IT security: taking the C-level to task
February 3, 2014
By Anthony Perridge, EMEA channel director at Sour
Many chief security officers (CSOs) are often faced with the difficult task of having to explain to their chief executive officer or other senior official how their corporate network has been hacked and what damage has been caused.
But the task becomes much harder when the CSO has to explain that it was the actions and behaviour of the executive himself or herself that led to the security breach and the risk to corporate reputation and data.
KRC Research recently carried out some interesting research which questioned information workers in the US about their information security attitudes and practices and found that those who have the highest access to valuable company information are the very people more likely to engage in risky behaviours.
The research found an incredible 87 per cent of senior managers admitted to uploading work files to their personal e-mail and cloud accounts. Of these, 37 per cent said it is because they prefer to use their personal computer, and 14 per cent said it is too much work to bring their work laptop home. Not only that, but 58 per cent of senior managers admitted to having previously accidentally emailed sensitive information to the wrong person, compared to 25 per cent of workers overall. About 51 per cent of senior managers admitted to taking files with them after leaving a job, again compared to 25 per cent of office workers in general.
The trouble is that the C-level in any organisation has privileges others simply do not have. Coupled with that, the typical profile of a ‘Level 8’ executive is that they are high up in the food chain of the organisation and therefore a more prestigious target; they are often not IT savvy; they tend to be extroverts and outgoing; they have more access rights than they actually need; and all too frequently they exempt themselves from security measures simply by ordering it.
Increasingly the cybercrime gangs who target organisations recognise that the direct route into a company is not always the best route and they look at just these sorts of high prestige and low awareness individuals to find a stealthy way into the network. After all, they are looking to be there for the long-term and so stealth and concealment are essential.
Targeted emails are one way these cybercrime gangs go after the C-level. Simple research on social media or Google throws up many useful details about what makes the CEO or CIO tick as a person, and from there it is not hard to target them with enticing emails purporting to be from someone they know.
So what can we do about this?
As users of the internet, we have our part to play by regularly updating passwords, limiting the amount of information we share on social networking sites, not opening emails or attachments from people we don’t know and so on.
However, companies today increasingly have to accept the reality that they are operating in a world where the question is not if they’ll be targeted, but when. The sooner we recognise that and change our mentality from assuming we are safe to assuming we will be compromised, the sooner we can put in place measures to deal with the issues that arise when the inevitable happens, limiting the risk and ensuring the impact on the business is contained.
The truth is that where IT security is concerned there is no silver bullet and as hackers become ever more cunning, it is a major challenge for organisations to stay one step ahead. Increasingly, it’s the way companies deal with hacking incidents when they happen that really matters. Having smart plans in place to detect, prevent and if necessary remediate quickly can mean the difference between a minor technology hiccup and a full system meltdown.
In the meantime, good luck with that meeting with your boss tomorrow to try to explain why he should not have switched off his firewall to visit a Russian file sharing site on his corporate laptop!