What is lurking inside your company’s systems that is making them vulnerable to attack? Hacking, phishing and other types of attacks are often considered to be externally driven, with gangs of anonymous hackers operating from halfway around the world using Internet connections to break in and wreak havoc. But surprisingly, a significant proportion of network security events happen on the inside. Depending on the particular organization or industry, this percentage can range from 35% to 90%. In addition, a significant portion of the vulnerability of any system starts passively—in other words, with features and items that are not active viruses or cracking tools, but whose mere presence eats away at the defenses.
Consider busy employees. They have lots to do, and constant distractions pull their attention away from practicing proper computer hygiene. In their haste to get to a meeting or catch a flight, laptops are lost, phones get misplaced and USB drives are borrowed. As convenient as these devices are, much of the data and documentation stored on them is unencrypted. Few people ever choose to assign a password to a Microsoft Word file; it takes too much time. The same goes for other types of passwords, too. It is time-consuming and annoying to change them every two weeks, especially if they are difficult to remember. A proper password should be a string of 16 or more essentially unintelligible characters, but most of us just don’t like to do that.
Then there are those who are simply not around anymore. People leave, some get fired and others simply get promoted or move elsewhere. This results in many dormant user accounts lurking in the depths of the system. Still more accounts may never have been activated. They sit there, with their default passwords invisible due to inactivity, a fertile place for sophisticated thieves to set up shop and establish a back door.
Some employees access files, directories or other areas by accident, assigning documents to the wrong drives, clicking on the wrong link or simply not knowing what they are doing. Such mistakes are not the fault of the individual. Many people have never been able to bring their degree of computer literacy up to an adequate level. Even those who are familiar with password changing regimens, and who do not use a stranger’s USB drives, may be unaware of sinister activities such as Wi-Fi website spoofing, for example. This happens when the free Wi-Fi login for an honest-to-goodness coffee shop is replaced or overshadowed by a sophisticated reproduction working in the same hotspot, inviting workers to share everything on their mobile devices with them.
These actions may fly under the radar, especially when security does not or cannot maintain sufficient definitions of “correct” or “normal” activity on a network. Security specialists themselves often do not have the resources to adequately police internal activities, even when a budget has been established.
It is evident that none of these human-sourced weaknesses are the result of a specific virus or action. They are generally passive in nature, relying on the fact that people are both goodhearted and under great pressure. However, these activities are the types that offer safe harbor to malignant operators, who either hack in and sniff out these soft spaces or already work within the organization and are intent on sabotage or espionage.
network security will always be an ongoing battle. The enemy is relentless. That’s why a strategy must come from the top. It should focus not solely on technical solutions, but also on human elements such as time management, planning and communication, backed up with adequate and ongoing training. For as distanced as these soft skills seem to be from the digital world of computers, they are the levers by which the bad guys force open a crack and move inside.
For more on this topic, go to businessvalueexchange.com, sponsored by Hewlett Packard Enterprise.
By Steve Prentice
