Broadly speaking, information security is held up by three pillars – People, Process and Technology. As threats to our information security (and particularly cyber-related threats) continue to emerge and evolve, we constantly look to technological solutions to help combat these threats, e.g., firewalls, encryption, antivirus, intrusion detection systems, etc. However, it is important not to overlook the other 2 components of the triad: people and processes. It is widely accepted that humans are the weakest link in information security and there can be no disputing our fallibility. However, what we can do is attempt to limit the capacity to compromise security.
Let’s look at the threats that insiders bring to our organisation’s information security. How many of these scenarios can you relate to?
- The new staff member who is not aware of company policies
- The Finance team member who has been with the business for 20 years but hasn’t undertaken any security training since arrival, isn’t aware of the latest cyber threats and thinks phishing is a new form of angling
- The disgruntled employee (could be past or present) who is seeking some form of retribution
- The stressed and under pressure executive who is looking to shortcut procedures or doesn’t check the recipients of an email before pressing the send button
- The IT administrator getting a little complacent or being pressured to get a task done quickly.
Each one of the above scenarios could lead to a breach of security and, whilst human fallibility plays a part, it can be argued that the biggest failing is on the part of the organisation not having implemented the appropriate controls and processes to help minimise (yes minimise, not eliminate!) breaches occurring. And this is where training comes in.
In this blog, our aim is to promote the need for effective and ongoing security awareness training; to alert, educate and empower your staff to protect the precious data that they are processing on a day-to-day basis. We will also explore some recent and common information security breaches and threats.
Let’s look at 3 common ‘insider’ security threats.
A compromise can happen to the best of us, even the most vigilant of IT administrators. Social engineering attacks, in their many guises (phishing/spear phishing, etc.), are seen as one of the most common and effective ways of bypassing security controls.
Regular reminders to employees of their obligations regarding information security is a proven mechanism for reaffirming lessons. Users would be reminded (for example) of rules relating to password sharing or writing them down.
There are plenty of security controls your administrators can implement to provide additional protection, such as multi-factor authentication, password strength, and rotation, account monitoring etc. Fundamentally, however, human intervention may still allow these controls to be bypassed, whether accidentally through lack of awareness or maliciously by an external third party such as a targeted phishing attack. Both of these scenarios are examples of where risk can be minimised through the implementation and use of an effective information security awareness training programme.
A significant number of information security breaches are caused by human error. Breaches associated with an email being sent to the incorrect recipient is likely to be a daily occurrence in most organisations. GDPR governance relating to personally identifiable information (PII) lends itself to the use of the blind carbon copy (BCC) address box on emails distributed to a number of users, unless there is a legitimate (and business) need for some of the recipients to collaborate.
All organisations, regardless of their industry or sector, process personal information such as names, addresses, national insurance numbers, medical information etc. in their role as employers. The responsibility to protect this information lies with the organisation but is dependent on the diligence of individuals to treat personal information as they would if it were their own, e.g., how would they feel if their privacy was breached?
Accidental breaches have increased in recent years with the rise of alternative methods to communicate data. How many times have you heard people blaming their smartphones (‘my device accidentally called you when it was in my pocket’) and responding to an email when commuting? Instant messaging represents another big risk. This form of communication can often sit outside of the security parameters set by an organisation. Users need to be made aware that an organisation’s information is only to be shared using approved communication methods – a staple message in most security awareness training courses.
The COVID pandemic has introduced a far greater adoption of video / teleconferencing, which has brought its own pitfalls – such as non-muted microphones leading to oversharing of conversations or cameras being on when perhaps they shouldn’t..
Incorrect storage or disposal of information, be it physical or electronic, is another significant source of security breaches and organisations need to ensure they have clear processes in place, backed up by comprehensive awareness training.
Scams and fraud
The possibility of employees, at all levels, being tricked into giving up their information is on the rise and shows no signs of slowing down.
Whilst scams may be getting more sophisticated, there are still a number of tell-tale signs that users can look for. An effective security awareness programme can greatly help improve the vigilance of staff. Like the old mantra says, if something looks too good to be true, it probably is.
Ultimately, scammers will attempt to prey on users’ sympathy, curiosity, fear and greed and, whilst many have been around for several years now, the sophistication of these types of attacks is growing.
Examples include the all-too-common notification that a wealthy relative in a faraway country has recently passed away, and that you have inherited a significant sum of money, all that is required is for you to enter your account number and sort code to obtain it.
The Facebook link that invites an individual to see ‘who is looking at their profile.’ This type of activity is specifically constructed to prey upon natural human curiosities.
The multiple social media platforms provide a diverse array of opportunities for hackers and scammers.
A notable example of a scam that targets individuals’ sympathy and compassion was recently revealed using ‘GoFundMe’, an organisation that facilitates online donations to allow individuals and charities raise funds for worthy causes. This well-meaning initiative can also be exploited by scammers. It is always worth checking the validity of any invitation to contribute. Clearly the site administrators conduct an amount of due diligence, but your well-intentioned gesture could easily be lining the pockets of scammers.
Fear can often be exploited; an individual may contact you with convincing details of your password and email accounts, amid claims that they have hacked your webcam and have compromising footage about your activities. If you do not pay an amount to the scammer, the threat is that they will distribute this material to your contacts list.
Finally, the meteoric rise in viability of cryptocurrency (in all its forms) provides yet another opportunity for scammers to relieve you of your hard-earned cash. ‘Amazing’ investment opportunities, or the promise of significant financial return on an investment will often prove to be too tempting.
Through the conduct of regular information security awareness and training and the ad hoc highlighting of the latest scams and frauds, your staff can be alerted to the techniques in use, enhancing your organisation’s security as a whole, but also benefitting individual staff in their daily lives.
Our aim is to promote the need for effective and ongoing security awareness training
Having been involved in over 350 successful ISO 27001 certifications, URM is ideally placed to advise you on the essential activities and tasks you will need to carry out in order to maintain and improve your ISO 27001 auditing function and programme
URM can help you get ISO 27001 certification
URM can help you with ISO 27001 audit
The purpose of ISO 27002 is to provide organisations with guidance on selecting, implementing and managing information security controls.
Annex A of ISO 27001 comprises 114 controls which are grouped into the following 14 control categories.
In this blog, we are going to look at governance. We are regularly asked, ‘is information governance the same as IT governance?’