Humanisec: Securing The Human Network
We have met the enemy and he is us.
Employees are often the weakest link in the security chain.
The True Nature of the Data Security Challenge: Decoded

“People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems.”

—Bruce Schneier

Security Expert and Author

While most managers and employees think that data security is someone else’s job, in fact, it is up to everyone in the organization to protect sensitive information. Consider the following…

What if…
One of your employees steps out to take a smoke break. While there, he sees an abandoned folder with your corporate logo on it. Curious, he opens it up to see if he can determine to whom it might belong. Shockingly, what he finds is a disk clearly labeled, “Layoff List.” Is it more likely that he will immediately turn this disk over to your IT department for investigation, or that he’ll rush to his office to load it on his machine, frantically looking for his own name?

What if…
A well-written (yet entirely fraudulent) email with your precise corporate look and feel is sent to your employees, which includes instructions from Human Resources to “click here” to sign into the “New Benefits Portal”. Regardless of how genuine it looks, how many employees would call Human Resources first to verify the instructions, and how many would simply click through without so much as a second thought, willingly divulging their own network ID and password along the way?

What if…
One of your employees is returning from lunch, and is about to swipe into the building when he encounters another “employee” struggling with an armful of boxes at the door, a realistic but entirely counterfeit badge hanging prominently from his pocket. Would your employee be more likely to take the boxes so the stranger can swipe his own card to enter, or simply swipe his own badge and then, ahem, hold the door open for him with a smile?

Only employees who are properly trained and aware will do the right thing, and thereby keep your data safe in the process. Sophisticated attackers are now taking full advantage of this prevailing attitude that “security is someone else’s problem” and are beginning to aggressively target rank-and-file employees and middle managers to gain access to sensitive information for both profit and harm. The security industry refers to this type of attack as “social engineering,” whereby the bad guys prey on the trust or naiveté of employees to gain access to sensitive internal information.

And this style of attack is no longer theoretical in the least. Recent high-profile headlines of data loss achieved via social engineering tactics are becoming plentiful, and even now include the venerable security company, RSA, who recently lost significant intellectual property when someone inside their organization was lured into clicking on a link in a sophisticated spear phishing scam. This loss of proprietary data ultimately led to break-ins at several U.S. defense contractors who, themselves, relied on the stolen RSA technology to safeguard their own systems.

Another recent headline is the Stuxnet case, where an employee plugged an infected thumb drive into a closed, private network, which ultimately led to the actual destruction of physical infrastructure. And in yet another example, the FBI recently reported that, in just one scam in which the bad guys targeted LinkedIn users, over $100 million was drained from U.S. bank accounts simply by manipulating the trust of its users.

In fact, some studies now place rank-and-file employees in the middle of almost a third of all data breaches. For example, the popular, bank-account-draining malware known as “Zeus” always requires some hapless employee to install the software first, before the attack can take place. Delivering this programmatic payload is the tricky part, and social engineering ploys are now the most common and dependable means of transport.

These attacks can range from something as simple as planting a thumb drive or other removable media to be found, to highly sophisticated phishing attacks such as the one that was used to penetrate RSA. There are, in fact, a myriad of ways social engineering tactics can now be employed, and with the rise and immense popularity of social media networks, well… the problem has become exponentially worse, as the bad guys now have a virtual treasure trove of new information about your employees to harvest and exploit for this very purpose.

So, short of installing turnstiles protected by armed guards, you may ask, is there any amount of security spend that will stop an employee from holding the door open and willingly inviting the danger in? Sadly, the short answer is no. Nor will it stop a “zero day” exploit (one that targets a previously unknown software flaw) that arrives in an email or web link and is unwittingly opened; nor will it stop corporate information from being posted on personal social media websites; nor dozens of other potential new threats from future technologies as yet unknown.

Indeed, all of these issues and many more can only be resolved in one way: they all require the creation of an employee base who not only understand their vital role in maintaining data security and the new risks of this increasingly digital world, but who are also savvy enough to recognize and thwart current and future social engineering attacks.

This is the real challenge that lies ahead, and this is where our solutions begin.

“The methods that will most effectively minimize the ability of intruders to compromise information security are comprehensive user training and education.”

—Kevin Mitnick
Computer Security Consultant, Author
and Former "Most-Wanted" U.S. Hacker