This whitepaper highlights the often overlooked weak link in cyber security: your staff. You will learn about the issues, the statistics and the solutions. Let’s start with a real security nightmare from one of our clients.
The Big Cheese's Mouldy Passwords
Sometimes breaches are intentional, but most of the time they are mistakes or a simple lack of knowledge.
Our client, “ABC Inc.” is a very profitable 50 person financial services firm. They were founded 20 years ago and have an enviable reputation. We’ve been serving them for years.
It all started this past Labour Day. It was 11:15pm when our Account Manager received an understandably frantic email from ABC Inc.’s CIO. The CIO, “Phil”, had been alerted that critical business data was missing from their file servers. The missing files were highly sensitive; in fact only ABC’s CEO and Phil had access to them. They included client data, financial results and more. It was also discovered that almost 70,000 of the CEO’s emails were missing (a decade’s worth of his inbox and sent items). A nightmare scenario.
Our Account Manager and Sr. Systems Engineer took immediate action. We took the file servers offline, isolated their IP addresses from the rest of the network and replicated the servers so the originals were preserved for investigation. Because the infrastructure was well configured, we were able to recover all the data as of the previous day’s backup. By 9:30am Tuesday, all the lost data was restored and the servers were fully functioning with almost no staff downtime. We were also able to restore the CEO’s Exchange folders and individual messages within a few hours.
But the very large elephant in the room was “how did this happen?” With the servers still isolated, we stood up a Splunk server and examined the hundreds of thousands of security log entries. Our investigation was soon complete and the security logs were conclusive.
The data had been accessed and then deleted from the CEO’s home computer. That raised many more questions, because the CEO wasn’t home at the time. At this point we didn’t know whether this was malware or an intruder.
We dug further into the records and discovered that the “weak link” was the CEO himself. He used the same password for many things, including access to these files. He had also had the password-expiry requirement disabled for his account; in fact, he had not changed the password in over 10 years. During those 10 years, a lot of people were given that password for troubleshooting and other reasons. Of the many people who came and went over the years, at least one appears to have left disgruntled. It was as simple as that: an aging password that was overused, widely shared and never changed. If not for the infrastructure we had in place, this would have been a disaster.
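How an investigation like this pins a run of deletions to one account and one source host, as an added illustration that is not Quartet’s tooling and not the actual logs from this incident. The event records are constructed, in a simplified key=value layout; the field names follow Windows Security events 4624 (logon, which carries the source address and workstation) and 4660 (object deleted). Real 4660 records carry a handle ID rather than the object name, so a production query joins 4660 to the 4663/4656 access event with the same handle, and in Splunk the same join is a `stats` or `transaction` by logon ID. Everything else here (account names, address, paths, timestamps) is made up for the example.

```python
"""Attribute file deletions to the logon session that performed them.

Added example. Event lines are constructed and simplified; the joins are
the ones an investigator performs on Windows Security logs: 4624 gives
(user, source address, workstation) per logon ID, 4660 gives deletions
per logon ID.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a remote logon followed by a burst of deletions under
# that session, one routine deletion by IT, and one delete whose logon event
# is not in the export (an edge case the join must not lose).
SAMPLE_EVENTS = [
    "time=2020-09-07T22:41:07 id=4624 user=ceo logon_id=0x3e7a1 src_ip=203.0.113.45 workstation=HOME-PC",
    "time=2020-09-07T22:41:52 id=4624 user=phil logon_id=0x3f001 src_ip=10.0.0.21 workstation=IT-WS01",
    "time=2020-09-07T22:43:10 id=4660 user=ceo logon_id=0x3e7a1 object=FS01/Finance/Q3_results.xlsx",
    "time=2020-09-07T22:43:11 id=4660 user=ceo logon_id=0x3e7a1 object=FS01/Finance/clients.db",
    "time=2020-09-07T22:43:12 id=4660 user=ceo logon_id=0x3e7a1 object=FS01/Finance/board_pack.pdf",
    "time=2020-09-07T22:50:00 id=4660 user=phil logon_id=0x3f001 object=FS01/IT/old_backup.log",
    "time=2020-09-07T23:05:00 id=4660 user=svc_backup logon_id=0x00001 object=FS01/IT/tmp.dat",
]


def parse_event(line):
    """Turn 'key=value key=value ...' into a dict; 'time' becomes a datetime."""
    ev = dict(field.split("=", 1) for field in line.split())
    ev["time"] = datetime.fromisoformat(ev["time"])
    return ev


def attribute_deletions(lines):
    """Join each 4660 delete to the 4624 logon that opened its session.

    Returns {(user, src_ip, workstation): [(time, object), ...]}.
    A delete whose logon_id has no 4624 in the export is attributed to
    (user, '?', '?') rather than dropped, so the gap is visible.
    """
    sessions = {}
    deletions = defaultdict(list)
    for ev in map(parse_event, lines):
        if ev["id"] == "4624":
            sessions[ev["logon_id"]] = (ev["user"], ev["src_ip"], ev["workstation"])
        elif ev["id"] == "4660":
            who = sessions.get(ev["logon_id"], (ev["user"], "?", "?"))
            deletions[who].append((ev["time"], ev["object"]))
    return dict(deletions)


def find_mass_deletions(lines, threshold=3, window=timedelta(minutes=5)):
    """Flag sessions that deleted at least `threshold` objects inside `window`.

    Returns [((user, src_ip, workstation), count, first_time, last_time), ...].
    """
    flagged = []
    for who, events in attribute_deletions(lines).items():
        times = sorted(t for t, _ in events)
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                flagged.append((who, j - i + 1, times[i], times[j]))
                break
    return flagged


if __name__ == "__main__":
    for who, count, first, last in find_mass_deletions(SAMPLE_EVENTS):
        print(f"{who[0]} from {who[1]} ({who[2]}): {count} deletions between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

The point of the join is that the 4660 record alone names only the account; it is the 4624 logon with the same logon ID that supplies the source address, which is what separated “the CEO’s account” from “the CEO” in the story above.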
This raises the question: what do you do when you are the problem? Most of us have similar inadvertent holes, and the challenge is how to find them and manage them. Where are yours?
Why are "We" the Weakest Link?
No matter what your size, information is likely your company's most important asset. Anyone with access to any part of the system, physically or electronically, is a potential security risk. The main ways employees cause security breaches are:
- Generation X and Y grew up in the Internet age – where an infinite volume of information is as close as the nearest Wi-Fi hotspot. There is an expectation that digital information is readily available and free. This culture of carelessness is a real security threat. These generations’ digital habits risk devaluing information as a proprietary resource. Problems arise when employees treat data casually: sharing it widely, posting it on social media, and taking valuable information with them when they leave.
- Same Staff- More Devices- IT staff are each supporting about the same number of employees but the number of devices has tripled or more. This is a result of the smartphone and tablet explosion and the BYOD (bring your own device) phenomenon. The complexity of handling these “additional” devices has opened security holes that are often exploited.
- BYOD- When you have a BYOD policy, there is the obvious risk of an employee leaving with your data on their device. What many organizations don’t factor in is that mobile apps installed for personal use may unwittingly give third parties access to corporate information stored on the same device. Apps may also be infected with malware that attackers can direct to steal information from the device without alerting the user. And when employees connect to open Wi-Fi networks, the corporate data on their devices may also be exposed in transit.
- Lost and Stolen Devices- In their “Billion Dollar Lost Laptop Study,” independent research firm Ponemon Institute concluded that the average cost of a stolen laptop came to over $49,000—and topped $56,000 if the device lacked adequate security measures (which the majority in the study did). The cost of replacing the hardware and software is just the start. The real costs are the recovery costs and legal fees. The study showed how these devices were lost:
- 43% were lost off-site (hotel rooms, off-site business functions, etc.)
- 33% were lost in transit or travel
- 12% were lost in the workplace
- 12% were completely unaccounted for
- Weak Passwords- Too many of us use very weak passwords, and these passwords are frequently attacked. That’s not the only issue. We’ve all used the “I forgot my password” button, where you’re either sent an email or prompted to answer a few personal questions. Unfortunately, the password reset function is often weaker than the password itself, which makes it an attractive target: an attacker who can guess the reset code, or the answers to the questions, never needs the password at all. Social networking sites have made it easy for the bad guys to find the answers to common “personal security questions” such as your mother’s maiden name, the location of your honeymoon, your pet’s name, etc.
- Phishing- Is one of the most common security scams: an email crafted to get the recipient to open a malicious attachment, follow a link to a fake login page, or simply hand over credentials. Attackers send infected files as attachments under a catchy subject line in the hope that recipients will open them, and employ a number of lures to entice unsuspecting users, from pornography to phony security warnings and advice. Phishing schemes customized for individual targets (spear phishing) are the latest trend.
- Size Doesn’t Matter- Many SMBs think they are immune because they are small. “Why would anyone go after us?” They are wrong. SMBs constituted 31% of targeted attacks in 2012, according to the National Cyber Security Alliance. SMBs may have smaller pockets, but those pockets are much easier to get into. The bad guys always look for the “easy score” and avoid the hard ones. Remember the old story of outrunning the bear: you don’t need to be faster than the bear, you need to be faster than the guy next to you.
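The difference between a reset function that is weaker than the password and one that is not, as an added example that is not part of the original whitepaper and not any particular product’s code. `WeakResetStore` is the pattern the Weak Passwords point warns about; `HardenedResetStore` is one way to close it. The class names, the 15-minute lifetime and the five-attempt limit are choices made for the example.

```python
"""A weak password-reset flow beside a hardened one (added example).

Weak:     6-digit code, kept and compared in the clear, never expires,
          reusable, no attempt limit, so it can simply be exhausted.
Hardened: 256-bit random token, only its hash kept, time-limited,
          single-use, bound to one account, constant-time compare,
          limited attempts.
"""
import hashlib
import hmac
import random
import secrets
import time

TOKEN_TTL = 15 * 60   # seconds a reset link stays valid (example value)


class WeakResetStore:
    """The reset function that is weaker than the password it resets."""

    def __init__(self):
        self._codes = {}   # username -> code, in the clear

    def issue(self, username):
        code = f"{random.randrange(10 ** 6):06d}"
        self._codes[username] = code
        return code

    def redeem(self, username, code):
        return self._codes.get(username) == code   # no expiry, no limit, reusable


def brute_force_weak(store, username):
    """Walk the whole 6-digit space; returns how many guesses it took."""
    for guess in range(10 ** 6):
        if store.redeem(username, f"{guess:06d}"):
            return guess + 1
    return None


class HardenedResetStore:
    """A reset token that is at least as hard to attack as the password."""

    MAX_ATTEMPTS = 5   # example value

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # username -> [token_hash, expires_at, attempts_left]

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).digest()

    def issue(self, username):
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._pending[username] = [self._digest(token),
                                   self._clock() + TOKEN_TTL,
                                   self.MAX_ATTEMPTS]
        return token   # deliver only to the account's verified contact; never log it

    def redeem(self, username, token):
        entry = self._pending.get(username)
        if entry is None:                      # no reset pending, or wrong account
            return False
        token_hash, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[username]        # expired or exhausted: start over
            return False
        if not hmac.compare_digest(token_hash, self._digest(token)):
            entry[2] -= 1                      # burn an attempt, keep the token
            return False
        del self._pending[username]            # single use: a replayed link fails
        return True


if __name__ == "__main__":
    weak = WeakResetStore()
    weak.issue("ceo")
    print("weak code recovered after", brute_force_weak(weak, "ceo"), "guesses")
    strong = HardenedResetStore()
    tok = strong.issue("ceo")
    print("first use:", strong.redeem("ceo", tok), " second use:", strong.redeem("ceo", tok))
```

Security questions have no equivalent fix in code: an answer that can be looked up on a social network is a second password that the user did not choose and cannot change, so the hardened flow above sends the token to a verified channel instead of asking for one.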
Phishing for Dollars $$
Our client uses a form of two-factor authentication with RSA tokens. Access to data is based on two factors: something you know (a password) and something you have (an authenticator or token such as a USB token, smart card or key fob). When a user attempts to access a protected resource, they are prompted for a one-time passcode. The passcode is a combination of the user’s password and the code displayed on the authenticator token at the time of login. Without both, access is denied.
This hacking attempt was sophisticated and well planned. The attackers first used an email phishing scam to convince an unwitting employee to give up their password, which got them one half of the authentication. They then called the client pretending to be from tech support. Their story was that some of the tokens were malfunctioning, and the employee was asked to read out the number on the token to verify whether it was defective. Luckily for our client, this employee knew not to give up that information; the scam was stopped and all passwords were changed. Had the employee given in, the attackers would have had both halves and the ability to transfer money from the firm’s bank accounts. A disaster they might not have recovered from.
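What the token half of that passcode buys, and exactly how much a code read out over the phone gives away, as an added example that is not the client’s system or RSA’s code. RSA SecurID tokens use RSA’s own algorithm; this example stands in the open TOTP algorithm (RFC 6238, HMAC-SHA1, 30-second steps, six digits) and follows the page’s description of the passcode as password followed by tokencode. The password, the token seed (the RFC’s own test seed) and the one-step tolerance are choices made for the example.

```python
"""Two-factor passcode = password + tokencode, verified server side (added example).

Shows three things from the story: the phished password alone fails; a
tokencode read out over the phone is good for roughly one time step, so
both halves together do succeed inside that window; and a tokencode
cannot be replayed once it has been accepted.
"""
import hashlib
import hmac
import os
import struct
import time

STEP = 30     # seconds each tokencode is displayed (RFC 6238 default)
DIGITS = 6


def tokencode_for_counter(secret: bytes, counter: int) -> str:
    """HOTP (RFC 4226) value for one counter: HMAC-SHA1, dynamic truncation, 6 digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def totp(secret: bytes, at: float) -> str:
    """TOTP (RFC 6238): the code the token would display at Unix time `at`."""
    return tokencode_for_counter(secret, int(at) // STEP)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class TwoFactorVerifier:
    """Server-side check of password + tokencode for one user."""

    def __init__(self, password: str, token_secret: bytes, clock=time.time):
        self._salt = os.urandom(16)
        self._pw_hash = hash_password(password, self._salt)
        self._secret = token_secret          # the seed shared with the user's token
        self._clock = clock
        self._last_counter = -1              # highest time step already accepted

    def verify(self, passcode: str) -> bool:
        if len(passcode) <= DIGITS:
            return False
        password, tokencode = passcode[:-DIGITS], passcode[-DIGITS:]
        # Evaluate both factors before deciding, so a failure reveals nothing
        # about which half was wrong.
        pw_ok = hmac.compare_digest(hash_password(password, self._salt), self._pw_hash)
        base = int(self._clock()) // STEP
        matched = None
        for counter in (base - 1, base, base + 1):   # tolerate one step of clock drift
            if hmac.compare_digest(tokencode_for_counter(self._secret, counter), tokencode):
                matched = counter
        if not pw_ok or matched is None or matched <= self._last_counter:
            return False                     # wrong, expired, or already used
        self._last_counter = matched
        return True


if __name__ == "__main__":
    seed = b"12345678901234567890"          # RFC 6238 test seed, constructed for the demo
    v = TwoFactorVerifier("example-password", seed)
    print("password only:", v.verify("example-password"))
    print("password + current tokencode:", v.verify("example-password" + totp(seed, time.time())))
    print("same passcode again:", v.verify("example-password" + totp(seed, time.time())))
```

The window the attacker was phishing for is the ±1 step tolerance: a code read out at second 0 is accepted until the end of the following step, which is why the second half of the scam was a phone call asking for the number right now rather than an email. Replay tracking closes the window the moment the legitimate user logs in with it.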
How well trained are your employees in not giving up their passwords, or the codes on their tokens? Does your firm need, or already use, two-factor authentication?
How to Defend your Organization from Itself
Modern security programs don’t come out of the box. They are an ongoing combination of technical protection and management of people. It’s the management component that is most often the weak link. To avoid becoming an easy target, ensure your organization is doing the following:
- Standard Technical Protection- Firewalls, antivirus, active threat monitoring etc. Most companies have these. The biggest flaw we see is that they are not kept up to date. The base level of protection here is not just technical; it is also the managerial process of the upkeep.
- Educate, then Educate again, then again- It’s critical to get your employees to understand the risks involved and then follow simple procedures. Repetition is key, as old habits die hard. Training needs to be memorable and impactful. This is not a do-it-once-and-you’re-done project: best practices will change, people will forget and new staff will come in.
- Standardize Processes to Minimize the Human Factor- Companywide, standardized policies and advancements in technology will help. Don’t get stuck in old ways of doing things. Look for ways/technology that will automate processes such as updates, storage and monitoring.
- Be Humble, it will happen- People are people; mistakes will happen. Ensure you have a plan in place for when they do. Are your devices encrypted? Can they be wiped remotely? How regular are your backups, and have you restored from them? Prepare for the worst and hope for the best. Also ensure you test these measures: we have seen many strategically brilliant disaster recovery plans fail when they were needed.
One Last Security Tale of Terror
It’s not always just your employees who are the weak links. It’s also your vendors, contractors, consultants and more. This last story is a short one. It involves a firm in the foreign exchange business with a large list of clients and a significant amount of sensitive financial data held on their behalf.
This firm was working with a number of vendors (with full NDA’s and other standard contracts in place) on various projects. One of these was a consultant who, for all the right reasons, had a large amount of sensitive client data on his laptop. While travelling for business he rented a car. The car was broken into. The laptop was gone.
The theft itself was unavoidable. What was avoidable was the lack of a procedure to remotely wipe the laptop’s hard drive as soon as it was next turned on; and since a remote wipe only works if the device comes back online, full-disk encryption would have kept the data unreadable whether or not it ever did. Without either in place, the firm had to go into immediate action: informing clients, working on PR and getting legal involved. When the dust settled, the total cost of the incident was over $2 million. Luckily this firm was able to move on despite the financial loss. Smaller firms would not have been as fortunate.
How much sensitive data do your vendors and contractors possess? How good is their security? What would you do if a laptop with sensitive information was lost or stolen?
Get Started! It’s the 80/20 rule. You will get 80% of the benefit from 20% of the work. The sooner you start the sooner you’re protected.
Firewalls, antivirus, cyber-security policies, active threat scanning and network monitoring: these are just some of the tools Quartet uses with our clients to help protect their data. However, in our experience organizations can perfect all of this and in the end the weakest link is still the human element.
This is because just about every technical countermeasure that brilliant engineers devise to protect systems and data can be accidentally or intentionally circumvented by the end users. The human being remains the weakest link in almost every information security chain.
There is no 100% guaranteed solution to this. However, technology is advancing to slowly make security “human being proof”. Through innovations such as two factor authentication and Quartet’s own service Pure Desk™, we can start taking the human element out of the security chain.
Stakeholders within organizations need to start asking themselves serious questions beyond the quality of firewalls and antivirus. Are your staff aware of how important your information and data are to the organization? Can they recognize a hacking attempt? Are they using strong, unique passwords? What scale of protection do you need? Your exposure will be vastly different if you are a manufacturer vs. a hedge fund.
These questions are just the start. There is always much more to explore and delve into. Quartet can help. If you have any questions or need further information we’re always an email or phone call away.