We all know that information security relies on a layered approach. It's about people, processes/programs and technology.
And we all know about Advanced Persistent Threats: how they work, their attack vectors, etc.
And even so, more and more companies are attacked every day. I just want to highlight two incidents that are critical in my opinion and will serve as the basis of my argument.
One of the incidents happened to Coca-Cola.
They were attacked by hackers in 2009, and the effect of this was the collapse of a giant company acquisition that Coca-Cola was negotiating in China.
What is certain about this case is the fact that Coca-Cola was deeply penetrated, and it started with an email opened by a high-level executive of the company.
For more information about the case, please click here
The other case is related to the RAF (Royal Air Force).
In a PR effort, photos of Prince William on duty were taken and distributed among websites and newspapers. What no one noticed at the beginning was that some photos actually had usernames and passwords of systems visible!
For more information about the case, please click here
Question:
What do these two cases have in common?
First – Two big institutions that take information security seriously (one of them is a military one).
Second – Both incidents happened with high-level personnel (one of them is one of the most monitored persons in the world).
Third – Both persons involved in the cases above were aware of the risk of exposing information. They were trained, for sure. They are smart people.
They should have acted better. Been more vigilant.
Then, what's the issue here?
Companies like Coca-Cola, the RAF and many others invest in security awareness training, risk analysis and mitigation, incident response processes and several technologies like Data Loss Prevention, Session Flow Analysis, Sandboxes, Anti-APT, Next Gen Firewalls and many others to reduce the likelihood of sensitive information being stolen, and we still have many companies being hacked. So what do they need to do to reduce the risk of the weakest link in the chain, the human factor?
It's not just about lack of training, because I personally see many security teams working hard to spread the word among users, to make them understand the risk.
Even so, we still see valuable data being exposed on the web.
So, what's wrong?
People don't take responsibility for what they do.
Everybody knows that they should not open emails from "unfamiliar sources" with "strange and generic titles". But they do.
Everybody knows that they can't upload internal/confidential information to the web. But they do.
Everybody knows that anti-virus/anti-malware/personal firewalls and data loss prevention agents have a purpose. But users with administrative access will disable them to run memory-eating apps.
It's time to make the user accountable for the risk he imposes on companies by being reckless about information security.
I'm not saying how to do it, because every company has its own ways and every country has its own laws, but for sure they should start thinking about it.
As I see it, it's the only way to strengthen the human factor of information security risk.
Regards