It Turns Out That Users Are Your Biggest Security Problem

Security is a big job, but it turns out that your users are your biggest issue!
Security is a big job, but it turns out that your users are your biggest issue!

Image Credit: David Goehring

As the person with the CIO job, it’s your job to understand the importance of information technology and keep the company’s networks secure. We invest a great deal time, effort, and cash into buying and configuring devices to accomplish this. We also pay for a great deal of training of our staff on what they should and should not do. However, it turns out that we still have a significant threat to our network: every person who uses it.

Why Are Users Such A Threat To Our Network?

It sure seems as though any time that we pick up a newspaper we can find yet another story about yet another company that has suffered a data breech involving personal data on millions of their customers. How does this keep happening? It turns out that there is a weak link in our line of protection of our corporate networks – the users.

What seems to happen is that employees of our company keep falling for phishing scams which allow the bad guys to walk in through the front door. In order to get someone to (1) open an email and (2) click on a link within that email the person who sent it has to get the person that they send the email to to trust them. The only way that they are going to trust an email is if the email contains information about them – as though the sender knows who they are, what they like, and what they do. It turns out that getting this type of information is easier than ever.

Most of us by now have a Facebook account. It turns out that a Facebook account contains a treasure trove of personal information. Your Facebook site contains information on who your contacts are and, perhaps, where you currently are. What the bad guys like to do is to send you a Facebook friend request. A user may pause for a moment before accepting it, but they’ll see that the requester is already friends with other people that they know and so they’ll eventually go ahead and accept the request. Once the bad guys are in, they now have access to a lot of information about you.

Using “social engineering” to gain access to a corporate network user’s social media accounts is a fairly simple task to accomplish. Another way to get more information about a user is to check and see if they have any Amazon wish lists online. With a minimal amount of effort, a hacker can construct a fairly intricate profile of a user. Once the bad guys have information on a user, that user is much more likely to trust them when they receive an email from them.

How Do The Bad Guys Accomplish Their Goals?

Phishing attacks are fairly broad attacks and have a low probability of succeeding. However, with the addition of detailed information about a targeted user, a hacker can engage in what is called “spear phishing”. This type of attack has a better chance of succeeding because it comes from someone that we know. A study that was performed by Verizon Enterprise Solutions revealed that they could get 23% of users to open an email and 11% clicked on the email’s attachment.

So what’s the person with the CIO job supposed to do in order to do a better job of protecting the company’s network? The obvious answer is to teach users that they must not trust anything that they find in their inbox at work. The bad news about this approach is that it generally does not work. Getting everyone to go along with a corporate security policy is just about impossible. Instead, a different approach is required.

What CIOs need to do is to make an assumption. What you need to assume is that your users will fail in their role of securing your network. This means that you need to lead then a helping hand. One way to accomplish this is to provide them with better email filtering in order to prevent the bad emails from getting to your users. Additionally, CIOs need to make an investment in software systems that can monitor internal network traffic in order to detect malware and eliminate it once it has been detected.

What All Of This Means For You

As CIOs we have the responsibility for keeping our company’s network secure. We do all of the right things, we purchase and install the devices that should keep us secure and yet we still can’t secure the weakest link – our users.

The bad guys are smart. They want to be able to send our users emails with attachments that they will click on. In order to do this, they will “friend” your users via social media networks. Once they have access to a user’s social media account they’ll know who their friends are and what their interests are. Using this information hackers can send “spear phishing” emails that have a much higher probability of getting opened and clicked on.

A network is of no value to anyone if you don’t have any users. However, that same network has to be kept safe if it’s going to be of any use to the company. Since you are the CIO, you are going to have to find ways to prevent the bad guys from getting in contact with your users!

– Dr. Jim Anderson
Blue Elephant Consulting –
Your Source For Real World IT Department Leadership Skills™

Question For You: How often do you think that you need to remind your users to not open or click on emails that they were not expecting?

Click here to get automatic updates when The Accidental Successful CIO Blog is updated.

P.S.: Free subscriptions to The Accidental Successful CIO Newsletter are now available. Learn what you need to know to do the job. Subscribe now: Click Here!

What We’ll Be Talking About Next Time

I’m not sure if you’ve been following this story in the news, but out in Silicon Valley all of those famous companies that you’ve been hearing about, Apple, Google, Facebook, etc. have just gotten done taking a look at their global workforces. What they wanted to discover is just exactly what kind of mix of people they’ve hired. The answer to this question was not good: all of these firms have effectively hired a great number of white and Asian men. What ever happened to diversity?