For more than 20 years now, hackers and cyber-criminals have been breaking into computer systems and networks. And for just as long a period of time, manufacturers, networking folk and cyber-security personnel have been developing devices, controls and processes to prevent these people from getting in and raising havoc. The “bad guys” come up with new ways to compromise system security, and then the “good guys” come up with new ways to protect it. Back and forth, forth and back, back and forth… it never seems to stop!
You wouldn’t think it would continue to be that way. After all, the good guys have made real progress over the years. Perimeter security that was so easily compromised in the 90’s is truly robust now, and there are lots of products and services out there to help prevent, detect and respond to compromises. Companies, institutions and government entities are becoming increasingly aware of the importance of computer and network security, and they are devoting more resources to the problem on a continuing basis.
But despite all these efforts, there are more data breaches and denial of service attacks than ever! Why is this happening? How can we have all these great techniques in place and still be losing the race? I have become firmly convinced that it is because we continue to throw machines and technology at the problem, and refuse to understand that information security is a human problem, not a technological problem. In fact, the technology has very little to do with it. If the bad guys can’t find a technological way to compromise systems, they just find human ways around the problem.
That is why the number one root vector for computer and network compromise today is the use of social engineering techniques, especially phishing attacks. The fact is that computer and network resources must be available to legitimate users, and those users must be allowed to access those resources. This means that if the bad guys can emulate legitimate users well enough, they can gain access to those resources too.
Although you can employ some technological techniques to counter this, such as multi-factor authentication and strict configuration control, your most effective recourse is to use your own employees to deal with phishing. And how do you get humans to perform effectively? You use incentives.
Incentives can be either negative or positive. Negative incentives include penalties for poor performance such as fines, loss of rank, termination of employment or legal prosecution. The military is big on these kinds of negative incentives. Positive incentives include public recognition, bonuses, promotions, vacation time… even a primo parking spot or your picture on the wall of fame will do. For most organizations I definitely recommend going the positive incentives route. Give your employees a tangible and desirable reason to help in your security efforts and you can save a lot of money on products and services that won’t work nearly as well.