One of the best speakers that I’ve heard recently in the area of cybersecurity had an advanced degree in the social sciences rather than technology. Not surprisingly, security experts are increasingly seeing social engineering, which exploits the human factor of security, as a serious threat. Securing your systems and the sensitive data they contain (whether it’s financial data, personally identifiable information (PII) or otherwise) requires training and buy-in from your entire organization. Data security goes far beyond your IT department and the safeguards they can put in place.
If you have all the doors bolted and the windows locked in your house, but someone gives the criminal the keys, have all those security measures really done you any good? Your network might be configured with a proxy server that prevents users from accidentally accessing malicious websites. Maybe someone in your finance department then gets an email along the lines of “I’ve provided a secure invoice for payment. Click the link below to access that secure invoice. Your login for any major email provider will grant you the needed access.” Obviously, this is a phishing email with a link that directs them to a website intent on stealing their login credentials. Your proxy server is going to prevent them from accessing that website though, so you’re perfectly protected, right? But, wait a minute, suppose they’re working from home that day and accessing their email. When they click on that link, there’s no proxy server at home and no security policy on their computer to block the access. They go ahead and enter their credentials, giving someone the digital keys to at least one of your doors.
Even if there are best-practice security standards in place and you’ve invested in robust security software, ensuring users are abiding by those standards is critical. Are users sharing login credentials to certain systems for the sake of convenience? Are users writing down their passwords on sticky notes because it’s too hard to remember all the passwords that are changing every few months? Are users following their training on how to securely handle sensitive data, such as not including such data in emails or storing it on their local hard drive? (They are trained on this, right?)
Your systems are only as secure as your users allow them to be. At times, I’ve heard comments like, “You can patch a server, but you can’t patch stupid.” These types of fatalistic comments aren’t particularly helpful. The users in your organization will generally live up to the expectations that you set for them. If you approach cybersecurity from the perspective that it’s useless to expect people to abide by certain standards of conduct, then they will inevitably fail to live up to those standards. If you provide training, encouragement and optimism to people in your organization, then your chances of successfully securing your systems are drastically increased. Of course, having strong IT standards and practices will provide the second level of defense when mistakes are made, such as the occasional accidental clicking of a malicious hyperlink. We are all human, after all, so it’s great to have those safety nets in place. But system security truly requires a multifaceted approach and must be an organization-wide initiative.