Key to a Resilient Security Strategy
Top IT security experts from around the world discuss holistic approaches to IT Security – including patching human vulnerabilities
The International Data Corporation (IDC) IT Security Roadshow has travelled through Central Europe and Africa over the last two months, and today Johannesburg hosted top security experts from around the world, who met to share experiences and approaches for countering the rise in sophisticated IT threats.
“Cybercrime is here to stay: it is both a product of the Internet age and part of the overall crime landscape. So it would be unrealistic to think in terms of ‘winning the war’; rather, it’s about finding ways to mitigate the risk, and one of those risks is human fallibility,” says David Emm, Senior Regional Researcher, UK, Global Research & Analysis Team at Kaspersky Lab. “Notwithstanding the technical sophistication of today’s malware, cybercriminals often try to exploit human weaknesses as a way of spreading their malicious programs.”
This should come as no surprise, as humans are typically seen as the ‘weakest link’ in any security system. Securing a house provides a simple example: you can have the finest burglar alarm in the world, but if you don’t set it, it offers no protection at all. The same is true for online security. Cybercriminals continue to make extensive use of social engineering – tricking people into doing something that undermines their own online security.
“We see this in the continued success of phishing scams, designed to lure people to a fake website to disclose their personal information. And just like pickpockets, online scammers follow the crowds. Given the ever-increasing number of people who use Facebook, MySpace, LinkedIn, Twitter and other social networking sites, it’s no surprise that cybercriminals are increasingly targeting these services,” adds Emm.
One of the problems with social engineering-based attacks is that they form a moving target: successive scams never look quite the same. This makes it difficult for individuals to know what is safe and what is not.
Emm continues: “Common sense often suggests that if something seems too good to be true, it probably is. However, the same common sense may not result in the understanding that taking action – in this case, clicking on a link – could be harmful.
Technology, of course, is a core part of any solution for dealing with such malware, but I believe it would be unwise to ignore the human dimension of security. We need to find imaginative ways of ‘patching’ human resources as well as securing digital resources.”
For businesses and other organisations, staff education should be one of the core building blocks of an effective security strategy. Employees need to be told, in simple, straightforward language, what the threat is. They need to understand what protection measures the organisation has deployed, why, and how these may affect them in carrying out their duties. A security strategy is far more likely to be effective if staff understand and support it. It is also essential to create a culture of openness: staff should be encouraged to report suspicious activity rather than hide it for fear of disciplinary action. If employees feel threatened, or are made to feel incompetent, they will almost certainly be less co-operative.
However, such threats are not just a business issue. Most people who use the Internet from home face the same problems. The industry therefore needs to come together to raise awareness across society and to develop effective methods for minimising the risks associated with online activity.
“The purpose of platforms such as the IDC IT Security Roadshow is to discuss technology and education as a way to minimise the risk to society. Since many of today’s cyber attacks target human fallibility, it’s essential to find ways to patch these human vulnerabilities just as we strive to secure computing devices,” concludes Emm.