People are the weakest link in information security

What would you suggest to be the quickest way to break strong encryption? A brute force attack, golden dictionaries or exploiting a weakness in the algorithm? My answer would be to ask the person in possession of the encrypted file for the key. Encryption here is analogous to your business secrets or confidential information.

The point is that individuals and human nature are the weakest links in security, a fact often exploited by hackers and fraudsters.  Most people, by nature, don't like conflict and are either too trusting or willing to give others the benefit of the doubt in the absence of a good reason not to.

What does a hacker look like?

‘People hacking' or ‘social engineering' are probably the most common ways to obtain information.  Sometimes only one person is the target, but it is not uncommon for several people to be targeted to give up bits of information which on their own appear meaningless but together reveal everything.


Preconceived ideas and stereotypes of what a hacker or fraudster looks like, and how they will act, also work against security. Let me give an example. I recently gave a presentation to a large organisation on information security, corporate espionage and money laundering. The audience consisted of highly qualified professionals, junior staff and administrative support personnel. Before the meeting, a senior member of staff was discussing the type of work they did and asked if I thought they were vulnerable.

Testing a company's vulnerability

I decided to conduct a simple test. I approached one of the reception staff, explained who I was and that I forgot to print a part of my presentation. I asked if I could print something from a portable USB drive, and the answer was yes. Permitting an unknown device to be attached to your computer is a classic way of installing malware and stealing information. I am middle aged, wear glasses, lack hair and dress in a suit/tie and polished shoes. 


To avoid embarrassing anyone, I asked an open question during the presentation, posed that scenario, and everyone answered that they would have done that for me. I then asked whether, if I had been 20 years old and casually dressed, they would have done the same, and the answer was an emphatic ‘no.' They just didn't expect someone to come into their workplace and do this. Other reasons for allowing ‘bad people' to do ‘bad things' are:

  • Security is someone else’s problem (avoidance)
  • If they really want to get in/obtain information, they will (resignation)
  • What do we have of interest to anyone (ignorance)
  • We are a small company, and we keep a low profile (blinkered)
  • Nobody would be that bold to ask (really!)

A look from the outside

When considering how to counter this you may think that only the most senior people have access to the most sensitive information. However, what about the accounts clerk or bookkeepers who see all the invoices sent out; the filing clerk responsible for storage of all the documents; the person in IT who has administrative access to all your systems and, finally, the secretarial/reception staff who tend to know most of all?

Every business should conduct a security threat assessment. You need to identify your assets and their value. You need to identify who might want to acquire that information, and form an opinion on their ability to do so and on the consequences of their success. Lastly, you will consider how you will attempt to counter this.

Corporate culture

It is probably not possible to change a person's outlook on life with just a few training sessions and email circulations. Besides, you probably employed them for the way they are: service-minded, sociable or team-working, for instance.

So, what to do? Security is always an on-cost, an overhead that you could do without. I believe that informing your people is only part of the solution. Fostering a culture of reporting potential incidents, no matter how seemingly insignificant, coupled with a no blame culture, will help a lot.

Of course, if people are to report these incidents, then someone must evaluate them, not only in isolation but viewed against all reported incidents. This process need not be onerous or costly, but it does need a person at the corporate level to sponsor and champion it.

Another way is to design processes that do not hinder the daily work of the business, or cause additional work to the majority of the staff, but still ensure your security policies are followed. We all know people who don’t like wearing staff photo ID passes but make that pass essential to access the staff canteen or some other necessity and gradually it becomes the norm.

Nationality

Another factor is nationality and social culture. In 2015 the EU published a report which assessed how trusting the populations of the various countries were. The scale ranged from 0, not trusting at all, to 10, where most people can be trusted. There were some interesting variations. The European average was 5.8, whereas in Norway the figure was 7.3.

The intruder's success factors

The message here is clear. Not only must you assess the threat posed by outsiders, but also the vulnerability of your staff to their unwelcome attentions. For an attack or intrusion to succeed, three factors need to be present:

  1. Something of value (to them)
  2. Their capability to get it
  3. The absence of a suitable guardian

In this article, the guardians are your people.


By Shaun Reardon

Shaun Reardon was a detective at Scotland Yard in London for over 26 years and has extensive international experience having worked in over 30 countries. He specialised in hi-tech and cyber investigations working within Counter Terrorism, Economic and Complex Crime, Kidnap and Specialist Investigation, London Olympics Cyber Operations and intelligence to mention a few. Shaun is an independent Consultant based in Trondheim, Norway.
