Information security relies on three main pillars: People, Process, and Technology. As the landscape of threats, particularly in the cyber realm, continues to evolve, we often turn to technological solutions such as firewalls, encryption, antivirus software, and intrusion detection systems to combat these threats. However, it is crucial not to overlook the other two components of the triad: people and processes. It is widely acknowledged that humans are the weakest link in information security, given our fallibility. Nonetheless, we can strive to limit opportunities for compromising security.
Now let's examine the risks posed by insiders to an organization's information security during an ISO 27001 audit. Can you identify with any of the following scenarios?
A newly hired staff member who is unfamiliar with company policies.
A long-serving finance team member who has not received security training since joining and lacks awareness of the latest cyber threats, mistakenly perceiving "phishing" as a new fishing technique.
A disgruntled employee, whether current or former, seeking retribution.
A stressed executive under pressure, taking shortcuts or failing to verify email recipients before sending sensitive information.
An IT administrator becoming complacent or facing pressure to expedite tasks.
Each of these scenarios has the potential to result in a security breach. While human fallibility plays a role, it can be argued that organizations bear the greatest responsibility for not implementing adequate controls and processes to minimize breaches (though not eliminate them entirely). This is where training becomes crucial.
The purpose of this blog is to emphasize the importance of effective and continuous security awareness training. Its goal is to alert, educate, and empower your staff to safeguard the valuable data they handle on a daily basis. Additionally, we will delve into recent and common information security breaches and threats, focusing on three prevalent "insider" security threats.
Administrator error
Even the most vigilant IT administrators can fall victim to compromises. Social engineering attacks, such as phishing and spear phishing, are widely regarded as among the most common and effective methods for circumventing security measures, and administrators are targeted precisely because of the access their accounts hold.
Regular reminders to employees about their information security obligations serve as a proven means of reinforcing important lessons. These reminders could include rules concerning password sharing or writing them down.
While administrators can implement numerous security controls to enhance protection, such as multi-factor authentication, strong and regularly rotated passwords, and account monitoring, the human element remains a potential vulnerability. Whether through a lack of awareness or through the malicious actions of external parties using targeted phishing attacks, these controls can still be bypassed. Both scenarios highlight the importance of minimizing risk through the implementation and use of an effective information security awareness training program.
User error
A considerable number of information security breaches occur due to human error. It is likely that incidents involving emails sent to incorrect recipients happen on a daily basis within most organizations. GDPR regulations, which govern the protection of personally identifiable information (PII), suggest the use of the blind carbon copy (BCC) address box in emails sent to multiple users, unless there is a legitimate business need for certain recipients to collaborate.
Regardless of industry or sector, all organizations handle personal information such as names, addresses, national insurance numbers, and medical data as part of their role as employers. While the responsibility to safeguard this information lies with the organization, it ultimately depends on the diligence of individuals to handle personal data with the same care they would apply to their own information. Considering the potential breach of privacy, individuals should ask themselves how they would feel if their own privacy was compromised.
Accidental breaches have become more common in recent years, with the proliferation of alternative methods for data communication. People often attribute mistakes to their smartphones, such as unintentionally making calls while the device is in their pocket, or responding to emails while commuting. Instant messaging poses another significant risk, as it frequently operates outside the security parameters established by organizations. Users need to understand that sharing an organization's information should only be done through approved communication methods, a key message emphasized in most security awareness training courses.
The COVID-19 pandemic has led to a widespread adoption of video and teleconferencing, which introduces its own set of challenges. Oversharing of conversations due to non-muted microphones or leaving cameras on when it is not appropriate are common pitfalls that organizations face.
Improper storage or disposal of information, whether in physical or electronic form, represents another significant source of security breaches. Organizations must establish clear processes supported by comprehensive awareness training to mitigate this risk.
Scams and fraud
The prevalence of employees, across all levels, falling victim to deceptive tactics and willingly sharing their information is increasing and shows no signs of decline. Although scams are becoming more sophisticated, there are still evident indicators that users can watch out for. An effective security awareness program, along with ISO 27001 certification, can significantly enhance the vigilance of staff. As the old saying goes, if something appears too good to be true, it probably is.
Scammers ultimately exploit users' sympathy, curiosity, fear, and greed. While many of these scams have been circulating for years, the sophistication of such attacks is growing. For instance, a common scam involves receiving a notification about inheriting a substantial sum of money from a wealthy relative in a distant country. The only requirement is to provide your account number and sort code to claim the inheritance.
Another example is a Facebook link enticing individuals to find out who is viewing their profile. Such activities specifically target human curiosity. The multitude of social media platforms offers diverse opportunities for hackers and scammers to operate.
A recent example of a scam targeting sympathy and compassion emerged on the platform GoFundMe, which facilitates online donations for individuals and charities. While this well-intentioned service carries out some due diligence, it can still be exploited by scammers. It is advisable to verify the validity of any invitation to contribute, as your well-intentioned gesture could unknowingly benefit scammers.
Fear is often exploited as well. Scammers may contact individuals with convincing details about their passwords and email accounts, claiming to have hacked their webcams and possessing compromising footage of their activities. They threaten to distribute this material to the individual's contacts unless a sum of money is paid.
Lastly, the rapid growth of cryptocurrency presents another opportunity for scammers to exploit individuals and swindle their hard-earned money. Tempting offers of "amazing" investment opportunities or promises of significant financial returns can prove irresistible.
By conducting regular information security awareness and training, as well as periodically highlighting the latest scams and frauds, organizations with ISO 27001 certification can alert their staff to the techniques used by scammers. This not only enhances the overall security of the organization but also benefits individual staff members in their daily lives.