Cyber Security Risks
Administrative Breakdown, Malware or Human Mistakes
By Glenn Smail - Partner Omni Paratus Security Services
It was recently reported that approximately 95% of all security breaches involved human error, and that approximately 60% of those were the result of innocent mistakes. While this is a simplistic way to identify the major security problems facing companies today, the facts are clear: a company that does not have an Enterprise Security Solution in place will ultimately suffer hacking and network compromise from both internal and external sources.
Companies can put in place all the cyber security measures and policies available today; however, a single employee's failure to follow policy and procedure, or a single breach of security measures, is enough to take a major corporation offline for days.
Some examples of human error we encountered that ended in a company data breach are as follows:
- A company network administrator brought his son into the office on a weekend and manually bypassed the security software so that his son could play X-Box while he worked. Hackers breached the server through the X-Box and completely compromised the financial institution.
- An employee brought his son's report to work to print out on an SD card that contained a virus. Once the card was inserted into the network, the security warnings were ignored and the system was compromised.
- Employee access codes and passwords were discarded into the trash without being properly shredded. Those codes were used to access the company network.
- Phishing e-mails offering coupons or other tempting content were sent to employees; the attachments turned out to be malicious and, when opened, compromised the company network.
- We walked into a client's business with a wheeled cart and loaded the cart with company computer equipment and software. When approached we simply stated that we were there to perform some computer diagnostics and upgrade the network. We walked out of the building with a whole cart of sensitive data and physical equipment with no further questions asked.
- We recovered sensitive data from hard drives that had been discarded into company dumpsters.
This is why OPSS preaches an all-encompassing or "Enterprise Solution" to corporate security problems. Any major corporation should have periodic external security assessments that cover all aspects of potential security breaches. These assessments help to identify potential physical, administrative, policy and internet breaches within a given organization.
Companies are constantly changing locations, employees, computer hardware and software, etc. Therefore, an internal security program needs to be implemented and updated regularly so that everyone across the entire company understands the same basic security measures necessary to maintain a healthy company network.
Some human resource security policies to be considered for implementation are as follows:
- No sharing of user IDs and passwords with anyone inside or outside of the company.
- Protect your password from onlookers when entering it at your workstation.
- Any person observed in secure areas on company grounds who is not recognized should be questioned and, if necessary, referred to corporate security.
- ALL company documents containing sensitive data should be shredded.
- Temporary employees should be kept off the main server and restricted to local-access-only computer systems, to avoid data breaches by corporate espionage or by persons not well versed in company policies. Access badges should be issued to all employees that identify temporary workers and the specific department to which an employee is assigned.
- Employees' internet access to social media sites and other sites where malware is commonly hosted should be limited and monitored.
- All physical equipment used in the field (i.e., laptops, smartphones, tablets, etc.) should be kept secured, its data encrypted, and the devices password protected.
- Monthly security meetings should be held to review company security policies, discuss recent issues encountered by employees, and ensure that these issues are being addressed by management.
Employees in positions of authority who have been assigned elevated access to sensitive data, such as system administrators, can do the most damage to a network. Often these administrators bypass company policies and security protocols entirely, which completely compromises the company network.
Some examples of administrative-level network violations we've encountered are as follows:
- System configurations altered or replaced in an incorrect manner.
- Failure to properly address ongoing complaints of network security violations and potential penetrations.
- Failure to enforce or implement a 45-day password change with a higher level of password encryption. In some cases the network administrator never changed their own password.
- Default user IDs and passwords posted near the mainframe.
- The IT department's poor management of software patching.
- No regularly updated advisories of new cyber threats or physical security breaches. No security policy or security software updates implemented over an extended period of time.
- Failure of administrators to monitor access to social media and to sites containing potential malware.
So how does a company solve these security issues?
The only solution to these security problems is to implement a balanced system of physical and technical security measures together with regularly updated training. Security audits of the IT department and of employees with internet access must also occur on a regular basis. Set up a toll-free anonymous tip line for employees to report security breaches or other potential security problems. In any area of expertise, "knowledge is power": the more aware employees are of potential security threats, the better the company will be at protecting its network.
Omni Paratus Security Services provides worldwide cyber security implementation and threat detection combined with physical security assessment and implementation.
Visit us at: OPSSLLC.com