“100 percent security no longer exists in the digital world,” Christian Verstraete recently blogged. “Many companies have to recognize that they have not developed a proactive enough security strategy. They also have to recognize that they have not put the appropriate procedures in place to cope with a security breach when it happens. Instead, they are in reactive mode.”
In my previous post, I blogged that although any proactive security strategy can only be as strong as its weakest link, the weakest link in your enterprise security could actually be the protocols enacted in the event of an apparent security breach.
“We are confronted with a world where employees bring their own devices and use them for both their private and their business lives,” Verstraete continued. “As our world is getting increasingly integrated, and as social media is used by enterprises to reach their customers and prospects, we need to train our people to ensure they are watchful for social engineering.”
The book Social Engineering: The Art of Human Hacking by Chris Hadnagy, the lead developer of Social-Engineer.org, defines social engineering as “the act of manipulating a person to take an action that may or may not be in their best interest.”
“While software companies are learning how to strengthen their programs,” Hadnagy explained, “hackers and malicious social engineers are turning to the weakest part of the infrastructure — the people. The motivation is all about return on investment. No self-respecting hacker is going to spend 100 hours to get the same results from a simple attack that takes one hour, or less.”
“Denial, ignorance, or the overwhelming nature of threats and vulnerabilities are all causes of a lack of focus,” Ken Larson recently blogged. “In this age of IT, the threats and vulnerabilities raised by mobility, social networking, cloud computing, and the sharing of IT resources between enterprises must be added to the traditional threats that we’ve focused on for years.”
As I have previously blogged, traditional approaches focus mainly on external security threats, which nowadays is like fortifying your physical barriers while ignoring the cloud floating over them and the mobile devices walking around them. The more open business environment enabled by cloud and mobile technologies is here to stay, and it requires a modern data security model.
“Proactively define your security strategy,” Verstraete concluded. “Decide what an acceptable risk level is. Choose and implement tools and procedures accordingly, and train, train, train your employees.” I definitely agree that employee training is essential to strengthening your enterprise security, especially training your employees to understand the principles of social engineering.