Social Engineering: Talent Within A Business Is Biggest Problem

Social Engineering

Nothing is infallible, but when it comes to cyber security it is people, not computers, who are often the weakest link. There are plenty of horror stories circulating on the internet about identity theft, nations waging cyber warfare against each other, malicious coercion at the hands of fake authority figures, and even Nigerian funds waiting to be transferred to a lucky recipient's bank account. All have a common theme: it is not the technology that lets us down, it is ourselves.

A recent survey carried out by YouGov reveals that over a quarter of those surveyed admitted to transferring work files to and from home, and half of those said they have had a virus on their machine at some point. It is clear that the blurring of an employee's work and home life may be starting to affect the security of important corporate data.

Viruses do not discriminate: people who believed themselves technically competent reported a similar rate of infection to those who did not. Organisations are losing control over their security as workers take files off the grid.

Nor is national security immune. The notorious Stuxnet worm is a prime example of a cyber warfare tactic: it spread on removable media carried from machine to machine, so that attackers on the other side of the world could reach and manipulate industrial control systems in Iran's uranium enrichment programme that were never connected to the internet.

However, blanket bombardment by bits of malware is not the only threat.

Social engineering targets the company through the individual

'Social engineering', the practice of using specific personal information about a target to extract more sensitive or confidential material from them, is ever more prevalent. Some attacks are so well executed that even tech-savvy and senior people can be duped into giving away vital details.

I know of a CEO of a large business who liked expensive cars and made no secret of it. When a glossy brochure addressed to his home came through the letterbox, full of pictures of lovely-looking new Jaguars, he did not hesitate to pick it up. Flicking through, he found inside an innocuous-looking CD with concept cars pictured on the front, and his interest was piqued. He put it into his computer, unaware that the disc was the bait and that, because he used the same password at home as he did at work, an enormous amount of damage would be done. And it was.

Security is a major problem for businesses and governments alike. Today, serious and organised cyber crime is a far cry from a lone hacker sending out anonymous malware from their bedroom. Nortel, the much-maligned multinational communications firm, inadvertently leaked information for ten years before the extent of the breach was fully understood.

According to reports, documents including emails, technical papers, research and development reports and business plans were all taken by attackers operating from Chinese IP addresses; malware was left on infected machines even after the company had been broken up and sold, meaning the threat was passed on to the buyers.

The world has moved on, and today the cost is enormous and growing: cybercrime is estimated to cost UK businesses £21bn a year.

Is your organisation safe?

Most companies do have an IT security policy and are concerned enough to implement it. Eighty-six per cent of people who said their organisation had a policy felt that they worked in a secure way. Yet the survey revealed that, despite the policy, people were almost as likely to share passwords with other people as those who had no security policy at all; in other words, they trusted their employer to have a copy of the password.

As for those in places with no security policy, one in ten said they had no password on any device at all. It seems simple, but what is the point of a password that mixes upper case, lower case, numbers and symbols when you have instructed Internet Explorer to remember it for you? And devices do go missing: 15,648 laptops are lost by business travellers each week.

Beware malicious apps

It is not just desktops that are in need of protection. The malicious app is a growing phenomenon. Android has seen a number of apps that mirror real ones, often with the suffix 'super', with the intention of harvesting data from the device. The website Digital Trends found that 'Imangi's Temple Run (the official game) only requests permission to access the device's full network and to perform, read and write operations to storage. Temple Run Super, however, also asks for location information, phone status and identity, access to accounts on the device, and more.'
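The comparison Digital Trends made by hand can be automated. The following is an added example, not code from the original article or from any app vendor: it diffs the permissions declared in two decoded AndroidManifest.xml files (as produced by a tool such as apktool) and flags a look-alike that asks for more than the genuine app. Both manifests below are constructed for illustration; the package names are placeholders, while the permission strings are real Android permission identifiers.

```python
"""Flag a look-alike Android app by diffing its requested permissions
against those of the genuine app (added example, not from the article)."""
import xml.etree.ElementTree as ET

# Android manifests put the 'name' attribute in this XML namespace, so
# ElementTree exposes it as '{namespace}name'.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Constructed manifest for the genuine game: network plus storage only.
OFFICIAL_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.templegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>"""

# Constructed manifest for a "super" clone: the same two permissions plus
# location, phone identity and account access, as described in the text.
CLONE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.templegame.super">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

# Permissions that expose personal data or device identity. A clone that
# adds any of these without explanation is the data-harvesting pattern
# the article warns about. (Illustrative list, not exhaustive.)
SENSITIVE = frozenset({
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_PHONE_STATE",
    "android.permission.GET_ACCOUNTS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
})


def requested_permissions(manifest_xml: str) -> set[str]:
    """Return every android:name value declared in a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")
            if el.get(NAME_ATTR)}


def excess_permissions(official_xml: str, candidate_xml: str) -> set[str]:
    """Permissions the candidate requests that the genuine app does not."""
    return requested_permissions(candidate_xml) - requested_permissions(official_xml)


def assess(official_xml: str, candidate_xml: str) -> dict:
    """Classify a candidate app relative to the genuine one.

    'clean'     : asks for nothing the genuine app does not
    'review'    : extra permissions, none of them sensitive
    'high risk' : at least one extra permission is in SENSITIVE
    """
    extra = excess_permissions(official_xml, candidate_xml)
    sensitive = extra & SENSITIVE
    if not extra:
        verdict = "clean"
    elif sensitive:
        verdict = "high risk"
    else:
        verdict = "review"
    return {"extra": sorted(extra), "sensitive": sorted(sensitive),
            "verdict": verdict}


if __name__ == "__main__":
    report = assess(OFFICIAL_MANIFEST, CLONE_MANIFEST)
    print("verdict:", report["verdict"])
    for perm in report["extra"]:
        tag = "SENSITIVE" if perm in report["sensitive"] else "extra"
        print(f"  {tag:9s} {perm}")
```

The check is deliberately one-directional: a clone dropping permissions is not a concern, but any addition beyond what the genuine app needs is what deserves scrutiny before the app lands on a device that also holds corporate data.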

In the last year malware on Android was up by 580 per cent, and a staggering 23 of the top 500 apps on Google Play were deemed high risk. This might not be an immediate problem for business users, but the trend of BYOD (bring your own device) is a real headache for firms.

Information assurance

All IT security policies should make sure that only the right people have the right level of access. In a complex system, files should be seen or edited only by those who have the authority to do so. The risk of giving everyone blanket access is too high: one in 20 office workers have taken company information with them when leaving an organisation to join a new one.

Minimising this risk should be high on the agenda. The UK government recommends 10 Steps to Cyber Security, backed by the Centre for the Protection of National Infrastructure (CPNI), the Cabinet Office and GCHQ. The advice is built around an information risk management regime, supported by steps covering secure configuration, network security, user privileges, user education, incident management, malware prevention, monitoring, removable media controls, and home and mobile working.

Either way, the message is clear: a fully rounded approach must be taken to prevent damage being done. The people within a business are the problem, and they should take responsibility for the security of the technology they use rather than relying on IT to do it for them.

Bill Walker

Bill Walker is technical director at QA – the UK’s largest training company – with a core specialism in cyber security. He consults for private enterprise and Government organisations on the protection of critical IT infrastructure and information. In addition, Bill is also responsible for developing QA’s relationships with key technology vendors and partners including Microsoft, Oracle, VMWare and Citrix and for bespoke e-learning and innovation activities within QA. His client list includes British Gas, Network Rail, Centrica, HSBC, Virgin Atlantic and Microsoft. Prior to joining QA, Bill held a directorship at Xpertise and was a key member of Microsoft’s CPLS Advisory Council.