Your system is secure, but what about your staff and users?
By Chris Holden, for Cysec-Rco Ltd.
It is accepted that security is not just about having adequate firewalls, anti-malware, secure web sites, intrusion detection etc. It is also about preventing sensitive information leaking from an enterprise and preventing the information held by an enterprise or organisation from becoming a vector for attacks against its customers or partners.
While provisions against this kind of risk are commonly included in policies that require employees to conform to certain rules and also training them in best practise, the sad fact is that people at the sharp end of getting their work done as best they can and pleasing their boss WILL cut corners and do something that exposes an organisation to risk.
Often this is simply because they did not understand the possible consequences of their actions and just wanted to complete work quickly and easily, or think that the risk they have had explained to them is not significant enough for them to be concerned with. It is not done out of malice, but it can still have significant repercussions if not dealt with. It can also be exacerbated by the fact that many security staff focus on keeping the company safe from direct threats, not this type of indirect risk. Here are a few common issues, all of which Ive found being practised in organisations over the last year or so.
Almost certainly the biggest of the risks discussed here to any employer is employees sending work home from the office to their personal email account. Even if company webmail and access to data is available for authorised home workers, unauthorised people will email work home. Even a proportion of authorised home workers will do so, most often because they dont want to waste time logging in to the company system, they just want their files right there at home to open immediately – and sometimes because they dont want the amount of work they do at home known by their manager! ?While authorised home workers are more likely to have up-to-date anti-malware, unauthorised workers are not (woe betide any organisation that allows home working without regularly establishing the cleanliness of the home devices used). The risk of data emailed home is obvious the risk of malware making it back onto servers/cloud is significantly increased, as is the possibility of sensitive data becoming public due to poor home computer and email security.
One of the fairly common mistakes made by people in both the public and private sector is in sending emails to a list of people outside of their parent organisation using just their basic email client. The issue with this is that unless email list software is used, it is very easy for the user to send the list CC and not as it usually should be BCC (where all other recipients email addresses are hidden). Sometimes the employer is not even aware of this list contact. This is especially risky when sending to customers/clients at their personal email addresses. Even if the facility to use specialist software is available, some users will be too lazy or not know any better.? Sending to a list where all addresses are visible to everyone else might well at the very least breeches the privacy of everyone on that list. At worst it makes everyone on that list a target for malware and phishing, because it only takes one of the recipients to have their email compromised for there to be a knock-on effect. ?Even if the worst does not happen, switched on customers, of which there are many more these days, will recognise how unprofessional it is and also that they have been exposed. They will probably look for somewhere else to get what you are selling.
Another email use risk is that of customer/clients or employees private data being emailed. Obviously, if emailed in plain text or in a standard file format the risk of that data falling into the wrong hands is increased even if not sent outside of the parent organisation, as the risk of a mailbox being exposed or an email being forwarded to an external address is there. I have seen personal data (however minor) emailed essentially in plain text to zero-hour contract workers private email addresses by a poorly trained manager in one organisation a disaster waiting to happen. In that particular case, the organisation in question had a secure web app in place for those staff to access that information available that should have been used.
Unofficial databases can be an issue. Sometimes workers will create a list in a spreadsheet with names, addresses, and certain other details that they might need. They do this for many reasons one of the main being that they have a ready reference of just the clients (or even co-workers/subordinates) they deal with easily available in one file that can be emailed home, despite the possibility that they already have these details in securely accessible formats. The risk posed by an unsecured file with a list of personal details should be clear.
Lastly, and more obscurely, comes the use of web forms. More and more organisations are outsourcing data collection via web forms (be it for marketing or other purposes) to specialist companies. I.T. will check out the provider for security and make sure the certificates for secure traffic are in place (https) etc. However the end user, unless properly trained, and especially if there is a cost differentiation and there are financial pressures, may use http forms, either from ignorance or cost concerns. That would be fine for forms that require no personal information, despite the public’s growing expectation for all web traffic to be https. However, when plain old http is used for something requiring personal data, the first impact is that users with high computer literacy will not submit the form so the organisation goes without the data. The second impact is that these more savvy users will not trust the organisation any more, and pass that mistrust on. The third impact is of course the risk of the data being compromised which however miniscule, is what drives the damage caused by the first two impacts.
