Where the vulnerabilities are

It’s 3:40 on a Friday afternoon, and an urgent email hits a back-office employee’s inbox. As the employee scrambles to get ready for the market close and head off to a three-day weekend, it looks like the portfolio manager for a major client needs him to wire USD125,000 to a bank in Grand Cayman.
His colleagues are tied up with other matters, and, since he’s eager to be responsive to this important client’s request, he follows the wire instructions in the email to complete the transfer – with just a few minutes to spare.
Unfortunately, in his haste to complete the transaction request, the employee failed to notice the carefully crafted and well-disguised typo in the domain name of the email address. That message wasn’t from a portfolio manager. It was from a hacker in Eastern Europe cleverly concealing his identity. Just minutes later, after the theft was detected, the employee called the bank to reverse the wire – but the money was already two hops away, never to be seen again.
The reality is: the Hollywood stereotypes of cellar-dwelling, over-caffeinated nerds devising new ways to slip into corporate networks are fading away. Today, more often than not, the nightmare scenarios involve social engineering and sophisticated operations with dozens or hundreds of “employees” set up in office parks who prey on human weaknesses, not computer weaknesses. That’s because, even as perimeter security and monitoring grow more sophisticated, the greatest vulnerability, sadly, remains the people who use your IT systems to conduct transactions and access sensitive data.
This fictitious investment firm didn’t need more firewalls, more passwords, or more encryption. What it needed was an internal culture of security – an ongoing, organization-wide commitment to defining and adhering to careful, thoughtful policies that reduce or eliminate “people vulnerabilities” through assessments, awareness, and education.
To avoid becoming the victim of a phish like the one in the scenario above, it is important to:
- Check the sender email address as well as “to” and “cc” fields
- Slow down to ensure you are acting professionally
- Be wary of generic greetings
- Only click on links and attachments that you are expecting
- Check for improper spelling
- Watch out for overwhelming urgency requesting personal information
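The first item on the list, checking the sender address, is the one the scenario turns on: the attacker relied on a domain that looks right at a glance. The filter below is an added example, not code from the original post, showing how a mail gateway or a reviewer's script can apply that check mechanically. It flags three things: a display name that shows a trusted address while the real address points elsewhere, a sender domain that becomes a trusted domain once look-alike characters (rn for m, 1 for l, 0 for o) are normalized, and a sender domain within a small edit distance of a trusted one. The trusted domains, the homoglyph table, and every header in the sample list are constructed for the example.

```python
"""Lookalike sender-domain check.

Added example, not code from the original post: a small defender-side filter
that flags a From: address whose domain is a near miss of a domain the firm
trusts, the kind of disguised typo in the scenario. All domains and addresses
below are constructed samples.
"""
from email.utils import parseaddr

# Constructed: domains from which wire instructions are legitimately expected.
TRUSTED_DOMAINS = {"examplecapital.com", "example-advisors.com"}

# Characters or pairs that read alike on screen, mapped to one canonical form,
# so that "examp1ecapital.com" and "exarnplecapital.com" both normalize to
# "examplecapital.com". Longer keys are applied first.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "|": "l"}


def normalize(domain: str) -> str:
    """Lower-case the domain and collapse look-alike characters."""
    d = domain.strip().lower()
    for src, dst in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; domains are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Domain part of an addr-spec, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Classify a From: header as trusted, display-mismatch, lookalike, or unknown.

    display-mismatch: the display name shows a trusted address but the real
    address behind it is somewhere else.
    lookalike: the real domain is a homoglyph or small-edit variant of a
    trusted domain.
    """
    name, address = parseaddr(from_header)
    domain = domain_of(address)
    if not domain:
        return "unknown"

    # The display name is free text; a trusted-looking address in it proves nothing.
    shown = domain_of(name.strip('"'))
    if shown and shown in trusted and domain != shown:
        return "display-mismatch"

    # Exact match, or a subdomain of a trusted domain, is accepted.
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return "trusted"

    norm = normalize(domain)
    for t in trusted:
        if norm == normalize(t) or levenshtein(norm, normalize(t)) <= max_distance:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed headers, including typo-domain cases like the one in the scenario.
    samples = [
        'Jane Doe <jane@examplecapital.com>',
        'Jane Doe <jane@examplecapita1.com>',
        'Jane Doe <jane@exarnplecapital.com>',
        'Jane Doe <jane@examplecaptial.com>',
        '"jane@examplecapital.com" <jane@mail-relay.example.net>',
        'Vendor <bob@randomvendor.org>',
    ]
    for s in samples:
        print(f"{classify_sender(s):17} {s}")
```

The edit-distance threshold of 2 is a starting point, not a constant to trust blindly: it is tuned for domain names of the length shown here, and for very short trusted domains it will flag unrelated names, so a deployment would lower it or add an allow-list of known partners. A "lookalike" or "display-mismatch" verdict is a reason to pause and confirm the request out of band, which is exactly the "slow down" item on the list above.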
What is a Security-Oriented Culture?

Sometimes all of the firewalls in the world won’t stop the most damaging attacks. In many instances, employees are “holding the door open” to criminals or inadvertently “leaving the keys out.” At other times, disgruntled employees act with more malicious intent.
Unintentional employee threats include weak or shared passwords, unsecured equipment, improper disposal of hard-copy documentation, visitor access to networks, and feeling rushed. Intentional or malicious employee threats include disgruntled employees and those in search of monetary gain.
So how do we strengthen these people-centric security vulnerabilities? We must create a security-centric culture. And, above all else, that needs to start from the very top of the firm (people who, ironically, due to the volume and sensitivity of the information they access and the distractions their fast-paced lives encounter, can sometimes represent the greatest source of vulnerabilities to information security). It’s essential that they visibly and fully commit their unwavering support to your efforts to improve security.
Now that you understand the importance of security culture and what it means to have a culture of security, stay tuned for Part Two on this topic (coming tomorrow), in which we’ll discuss and break down four steps to creating an Internal Culture of Security.