Lost laptops or disks, saying the wrong thing loudly on the phone on the train, leaving a folder of sensitive customer details in the pub – all can have a serious impact. People make mistakes. This article gives advice on what you can do to minimise the risk of human error.
Social Engineering is on the rise
“People are the weakest link at any level of security,” says a hacker quoted in a BBC article.
People are often the weakest link in securing information within an organisation. Social engineering, where users are duped into giving away their passwords or other sensitive information, has always been the easiest way to get information.
A report by Computer Weekly (September 2011) found that less than a third of UK businesses provide regular training aimed at preventing social engineering attacks, despite 42% being hit this way in the past two years, at an average cost of £15,000 per incident.
Often, security incidents arise because of a failure to comprehend the risk. Awareness and personal responsibility in protecting the organisation against information incidents is key. This awareness needs to permeate the entire organisation so everyone understands their relationship to information risk and their responsibilities.
Security awareness programmes and training should be an ongoing function – from induction to regular training and updates.
The following story illustrates how a simple lack of awareness of security risks at a children’s hospital resulted in a full-scale data security breach, in addition to the payment of damages and jail for one unsuspecting man.
The story of the jealous boyfriend
An Ohio man sent an email to his girlfriend that contained spyware because he thought she might be cheating on him. The girlfriend opened the email on her work computer, so the spyware installed on her work system rather than her home system. As a result, her boyfriend began to receive copies of her emails, which included sensitive medical information. This constituted a data security breach on the part of the Children’s Hospital where she worked.
Whilst the man was caught, jailed for up to 5 years and forced to pay $33,000 in damages to the hospital, the hospital could have done much more to eliminate this risk.
Lessons to be learned:
- Allowing access to home email from work IT systems increased the risks, and additional protection was required.
- Anti-virus/anti-spyware software might have prevented or identified the spyware and alerted the systems administrators.
- ‘System hardening’ of the workstation (restricting what software users can install or run) could have helped.
- The breach was likely caused by poor policies and procedures within the hospital and a lack of training for the staff. Make sure all staff are aware of what constitutes sensitive information and that such information has adequate levels of protection.
- Never send sensitive information across the internet or by email unencrypted.
- Don’t spy on your girlfriend!