Overlooked Security Threats

Published by:Abdul Subhani | Published on: 09 Dec, 2017
Overlooked Security Threats
Despite advanced security measures, organizations often suffer cyberattacks, due to minor security issues. Because these threats are often overlooked, employees are not typically trained and cautioned against them. Nothing might happen for years, but, one day, an attacker who targets the enterprise will find it surprisingly easy to get the information they need to secretly enter the organization’s network.

Commonly overlooked security lapses, most often due to unaware, common users, include, but are not limited to, social engineering, poor password management, disregarded policies, improper use of communication services, and complacency.

Social engineering

Social engineering is a potent threat. An otherwise well-protected system can be easily and critically compromised by human thoughtlessness.
Social engineering techniques convince users to unknowingly reveal confidential information to unauthorized people. Social engineering techniques do not coerce users to disclose confidential data; rather, they rely on psychological manipulation.

A typical example of social engineering is a malicious email telling a targeted user to take immediate action to solve some problem by verifying some information. The email includes a link to a form for the user to fill out with the requested information.

Employees must be informed about social engineering, cautioned against popular social engineering techniques, trained to identify social engineering use, and tested through surprise checks.

Poor password management

People today commonly have passwords for multiple online accounts. It is next to impossible to have different passwords for each of these accounts without storing them somewhere. As a result, people often choose to write passwords down, store them digitally, or use the same password(s) for multiple accounts. Most account holders also offer services for forgotten passwords by answering secret questions. However, hackers have been known to find ways to exploit each of these methods.

This makes passwords a weak security link, especially absent some additional, secondary form of authentication (also known as multi-factor authentication). For example, employees who also use their work password on public websites create a major security threat, as compromise of that password on the public site can lead to compromise of the employee’s work account. While this may seem to be a remote possibility, it is actually quite common in targeted attacks. Hackers know that users have trouble remembering passwords, maintain multiple accounts, occasionally use public sites that are not very well protected, don’t value security as much as they should, and often reuse the same password(s) at multiple sites.

Employees must be trained in proper password management. In addition to enforcing strong password rules and regularly changing passwords, this training should also guide employees through managing and protecting their personal accounts.

Disregarding security policies

Information technology departments often use guidance, such as ISO-27001, to create various workplace security polices. For example, when leaving the office, desks should be clear of papers, files, etc., and workstations should be logged off or locked. However, this policy is often overlooked during bathroom breaks, coffee breaks, or check-ins with colleagues or bosses in another office.

Failure to follow clear desk policies may lead to loss of physical documents or portable media (USB flash drives, etc.) and exposure of confidential information to unauthorized people within the organization. To ensure that these, and other policies, are properly followed, surprise checks with punitive measures should be conducted.

Public communication services

Employees do not only communicate through the office network. Public email services, personal mobile phones, and third-party texting and messaging services are sometimes used by employees to discuss work. Reasons for not using the office network include urgent circumstances, breakdown of the office network, or sometimes just the casual attitude of particular employees.

Employees need to understand the importance of using the enterprise’s private network for discussing confidential matters. Information traveling on unclassified communication channels can be hacked easier, compromising trade secrets.

Social media gossip

Employees may use social media to discuss official matters among work friends, directly or indirectly. However, before targeted cyberattacks are carried out, detailed reconnaissance is conducted of the target enterprise’s websites, employees’ social avatars, and other publically available information. Therefore, posting about work matters on social media can present that information directly in the path of would-be attackers.

Employees must be made aware of how targeted attacked are researched and executed. They should also be cautioned not to discuss sensitive information and office work on social media.

Complacency

Complacency is the biggest threat to security and the primary reason people are the weakest link in the cybersecurity chain. Complacency includes casual attitudes towards standing operating procedures and a general lack of awareness toward cybersecurity. Complacent people see security only as a nuisance, and they often ignore best practices and security instructions.

Enterprise management must make cybersecurity awareness among employees a top priority while also curbing employee casualness towards security controls and procedures.

Conclusion

Heavy investments in cybersecurity controls are worthless if employees do not protect themselves against common security threats. Cybersecurity is not only the responsibility of one department. Rather, it is everyone’s duty to remain vigilant to security threats and guard against them.
 
 
 
About the Author
 
Abdul B. Subhani is the founder and President/CEO of Centex Technologies, an IT consulting company with offices in Central Texas, Dallas, and Atlanta. He is also an adjunct faculty member of the Texas A&M University - Central Texas computer information systems department. Abdul is a Certified Ethical Hacker, a Certified Fraud Examiner, Certified in Risk and Information Systems Control, a Texas Licensed Private Investigator, member of FBI Infragard and the recipient of multiple other advanced IT credentials. Abdul has been a frequent keynote speaker, moderator, and panelist at leading international technology conferences, and he has given speeches to thousands of students at colleges and universities.