Creating a culture of security to defend against social engineering attacks By Christopher Hadnagy
8 | Chief IT Magazine
he Fifth Annual Benchmark study on Privacy and Security of Healthcare Data by Ponemon Institute (https://www2.idexpertscorp.com/fifthannual-ponemon-study-on-privacy-security-incidentsof-healthcare-data) has recently revealed what others have long perceived: There has been a shift in the root cause of data breaches from accidental to intentional. While 90% of healthcare organisations represented in the study had experienced a data breach, for the first time, criminal attacks are the number one cause of these breaches. Criminal attacks are highly targeted. When it comes down to it, attackers will stop at nothing to break into an organisation. They will use whatever means necessary to infiltrate, especially if those means are low risk. It’s far easier for attackers to bypass technical controls and exploit human nature to breach an organisation than to compromise a network surrounded by technical controls. Unfortunately, there is plenty of overlap between the proactive criminal and the unsuspecting employee that really adds fuel to the fire. Despite the balance of breaches shifting to criminal activity, organisations are beginning to recognise the importance of starting with employees first. According to Ponemon’s study, the data backs this up, as healthcare organisations rank employee negligence as a top concern when it comes to the exposure of patient data. Employee negligence goes far beyond the occasional lost or stolen laptop. What about when an employee accidentally discloses confidential data? A whopping 70% of Ponemon survey respondents admitted that careless or negligent employees are responsible for the most concerning security incidents
impacting their organisation, but what can be done to help? Also, in Australia, the Australian Signals Directorate has openly acknowledged that Social Engineering tops the list of threats to Australian businesses, so it’s a true concern and one that doesn’t have an easy answer. Ask yourself, do your employees know what a phishing email is? Is there a process in place for the verification of a caller’s identity? Do you have a process in place to report security incidents? If you’re unsure of the answers to one or more of these questions, odds are you are not engaging in a culture of security. What does a culture of security look like? A culture of security begins with active testing and training of employees for security awareness. Employees who know they are being actively tested have heightened awareness for security initiatives and are more apt to shut down an attempt to exfiltrate information or breach confidential client data. Buy-in for the culture of security should start at the top of the organisation and build down: this makes it the responsibility of each and every employee to contribute to this culture of security. Exposure, exposure, exposure! Not only should organisations implement continuous training initiatives, but they should also work to publicly reward employees who successfully respond to or report security incidents.
Published on Jul 19, 2016
ChiefIT.me Magazine covers the domains of Information Technology and Innovation. Be kept up-to-date with all the latest industry news and pr...