Data Security: A People Problem

Data Security: A People Problem

If securing your data were as simple as throwing a padlock onto your network cables, we'd all sleep much better at night. Unfortunately, you'll probably need to padlock your employees, too. Phishing Scams, or what used to be called social engineering, is a people problem.

There are some things that only people can fix. There are many security risks to which your data is susceptible, but there is one method that remains a wonderfully effective hacking tool. That is the phishing scam. This is typically a legitimate looking email, often from an almost legitimate looking sender, that asks the reader to click on a link. We've all heard of the scam where you get a message from a relative that's "trapped overseas without a phone" asking you to send him/her money to get home. The modern day business phishing scam is not dissimilar. If clicked, the link can infect the user’s computer with malicious software that can steal passwords, logins, and other critical data. Alternatively, the email appears to be from a legitimate source, perhaps even duplicating a legitimate webpage. The distinction is that the phishing email asks the user to enter personal information, including passwords. In either case, once you click on the link, or enter some information, you've been compromised. 

Recently, we've seen an uptick in spear-phishing campaigns. Spear-phishing is where a malicious actor gathers more information and targets higher level employees, typically C-level and their assistants, with targeted messages, sometimes to their personal and company devices. This could be in the form of a fake password recovery email, or even a message from IT stating that they need the exec to click on a link and approve some purchase. 

So how do you protect against phishing, and spear-phishing? Education and training, with a healthy dose of skepticism. Your staff need to be constantly wary of all the emails they receive. One way some firms are educating their people is by sending out their own "fake" phishing scams. Employees who click on the link inside are greeted with a notice that they've fallen for a phishing scam and then are offered tips how not to be fooled in the future. Think of it as the hi­-tech version of Punk'd. 

If you read our post from last week, we discussed penetration testing; the act of a trusted adviser or firm intentionally trying to breach a system or network. Often, penetration testers will also run fake phishing/spear-phishing campaigns to test employee awareness. 

You may not be ready to go that far, but it is important to provide ongoing training to all of your staff about phishing scams. 

Many network security appliances have a feature (sometimes paid, sometimes free) called DLP or Data Loss Prevention. If your business regularly deals with certain sensitive pieces of information, for example a certain 9 digit number in the format xxx-xx-xxxx, DLP can prevent information matching that format from leaving your network. So if an employee tries to submit a webform that requires a 9 digit number like that, or sends an email with a 16 digit number in the format xxxx xxxx xxxx xxxx and an accompanying xx/xx, that traffic is prevented from leaving your network. 

Maybe it's files and folders you're more concerned with leaving the building; in this case, it's important to have good AD security groups, GPOs, and BYOD policies in place to prevent unauthorized access to files, and to prevent external media from being mounted to copy data. Don't worry if this doesn't make immediate sense, that's where your IT guy, or an IT firm like ROI Technology Inc. come into play. 

If you'd like to see what kind of holes exist in your network security, or want some help plugging holes you know exist, fill out the form below to request a free assessment. 

Like & follow ROI Technology Inc. on social media for contests, free e-guides, and more!