Last month’s indictment in the District Court of Pennsylvania alleging China conspired to steal trade secrets from prominent US companies is proof that one of the oldest, and still most effective, tricks in the book – spear phishing – is alive and well.
You would think that in 2014 those of us who spend the lion’s share of our day staring at a computer screen would be savvy to this trick, but time and time again hackers and cybercriminals gain access to sensitive data by sending a seemingly legitimate email to unsuspecting employees. How can this still be happening? Don’t our organizations have a defense-in-depth strategy that protects us?
The fact of the matter is that all the technology in the world cannot make up for a workforce that doesn’t realize they play a key part in their company’s security strategy. I spent the majority of my childhood playing football. One of the first things my coach taught me, even before strapping on my helmet, was that everyone on the team has to do their job in order for the team to win. Your team might have the best quarterback in the league, but if the offensive line consistently misses blocks your quarterback will likely end up on his back most of the time and your team will be hard pressed to win. The great Vince Lombardi said it best, “The achievements of an organization are the results of the combined effort of each individual.”
This same rule applies to security and compliance in an organization. You may have an IT organization that has built a best-of-breed security technology portfolio to protect the network, applications, and computing infrastructure, but if employees don’t keep up their end of the bargain and click on suspicious links in emails, use unapproved USB drives, or share company-sensitive data in unsecured ways, your security solution will end up on its back, and your organization will be hard pressed to beat the hackers.
To be fair, employees generally do not want to harm their organization. Many times the issue comes down to lack of time and focus. Most IT groups are constantly making tradeoffs between mission critical projects. The marketing team needs IT support for their new content management system. HR needs new employees provisioned in the myriad of company systems. New equipment needs to be installed and integrated into the network. And, oh yes, don’t forget to both monitor the security infrastructure for critical alerts and train employees on proper security protocols. There simply is not enough time in the day for IT organizations to get everything done.
In an effort to reduce the workload on IT, we are seeing more and more companies move from product-centric security strategies towards Security-as-a-Service approaches. With Security-as-a-Service, IT organizations can offload time-consuming tasks like monitoring network traffic, reviewing log data, and protecting web applications to a trusted team whose sole purpose is to provide this service. With a team of experts working to protect their environments from external threats, IT can focus on preparing the workforce to deal with threats such as spear phishing. Over time, with regular training, organizations can see real improvements in how their employees deal with threats directed at them.
So now is the time to ask yourself this question: what am I doing to enable my workforce to protect their own security and the security of my organization?