
Human Error: Why Your IT Security Policy Can't Ignore the Human Element

08/09/2016  |  By: Jason Riddle, CISSP, President, Information Security


A single (unsuspecting) person can bring down your entire network. Just by trying to be nice.

Consider this: You get this urgent email from a friend. He’s traveling overseas and he’s lost his wallet. You’re surprised when you hear this; he doesn’t usually do things like that. Plus, he never even told you he was going on vacation. But he needs money quick, so you wire him a couple hundred bucks.

Spammers, phishers and pharmers—by these or any other name—are highly skilled criminals who are able to persuade people to send money, reveal confidential information and otherwise facilitate access to data that the hacker can’t wait to get his grimy hands on.

Without a commitment to a standard IT Security Policy and a company-wide education program, you are vulnerable to social engineering.

Using Social Engineering to Hack Systems—an art form.

Social engineering is the practice of manipulating a person’s trusting nature to help commit a cyber crime. What are some of the creative ways these nefarious folks use their wily ways to steal from us?

  • They persuade us to click through a seemingly benign email, allowing rootkits and Trojan horses to gain a foothold in the corporate network.
  • They send us emails from financial institutions—they look so official!—telling us there’s a problem with our account. The next time we log in, they’ve got our user name and password.
  • They make a bumbling call to the IT helpdesk. “I can’t BELIEVE I’ve lost my password again. What a ditz I am! Can you help me out with this?”

And their techniques are not limited to the network:

  • The kid at the register in the grocery store swipes your credit card twice, then orders an XBOX from Amazon later that evening. (Upon later reflection, you did recall that he wouldn’t look you in the eye.)
  • And here’s another version of ‘credit card skimming.’ A mini card reader is attached to the ATM or gas pump you’re using, reads your card and sends information to someone who will enjoy a nice vacation—on you.
  • And don’t forget about the obvious. Data thieves lurk everywhere, peering over the shoulders of unsuspecting victims to make a mental note of user information.

Penetration Testing—a must for any IT Security Policy.

Every company should have an IT Security Policy in place, and every employee should be made aware of it. Surprisingly, many employees have to be told not to respond to emails asking for sensitive information, not to click on a hyperlink when its domain name doesn’t match the company you expect it to belong to, and not to discuss confidential information with anyone except authorized personnel.
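The “does the link’s domain match the company you expect?” rule is easy to state and easy to get wrong, because the tricks that defeat a casual glance are specific: a lookalike host that merely ends with the expected name, a user-info prefix before the real host, a bare IP address, or link text that shows one address while the target is another. The following check is an added example written for this post (not code from the original article or from LBMC); the sample links, the `bank.example` domain and the function names are constructed for illustration. It shows how a mail-filtering or awareness tool would apply the rule strictly, accepting only the expected domain or a true subdomain of it.

```python
"""Flag hyperlinks whose target host does not belong to the domain the reader expects.

Added example for this post; all domains and links below are constructed, not real.
"""
import ipaddress
from typing import List, Optional
from urllib.parse import urlparse


def hostname_of(url: str) -> Optional[str]:
    """Return the lower-cased hostname of a URL, or None if it has none.

    urlparse() already discards any 'user@' prefix, so the trick
    'https://bank.example@evil.net/' yields the real host, evil.net.
    """
    try:
        host = urlparse(url.strip()).hostname
    except ValueError:          # e.g. a malformed IPv6 literal
        return None
    return host.lower().rstrip(".") if host else None


def belongs_to(host: str, expected_domain: str) -> bool:
    """True only for the expected domain itself or a true subdomain of it.

    A plain endswith() test would accept 'bank.example.evil.net'; the
    leading dot makes the label boundary explicit.
    """
    expected = expected_domain.lower().strip(".")
    return host == expected or host.endswith("." + expected)


def is_ip_literal(host: str) -> bool:
    """Links to a bare IP address are never what a legitimate company sends."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def assess_link(display_text: str, href: str, expected_domain: str) -> List[str]:
    """Return a list of findings for one hyperlink; an empty list means it passed."""
    findings: List[str] = []
    host = hostname_of(href)
    if host is None:
        return ["link target has no parseable hostname"]
    if is_ip_literal(host):
        findings.append("link target is a bare IP address")
    elif not belongs_to(host, expected_domain):
        findings.append(
            f"link host {host!r} is not {expected_domain!r} or a subdomain of it"
        )
    # If the visible text is itself a URL, it must point where the href points.
    shown = hostname_of(display_text)
    if shown is not None and shown != host:
        findings.append(f"link text shows {shown!r} but target is {host!r}")
    return findings


# Constructed sample links, as they might appear in a suspicious "account problem" email.
SAMPLE_LINKS = [
    ("Reset your password", "https://login.bank.example/reset"),      # legitimate
    ("Reset your password", "https://bank.example.evil.net/reset"),   # lookalike suffix
    ("Reset your password", "https://bank.example@evil.net/reset"),   # user-info trick
    ("https://bank.example", "https://evil.net/reset"),               # text/target mismatch
    ("Verify now", "http://203.0.113.5/login"),                       # bare IP address
]


def run_samples(expected_domain: str = "bank.example") -> List[List[str]]:
    """Assess every sample link and return the findings for each, in order."""
    return [assess_link(text, href, expected_domain) for text, href in SAMPLE_LINKS]


if __name__ == "__main__":
    for (text, href), findings in zip(SAMPLE_LINKS, run_samples()):
        verdict = "OK" if not findings else "; ".join(findings)
        print(f"{text!r} -> {href}: {verdict}")
```

Only the first sample passes. The point for an awareness program is that each of the other four looks acceptable to someone who reads only the visible text or only the tail of the address; the check above encodes exactly the scrutiny the policy asks employees to apply.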

As part of your IT Security Policy, consider adopting the best practice of penetration testing. Penetration testing is a simulated way to find out if a network is at risk for intrusion—either via the network itself or the people who use it. Think of it as hiring a mystery shopper, if you will.

This is best performed by a cyber security firm, whose professionals attempt to break into the network in ways that no one in the company has thought of before. They might try soliciting confidential information via email, by telephone and even by trying to enter the data center by sticking a ruler under the door to trip the motion sensor that releases the lock. (We’ve seen everything!)

The information these professionals are able to obtain may surprise you. A well-intended member of your staff can innocently create disastrous outcomes. Everyone needs to be reminded that loose lips sink ships. And companies.

Check out our free guide, Breach: Network Security Best Practices for Prevention, Detection, and Response, for more information on ensuring the safest network security for your firm.

On LinkedIn or Twitter? Follow us on LinkedIn and on Twitter @lbmcsecurity. Learn more about how our team at LBMC Information Security can help your team armor up with a wide range of network defense services. Contact us today!