Hardly a day goes by without some media outlet reporting a form of fraud related to a financial institution. I’m afraid to say that social engineering attacks where people receive an email directing them to verify their credit card or tax refunds through a phone number will continue as long as scammers find them profitable. Trade associations such as APACS do a fine job educating people to question the validity of such requests, but individuals, whether at work or in the office, need to take a step back and apply some common sense, or it might not just be your money going missing, but that of the company too.
When businesses seek to protect themselves from security breaches, it’s vigilance that provides the first and last line of defence. Some of the examples I’ve listed demonstrate that there are a multitude of ways into your system and those are just through age-old delivery methods such as email. So what else have you got to look out for?
Your business doesn’t operate in isolation. Whether you like it or not, consumer technology gets into the workplace, but you shouldn’t necessarily view that as a bad sign. Back in November we conducted research that showed that 33% of UK workers now use some form of social networking tool while at work. Unmonitored or unapproved tools such as these can provide a back door into your business if your employees aren’t aware of the risks and the measures they need to take.
A third of users admitted to opening or replying to messages from unknown contacts and one in 10 users admitted to having already caused their IT system problems by downloading unknown applications. Now I know you’re probably already scribbling a reminder to ban these tools at the first opportunity, but read on and you’ll see how this is a shining example of security as the liberator of businesses.
One in 10 people who use social media such as Facebook, MySpace, Bebo or LinkedIn at work claim that these tools have given them greater confidence when using computers or other technology. And 8% claim that these tools have allowed them to meet new business contacts. These applications are usually free, so aren’t you saving money on training or networking if your employees gain these benefits from using them?
Educate your employees; follow my tips and hey presto! You’re on your way to confident, happy employees seeing real business benefits, while you can rest safe in the knowledge that valuable company information and your vital IT network is protected. Not! No, it’s not quite that easy, but you see where I’m going.
So a picture is developing of a world where ‘out of sight’ doesn’t mean ‘out of harm’s way’. Many businesses are driving towards flexible or mobile working, and there are numerous business benefits that can be experienced as a result. But security in the mobile world isn’t just about making sure you don’t leave your laptop on the train. Many mobile devices have email applications built in and even one of these in the right hands can be used to access your company’s system if you don’t consider the necessity of an all-round defence. Mobile phones, PDAs, laptops, even MP3 players… if you and your employees can use them so too can criminals.
Security awareness isn’t about preventing the apocalypse; it’s about increasing the value the internet can bring your business. IT security is about people, process and technology. Educate your employees; get the right technology, and use it in the correct manner.
People often ask me at what point can they be satisfied that they’ve done all they need to do. I always advise that ‘being secure’ is a work in progress. Just as the criminal element continually evolves so must being secure. And if something does go wrong, you can always send me an email; I would love to hear from you.
Ed Gibson is a former FBI agent and now IT security chief at Microsoft. He can be contacted at EdGibson@Microsoft.com or email support is available at