Whilst good physical security is still essential and a key component of a holistic security solution, cyber criminals do not need to be anywhere near your business premises to break in and steal what is valuable, or even, as the WannaCry worm recently and indiscriminately demonstrated, to hold you to ransom. What is perhaps more frustrating is that even if you have all of the world's best technical security products, attackers can use proximity or psychology to bypass them and still carry out their attacks.
This is why at Context, we consider ‘cyber’ to operate across three dimensions, in the digital, social and physical domains.
Time to throw out all assumptions and pay attention?
The global nature of the internet provides fantastic opportunities for connecting your business with a vast potential client base, with whom you are able to communicate and trade effortlessly. Unfortunately, as with all things, if something can be exploited by criminals it will be, and the internet is no different. Cyber-crime has fast become the option of choice for crooks across the world, as the internet provides a veil of anonymity and almost total unattributability for anyone wishing to carry out illegal activity on a previously unprecedented global scale.
Security Operations Centres – perhaps en vogue, but not the silver bullet!
One of my previous blog posts talked about the ever more pressing need to employ the services of a Security Operations Centre – the “virtual security guards” to complement the physical security measures you may already have in place. However, even a good SOC in conjunction with strong physical security measures will not be sufficient to keep the attackers out. The final (and most difficult) element of the solution to get right is the sociological element.
People – biggest threat or greatest asset?
An office or workspace can be made as secure as your budget permits; the list of measures available to deter would-be intruders is considerable: fences, locks, cameras, motion-sensor alarms, biometric scanners – the list goes on. Similarly, a computer network can be locked down and made incredibly secure, for example through the use of prevention technologies, user group permissions, software restrictions, a ‘secure by design and by default’ architecture and the use of strong encryption.
However, both the physical and the technological security measures can be rendered ineffective if the people who are given physical access to the premises or logical access to the network resources are duped into doing something that is not in their own or their employer’s best interests. This is social engineering, or psychological operations, and it exploits the natural human tendencies to trust and to want to help; addressing it is one of the most difficult elements of cyber security to get right.
As has been stated numerous times, people can be (and often are) the weakest link in the security solution of any organisation. The internet gives criminals the opportunity to target people via this vector, but paradoxically, when equipped with the right tools, support and culture, people can actually be the strongest and most valuable element of a holistic security defence.
Social engineering – influencing and exploiting behaviour
At the heart of any business are the people. Training and educating them is time consuming and costly, and any training (and therefore lost productivity) will need to be costed and justified. Unfortunately, more often than not the benefits of cyber security awareness training are not immediately tangible, so it is perhaps given only limited resources, if any at all. No doubt the managers in such organisations will report that some training has been conducted, and the directors may therefore be unknowingly and falsely reassured that the risk has been reduced. In reality, unless the social aspects are properly addressed, the risk is unlikely to have diminished and the time and money invested are unlikely to be of any benefit at all.
Social engineering relies on an insider (one of your staff) doing something they shouldn’t (contravening policy or procedures), probably with good intentions (a lack of training?). Various levels of subterfuge can be employed, depending on the technical ability of the criminal. Examples range from the basic approach of sending generic phishing emails to huge address lists, to the more complex approach of conducting detailed online research in order to focus the attack on specific organisations and key employees. In the more complex attack, once the phishing email has been sent the criminals will often follow up with telephone calls to support and enhance the credibility of the action they are trying to influence the target to carry out.
As a business, we have seen an increasing number of Business Email Compromises, where a network has been infiltrated through an initial highly targeted (and seemingly inconsequential) phishing email. Email traffic is then monitored, and invoice payment details are intercepted and changed so that the funds are diverted.
In one instance we are aware of, authorisation of a payment required dual approval, in the form of digital authentication by a worker and their manager. To achieve this, the attackers created a fake support pop-up, called the worker, and convinced them to get their manager to log into a compromised session, thereby providing the authority to process a fraudulent transaction. This demonstrates the lengths to which sophisticated cyber-criminals will go, their brazenness, and how readily their techniques cross over from the technical to the social in order to complete their objectives.
How, I hear you ask, can you protect your business and your employees from making mistakes that could be very costly for the business and embarrassing for the employee?
The answer, unfortunately, is not simple: it will be a blend of the correct training, supported by realistic and enforceable policies, and most importantly it must be embedded in a security-focused culture that runs throughout the entire organisation, from the very top down to the bottom.
As with anything involving a human factor, there can never be a 100% foolproof solution; people by their very nature will make mistakes. In line with everything concerned with security, the best approach and most viable solution is about reducing the risk, by lowering the frequency or the impact of those human errors, within the budget and risk appetite of the organisation. With that in mind, ensuring that the return on investment is maximised will be at the forefront of people’s minds. Unfortunately, more often than not this means having something tangible to show for the investment, be that a shiny new firewall or a clever new intruder alarm; however, this can ultimately give rise to a false sense of security – excuse the pun…
The key to addressing the sociological aspects of security is fostering a vigilant and questioning cyber-aware culture in which staff are rewarded for following procedures, even if they occasionally “cry wolf” by being overcautious. To support your staff in keeping your information secure, there are three main factors to consider:
- Policies and procedures – what guidance and direction is provided to support appropriate action and informed decision making?
- Training and awareness – who across the organisation has been trained? How long ago was this? Was the level of training appropriate to their role, responsibilities and risk profile?
- Testing – if and when were your procedures and awareness training last tested to establish how effective they have been, whether through realistic rehearsals and simulation exercises, or via technical penetration testing or exploitative red teaming?
All of this considered, perhaps it’s time to look internally at what security processes your business has adopted, and whether the culture, tools and training support them in being successful and in delivering real security value through a reduction in operational risk.
After all, a cautious and security-minded staff are well worth the investment.