Security is a burning issue for anyone involved in networking today.
Not a day goes by without at least one vendor rolling out a new security product or service. And it’s easy to see why security’s such a hot issue.
The breach of CardSystems Solutions’ network in June, which exposed up to 40 million credit card numbers to a hacker, was only the latest in a long list of public security snafus. The list of unannounced security breaches is almost certainly even longer.
Making sure an organization has the right tools in place to thwart any potential attack is clearly a critical first step in any complete security solution.
But one step in the security process that is still often overlooked is employee education. If employees don’t follow established guidelines, they can inadvertently undermine even the most stringent IT security measures.
A recent Deloitte survey found that only 46 per cent of global CIOs and CSOs at financial institutions surveyed listed internal security training and awareness as a top priority.
That’s somewhat understandable given that there are more external attacks on networks than there are internal breaches. And it’s the external attacks that get all the attention — not the internal ones that are easier to hush up.
But a lack of internal security training and awareness can make the job of outside hackers much simpler. If employees aren’t knowledgeable about spyware, viruses and trojans, they could wind up giving hackers a back door into the corporate network.
Employees also have to know what sort of information they shouldn’t be giving out over the phone or weaving into personal or business-related blogs. If a hacker obtains enough personal information about an employee, it becomes a much simpler task to impersonate that employee and have a new password or personal ID issued, which the hacker can then use to get into the network.
The importance of protecting against internal threats was illustrated in the Deloitte survey, with 35 per cent of respondents noting they’d experienced an internal attack in the last year, up from 14 per cent the year before. Internal attacks included phishing and ID pharming schemes used by external hackers to fool internal employees.
Similarly, organizations should ensure their customers, whether they are other companies or the general public, have some security savvy. There’s no point in building a complex data exchange system or an online banking service if it’s easy for hackers to deceive and exploit the people using it. Customers will lose faith in the service and stop using it, making all the fancy firewalls, authentication and intrusion detection technology supporting the project nothing but a big waste of money.
There’s no reason enterprises shouldn’t be investing a lot of time and money in protecting their corporate networks and business-critical information. But if at the same time they ignore the human factor and fail to educate their employees and customers, they might as well be throwing that money away.