We all know that information security relies on a layered approach: people, process and technology.
And we all know about Advanced Persistent Threats: how they work, their attack vectors, and so on.
And even so, more and more companies are attacked every day. I want to highlight two incidents that I consider critical and that will serve as the basis of my argument.
One of the incidents happened to Coca-Cola.
They were attacked by hackers in 2009, and the effect was the collapse of a giant acquisition that Coca-Cola was negotiating in China.
What is certain about this case is that Coca-Cola was deeply penetrated, and that it started with an email opened by a high-level executive of the company.
For more information about the case, please click here
The other case is related to the RAF (Royal Air Force).
As part of a PR effort, photos of Prince William on duty were taken and distributed to websites and newspapers. What no one noticed at first was that some of the photos actually had usernames and passwords of systems visible in them!
For more information about the case, please click here
Question:
What do these two cases have in common?
First - Two big institutions that take information security seriously (one of them military).
Second - Both incidents involved high-level personnel (one of them is one of the most monitored persons in the world).
Third - Both people involved in the cases above were aware of the risk of exposing information. They were trained, for sure. They are smart people.
They should have acted better. Been more vigilant.
So, what's the issue here?
Companies like Coca-Cola, the RAF and many others invest in security awareness training, risk analysis and mitigation, incident response processes, and technologies such as Data Loss Prevention, session flow analysis, sandboxes, anti-APT products, next-generation firewalls and many others, all to reduce the likelihood of sensitive information being stolen. And yet companies keep getting hacked. So what do they need to do to reduce the risk from the weakest link in the chain, the human factor?
It's not just a lack of training, because I personally see many security teams working hard to spread the word among users and make them understand the risk.
Even so, we still see valuable data being exposed on the web.
So, what's wrong?
People don't take responsibility for what they do.
Everybody knows that they should not open emails from "unfamiliar sources" with "strange and generic titles". But they do.
Everybody knows that they can't upload internal/confidential information to the web. But they do.
Everybody knows that anti-virus/anti-malware/personal firewalls and data loss prevention agents have a purpose. But users with administrative access will disable them to run memory-hungry apps.
It's time to make the user accountable for the risk he imposes on the company by being reckless about information security.
I'm not saying how to do it, because every company has its own ways and every country has its own laws, but they should certainly start thinking about it.
As I see it, it's the only way to strengthen the human factor in information security risk.
Regards
Great point.
I do believe you are right, but still... how do we make the user accountable?
Maybe regulations and laws can help (and should help), but we are speaking about changing the user "culture".
Posted by: David Broda | 01 December 2012 at 12:28 PM
Hi David,
You're right. Changing the user culture isn't an easy task. Far from it...
But I believe that this cultural change must come, and for some people it'll come naturally through specific awareness training. For others it'll come by need.
Knowing that they're accountable for their actions will make them more responsible too.
Posted by: Alexandre Cezar | 02 December 2012 at 09:05 AM
It is not just the lack of training, because I saw many security teams make an effort among users by word of mouth, in order for them to understand the risks.
Posted by: John Deere | 20 January 2013 at 09:06 PM