An article published in Infosecurity Magazine in 2016 reported that as many as 22,000 USBs are left at dry cleaners every year. Even worse, some 973 mobile phones are also absentmindedly left behind in pockets and handed in, the study found. For the past several years, security has been the #1 topic of interest to our audience at our technology conference, for good reason. There is plenty of research to back up the theory that human error is easily the largest cause of data breaches. So are we shocked to hear that this many USBs and mobile phones are left at dry cleaners? The same article reported that devices were only returned to their rightful owners 45% of the time.
Kevin Mitnick, a notorious hacker of the 1980s and 1990s, once said during an interview, “The lethal combination is when you exploit both people and technology. What I found personally to be true was that it’s easier to manipulate people rather than technology. Most of the time, organizations overlook that human element.”
So we all know that “to err is human,” and that certainly is not going to change. Ten years ago, paper records that were improperly discarded had much less impact on data security than digital data today. A lost cellphone a decade ago meant someone might make calls and use up the minutes on the account. Today, a misplaced smartphone could pose a serious data breach. Massive digitization of information, mobile use, and system integration can potentially expose millions of people’s data to hackers and the harm they cause.
Napier University Professor William Buchanan lists the top three threats in computer security as “people, people and people.” He mentions leaving devices unattended, sharing passwords, or accidentally emailing information to the wrong people as typical security errors. He indicates that many of the breaches from cyber attacks are also traceable back to users unwittingly giving bad actors access to networks. Ten years ago, phone scams were how bad actors got information and money from people; today they are much more sophisticated . . . and effective.
The easiest way to conduct a successful cyber-theft seems to be tricking people. This can be done via phishing schemes, spoofed websites asking for credentials, malicious apps with embedded malware, etc. Sharing personal information, for whatever reason, gives hackers the foothold they need to exploit system vulnerabilities once they are “in.”
In October of 2015, Palo Alto Networks reported that more than 40% of all email attachments were found to be malicious. They also found the average time to weaponize a world event to be 6 hours. The implication is that immediately following an earthquake or other world event, your well-intentioned staff members might attempt to donate to a relief fund. By using their credentials to do this, they are potentially providing information that can lead to a data breach.
Symantec recommends the following best practices to prevent a data breach and reduce costs in the event of one:
Even with a great training program in place to educate your employees about attacks and teach best practices, mistakes will still be made. The best you can do is to continue to educate and provide information about current attacks and how to handle them. Additionally, monitoring for security incidents and having plans (and the teams to implement them) in place for when a security breach occurs are critically important.
Tech Talk Live is the only conference of its kind in the region specifically designed for IT pros in education.