What’s the easiest entrance point for a hacker to attack your organization?
In the previous two blogs in this series, we discussed how technology and policies are an integral part of the information security posture needed to protect your firm from attack. However, at the end of the day, those efforts will fall very short if we don’t also address the human element.
The number one way into an organization is through people. The result may end up exploiting technology vulnerabilities and/or procedural gaps in a firm’s policies, but the entrance almost always comes through people. We have a people problem. If we are going to solve this problem, we must help the people in the firm understand that information security is part of EVERYONE’S job. This is not just an issue for leadership or IT. EVERYONE has a part to play in protecting the information the firm has been entrusted with.
Understanding “the why” behind our information security efforts and the important role that everyone should play goes a long way to help people understand their part in the effort. Without the “why” people see the information security measures as burdensome and impeding their ability to get their work done. We must change the message. We can’t just say “NO! Don’t do things!” We should say “Yes! Do these things …and here’s why!” You will see a remarkable change in people when they realize that we must do this together to protect what’s important to all of us.
INTERESTING NEW INSIGHT
The National Institute of Standards and Technology (NIST), a part of the U.S. Department of Commerce, recently revealed a study they conducted that uncovered an interesting new phenomenon. It’s called “Security Fatigue”. In short, people hear about information security attacks, breaches, horror stories, etc. and the response to all this information is an overwhelming sense of futility. “I can’t understand it and I can’t keep up with it, therefore, I’ll just do nothing and hope for the best.” This is a dangerous mindset and is brought on when we continually lace the message of information security in fear and scare tactics. If I am someone who wants to get your information, I am hoping that you have security fatigue.
It’s a fact that people are hacked more often than systems, by far. It is also a fact that part of the human condition is to think, “That will never happen to me.” This presents an ongoing challenge that must be addressed.
WHAT TO DO
If you want to successfully assess and address the people side of your information security vulnerabilities and risks, at a minimum you should include these three components in your plans.
It may seem strange, but if we are going to assess our vulnerabilities, we have to test the areas of risk. This includes testing our people.
By now, most people are familiar with phishing scams. We’ve all gotten emails that were unsolicited, poorly written and obvious forgeries. Those are the phishing scams of the past. Today these very smart people are highly motivated and patient and know the “art of the con”. They are also switching to a far more sophisticated tactic: Spear Phishing. This term refers to the hacking technique that doesn’t cast a wide net by sending a thousand emails. It targets an individual with a single email. It is far more effective to appear trustworthy to one person with information specific to them. This type of email is highly effective and is rarely caught by spam filters. Spear phishing now accounts for over 90% of the successful inroads into an organization.
Phishing tests, both emails and phone calls, should be a part of our ongoing information security efforts. The information gained from these tests can be very powerful in educating your people.
We shouldn’t stop at phone calls and email phishing tests. The hackers won’t. Gaining access to your firm information often gets much more brazen and clever than that. So, we too should include social engineering in our penetration tests and vulnerability assessments.
First, just try to gain access to your space. If someone walks boldly into your office, looking confident and professional, would you stop them? I’ve personally performed this test more times than I can count and I’ve never been questioned. Why? Because I never look out of place. We may have implemented information security measures at entry points, but we all know how easy it is to tailgate behind another person with access. What if the person behind you has their hands full, or better yet, is using crutches? Polite society dictates that you turn and open the door.
- Once in, try to gain information or access to systems. This can be done in many ways.
- Ask the receptionist to print out something from a USB drive for you. USB drives are a very serious vector of attack.
- Drop USB drives around as bait.
- Look for opportunities to be left alone with access to a firm computer (e.g., while someone goes to get you coffee).
- See how far you can walk around within the firm before someone speaks to you.
- Look for information readily visible in paper form laying around.
- Pretend to be the electrical contractor called in by IT to address an issue in the wiring closet.
Information Security Awareness
Once you have the information from your penetration tests and vulnerability assessments, it’s time to use that information for good. An ongoing Information Security Awareness Program is essential in your information security posture. Here are some key elements of an effective Information Security Awareness Program:
- It should be immersive without being disruptive.
- It should be an ongoing part of the regular dialog at the firm and not just a once a year discussion.
- It should include active and visible sponsorship from leaders at all levels of the organization.
- It should include relevant stories of threats facing the legal industry.
- It should also include relevant stories about your very own firm. This is a good place to inform people of the phishing and social engineering results.
- NOTE: Don’t go for a “wall of shame” and post names of those that fell for the phishing tests. Sanitize the results, remove names, use percentages, and let people know that this happened right here at your own firm.
- It should ALWAYS emphasize the WHY and encourage people that we are ALL in this together.
People are our biggest asset and we need to invest in educating them as to their role in protecting the valuable information we interact with every day. Help them find their “WHY” in this effort and how important they are. One person can make all the difference in the world.
TECHNOLOGY – POLICY – PEOPLE
All three of these things work together to comprise your overall information security posture. None of them stand alone. A gap in any one of them puts your firm in a vulnerable place. It takes effort to maintain each, but it is worth it to meet our responsibilities as good stewards of the information we’ve been entrusted with.
HOW CAN WE HELP YOU?
If you would like more information about OnGuard, our Information Security Awareness Program or any of the Information Security Services we provide, we would love to hear from you.
WANT TO HEAR MORE?
Please feel free to listen to the “How to Hack a Law Firm” session recorded at ILTACON 2017, courtesy of the International Legal Technology Association.