This is the sixth and last in a series of columns on information security. Prior articles dealt with trade secret theft, ways to keep your data safe and with information security in light of the different types of technologies being deployed by companies. This article underscores the fact that despite all the technological advances with respect to information security, we are all human and often times represent the weakest link in securing data and other intellectual property.
When retained by clients to conduct assessments on their information security policies and procedures, I am usually steered to a review of their technology solutions, including hardware-and software-based security solutions. However, I always point out to clients that the human factor usually presents the greatest risk with respect to information security and the loss of intellectual property.
To underscore this fact, I just read an article about a test done earlier this year by the U.S. Department of Homeland Security (DHS) in which it wanted to see how hard it would be for someone to gain access to its computer systems. Apparently, at least according to the test results, it was not very difficult.
According to the article, DHS staff dropped USB thumb drives and other computer media in parking lots and in other places around government buildings and the buildings of private contractors. Of the employees and the contractors that picked up the “dropped” media, more than 60% plugged the USB devices (or loaded the CD) into their computers to see what was contained on the media. Further, if the CD or USB device had a logo or some other identifying information on it, more than 90% of those that picked them up put them into their computers. It goes without saying that these are astounding statistics.
Despite all the technological solutions that a company might deploy to prevent unauthorized access to their computers and networks, this very basic study shows that humans will be human and will apparently disregard basic security precautions if given the opportunity to do so. I would presume that if queried, most of the people that plugged (or otherwise put) the media into their computers would state that they knew of the risks in doing so, but did so anyway out of curiosity.
In addition to malware contained on media such as computer disks and thumb drives, it is worth noting that malware is often contained in attachments to e-mails. A review of many of the more serious recent data breaches show that employees obviously are not reluctant to open such attachments despite knowing that they may contain malware.
By way of example, the recent breach of the RSA Secure ID Platform was apparently brought about by e-mails that had contaminated spreadsheets attached to them. The spreadsheets contained an imbedded Adobe System’s flash file that allowed hackers to infiltrate the employees’ computers. The result was a breach of the RSA Secure ID Platform, which is used by many companies for data security.
In light of the increasingly sophisticated attacks with respect to data networks, and given the propensity of employees to fall for unsophisticated methods of attack, companies must be increasingly vigilant in their efforts to prevent and to mitigate such attacks.
Employee Training Should Not Be Overlooked
In addition to all of the technological solutions that companies employ such as firewalls and virus protection schemes, companies should not forget that ongoing and recurring employee training must be a vital component in their information security programs. All new employees must be trained in information security and must understand what they should and should not do with respect to their computers and the company’s networks. I note that many companies provide this type of training.
However, one of the failings of many companies is that this training is not ongoing. A good practice would be for this type of training to be refreshed for all employees at least twice a year. This type of refresher would serve two purposes. First, it would reinforce what the employee has already been told with respect to information security and hopefully help the employee to remember the “dos” and “don’ts” of information security. Secondly, it would allow the company to present new vulnerabilities to the employees on a more timely basis than an annual refresher. For employees who are in the IT space or who are heavy users of mobile technology, quarterly refreshers might be in order.
Additionally, in light of the rise in both employees’ and companies’ use of social media such as Twitter, Facebook, LinkedIn and other mobile applications, legal counsel and companies must regularly review their information security policies and procedures and adjust them accordingly. Part of this adjustment must include making certain that all employees are adequately trained with respect to the company’s policies and procedures, and are aware of the ongoing and ever increasing risks facing companies with respect to the protection of the company’s information assets and intellectual property. As we have seen, failure to do so could be catastrophic.