You're not as locked down as you think. It's utterly impossible to secure an organization without having the buy-in of the employees.
I sent an email on Monday to all employees at my organization, warning them about increased cybercrime during the Cyber Monday retail frenzy. It wasn't just out of the goodness of my heart.
Enterprise security relies more heavily on individual employee behavior than most folks realize. If you can start getting employees to improve their security behavior to protect their own assets, that improved behavior will spill over to their enterprise activities.
Crooks take advantage of shoppers who want a Really Good Deal. Only problem is, the Really Good Deal is how you Really Get Shafted. The bait is tempting: Who wouldn't want a $125 copy of Adobe Creative Suite instead of having to pay $1,800 at retail? The hook, unfortunately, is that you've just given your credit card and personal information to a criminal. And you may just have installed a trojan and/or keylogger on your computer along with the stolen software.
Employee behavior matters no matter what your security environment looks like. You may think your work environment is safe because you've locked down individual desktops to the point where nobody can install additional productivity software without IT's blessing. But let's say the victim installs the malware at home. The victim may well have remote access to the work environment, and the criminal at the other end of the malware can now access the work environment, in which case the massive protection of the work environment doesn't really help.
Most of the bad stuff comes in through email. Corporate email is typically locked down tight, except users are usually allowed to whitelist, creating another false sense of security. So now we have a scenario where the enterprise security manager is confident that scam emails aren't going to get by the filters. Except, the user gets a fraud email at home and thinks, "Wow, I really need that at work. I bet my boss will say yes." So he forwards the email to himself at work. Because he has already whitelisted his personal email, the message goes through.
But hooray, after he downloads the malware-infested stolen-software package that has an encrypted payload that your antivirus doesn't recognize, the criminals are still foiled because your group policies forbid installation by end users! Only problem is, while this employee is taking the time to pick up the phone and complain bitterly to his boss that, once again, IT is preventing money savings and/or innovation, the criminals are out having fun with the corporate credit card. Software battle, won; anti-crime war, lost.
I'm not making these scenarios up. During my years as a security practitioner I saw them--and far worse incidents--first hand. And I have come to the conclusion that it's utterly impossible to secure an organization without having the buy-in of the employees.
The problem isn't limited to Cyber Monday specials. Dell SecureWorks' CTU security team told me Monday morning that they've seen an uptick in malicious emails--airline e-tickets, canceled direct deposits, overnight shipping invoices. All of these scams include a malicious link that infects the hapless clicker with a variety of malware, including banking trojans.
All that's necessary are simple tips with a "what's in it for me" hook. And repetition. Most people must hear the message multiple times before it sinks in. They're being barraged with advertisements written by people who are (forgive me) smarter than you and me about good marketing. Repeat as often as you can without becoming a nuisance, and pound home the point that it's for their own personal safety.
My tips for Cyber Monday, and every day, included:
-- Anything that sounds too good to be true probably is too good to be true. "Save $2,570?" Really? If something usually costs $2,700, it's not reasonable to expect to pay $125 for it.
-- Respond only to specials from retailers with which you've done business. Random solicitations are an invitation for trouble.
-- Even for special offers that appear to be from reputable dealers, it's far safer to manually enter the website yourself (e.g., go to your browser and enter "amazon.com") than to click a link. Better safe than sorry!
Got more tips? Please share them.
Jonathan Feldman is a contributing editor for InformationWeek and director of IT services for a rapidly growing city in North Carolina. Write to him at firstname.lastname@example.org or at @_jfeldman.
Sensitive customer and business data is scattered in hidden corners of your infrastructure. Find and protect it before it winds up in the wrong hands. Also in the new issue of Dark Reading: The practical side of data defense. Download the issue now. (Free registration required.)