Posted by Geraldine Hunt on Tue, Mar 13th, 2012
Do your employees have common sense when it comes to email & web security? The best protection against malware, spam, hacker attacks, policy violations and other email and web threats is a layered set of defenses in which software, services, hardware and policies are used to protect data and other assets at the network, system and application levels. However, an obvious – but often-forgotten – layer in this cake of protection is the common sense of your users – one of the critical layers to prevent threats from gaining a foothold. As the picture says, 'just because you can, doesn't mean you should'; this is where common sense comes into play.
Lack of proactive measures to deal with attacks can cost companies financially through the loss of data and system downtime.
For example, social media tools are a great way for users to share information, opening up new and powerful ways to engage with a company’s customer base. On the other hand, they can expose a business to security threats and reduced network productivity, and they give a spear phisher or whaler an easy way to target someone.
Spear phishing is a growing issue in which a targeted false email that appears to be legitimate is sent to individuals or a company in order to access data. For example, as I write this I’m looking at the Facebook page of someone with whom I am not connected. I can see that she is a realtor, has listed a home at 657 Noble in [city name withheld], was born on January 26th, has a dog named Lou, is a member of the Agent Leadership Council at a southern California realty organization, goes ice skating, lives in Thousand Oaks, speaks French, and took a trip to Orlando on February 11th. If I were a bad guy intent on sending her a spear phishing email – perhaps with the intent of infecting her PC with Zeus – I could use this information to craft an email that she would be likely to open. For example, an email with the subject line “Need to schedule a vet appointment for Lou” or “We mistakenly overcharged you on your recent trip to Orlando”, or perhaps a LinkedIn invitation that includes personal details, would likely get her attention and increase the chances of her becoming a victim of a spear phisher. This is not to say that this Facebook user lacks common sense, but the information she has posted could be used against her and her company and needs to be evaluated in that light.
Why Common Sense Needs to be the First Layer of Security
Spam filtering technology is highly effective at blocking spam emails that contain links to malware sources (albeit with some spam filters more effective than others). The RSA exploit in April 2011, in which some employees received an email with an Excel attachment, was the result of spearphishing emails that were effectively quarantined by spam filtering technology, but later opened by employees from the quarantine. A spearphishing email at the Oak Ridge National Laboratory in April 2011 was received by 530 employees, 11% of whom clicked on a malicious link. Many users are not sufficiently skeptical when asked for information. For example, before last year’s royal wedding between Prince William and Kate Middleton, a Facebook scam was making the rounds asking respondents to create their royal wedding guest name. This name consisted of one grandparent’s name, the name of a first pet, and the name of the street on which the victim grew up – all likely responses to security questions one might get asked when resetting a password.
Without common sense, email and web security is less effective
A study by Trusteer found that 73% of Web users employ the same online banking password that they use at other Web sites. Educating employees around a range of security issues is an important step that many companies ignore. The bottom line is that common sense exercised in the normal course of using corporate systems – mixed with a bit of skepticism – needs to be the initial line of defense to protect systems, financial accounts, sensitive data and other assets from compromise. Without it, technology is less effective and organizations are at greater risk. It only takes one employee opening the wrong email to give access to sensitive company data or to bring a whole company’s IT systems to a halt.