions on during yesterday’s #SecChat – organizational security awareness.

At the end of the clip, the bold entrance of the McAfee logo conveys a core message: that businesses need a solid, professional security technology platform. Less obvious is the message woven into the beginning of the clip. Behind the humor and silliness at Dr. Manzer’s consulting firm is a legitimate threat that all companies need to be taking seriously: the threat of human error.

Earlier this year, the U.S. Department of Homeland Security ran a test to evaluate how easy it was for hackers to gain access to official computer systems through employees. The result is something that security professionals, through experience, have known for a while: humans are in fact the weakest link in cybersecurity.

DHS staff secretly planted CDs and USB drives in the parking lots of several government buildings and private contractors. Of the devices that were picked up, 60% were then plugged into work computers. Even more telling, if the device or CD case was branded with an official logo, 90% were installed.

What’s most unsettling about the results of this test isn’t necessarily the overall percentage of devices that were installed, but the difference between that 60% overall rate and the whopping 90% install rate attached to the officially branded devices. The simple addition of a brand name or logo lulled victims into a false sense of security – a natural response of trust that hackers are keen to exploit through increasingly sophisticated cyber attacks. This is especially relevant during the holiday season, when deadlines and holiday plans amp up stress, making employees more likely to click on links and fake advertisements that they would have otherwise passed by. It becomes all too easy for cybercriminals to make their way into a company network by sending out emails disguised as holiday coupons or giveaways.

Because they rely on psychological rather than technological limits, these attacks have been uniquely successful – especially because up until now, employees have been poorly trained on how to avoid them. During a contest earlier this year at Las Vegas’ Defcon security conference, hackers competed to persuade workers at large U.S. companies to reveal sensitive information. In one case, a contestant was able to persuade a worker to give him information on the configuration of her PC, simply by pretending to work for the company’s IT department.

Ultimately, what these experiments tell us is that information security within an enterprise must fully encompass both technological and human factors. This includes building a comprehensive security strategy with technologies that can help protect users from sophisticated assault, but it also requires a plan for regular, up-to-date security training that addresses the latest threats and criminal techniques that employees need to be aware of. Lack of awareness is one of the greatest threats to security networks, but it is a risk that can be mitigated.

Thanks for joining me for another week’s Highlights – and stay tuned for more on this topic in the Security Connected blog, where I’ll be posting a recap of our December #SecChat on cybersecurity awareness next week. For more advice on how to protect your enterprise from scams this holiday season, check out McAfee’s 12 Scams of Christmas, and be sure to follow our Twitter handle, @IntelSec_Biz for regular updates, tips and news from the world of enterprise security.
