Tuesday, 1 March 2016

Impact of human error in breaches

We tend to blame a system for security breach. Reality is that human error voluntary or involuntary is the number one cause of cyber security breaches. Here are some points to consider:

1. Social engineering: This is currently the biggest cause of leak in the system still. Phishing is an example of social engineering. In simple language any means by which a human can be coerced to divulge confidential information is social engineering. Abject lack of infosec awareness still plagues most organizations and individual. Honestly basis of cyber security is mere common sense.

2. Backdoors or zero day hacks: These are attacks that either take advantage of a poor piece of code or  ill configured devices. Again who configured or coded them in the first place?

3. Lack of stakeholder commitments: Small and medium scale businesses that are not heavily into IT tend to ignore the presence of cyber threat to their business as usual. These are most likely to fall prey to scam, spam and malware. They do not realize that it is not the IT infrastructure that faces threat, it  is the information that is vulnerable to attacks.

4. Security is a virtue not a product: Decades of research and effort to improve quality has been put in as people realized its importance in the industrial revolution era. In information revolution era people should understand that security has the same importance as quality.

5. To err is human: True that humans cannot be 100% all the time but a conscious effort can bring numbers close to that. Plus there are means and measures like continuity plan and disaster recovery for the rest of the percentage.

6. Information security is nerdy gobbledygook: May be so is theory of aerodynamics. Does it prevent anyone from flying? You have an information that you have to protect, all you need to know is how. Leave the rest to the researchers.

7. I have antivirus syndrome: Just get over it man! They are not enough. Like I said earlier it is your data that is vulnerable. There are 100 more ways in which you share your personal data willingly to unintended audience.

To add to this I am putting an interesting number here: "... potential annual cost to a company in the event of a successful phishing attack is around $3.7 million.." (Source). What is interesting is that most of the loss is due to loss of employee productivity, so there goes your quality!

No comments:

Post a Comment