Complacent Cat

Complacent in Compliance.

Why Security Awareness should be baked into your organisation’s culture (and your survival instinct)

What is compliance?

Ultimately, many of us view compliance as boxes that need ticking. E.g.

Security Awareness Training  ✔

Annual Information Security Audit  ✔

Computers patched and up to date  ✔

Spam Filter in place  ✔

It’s all well and good to tick boxes, but is that enough to keep ourselves and our organisation safe? To that I say, “If we are lucky.” Determined criminals will always find a way in. Our job, as employees, is to make life more difficult for them. Having good security policies documented, and having them more or less enforced, is a start, but on its own that does little to really keep us secure.

I have dubbed myself “The Resident Paranoiac” here at Intuity for mostly humorous reasons, but there is a bigger meaning behind that moniker. I think it is prudent to maintain a healthy level of paranoia at all times, at least when it comes to Information Security. The most fragile element of any organisation’s security system is, more often than not, the people. This isn’t an attempt to shame or blame anybody, it’s just the harsh reality of the situation. It doesn’t matter how tightly sealed and iron-clad your network is, if a phishing email slips through the cracks and somebody clicks on the link, all that expensive hardware and those annual audits were for nothing.

What’s wrong with people?

People are great at being people; many of us just aren’t used to thinking about information security as part of our survival instinct. We’re trusting, we like to give others the benefit of the doubt, some of us aren’t adequately trained, and unfortunately… some of us just don’t care. We all have a job to do and we want to keep the machine running as smoothly as possible. This sometimes makes us overlook things with an “It’ll be fine!” attitude. Nine times out of ten, it is fine. Sometimes though… disaster strikes. Maybe you paid a fraudulent invoice that looked legitimate, maybe you opened a malicious attachment in a phishing email, or maybe you were on the go and needed to send a quick email using the WiFi at the local coffee shop. These are all things that can slip through the cracks and cost your organisation money or its reputation, or cost you your job.

That’s all pretty extreme, right?

I know, I know. That all sounds very dramatic. None of that has actually happened, right? There aren’t actually people like that, right? These kinds of incidents happen every day… don’t believe me? Google “Facebook invoice scam”. Check out these stats on cybersecurity incidents from phishing campaigns. Look around your office and ask yourself, “Who here has bent the rules just to get something done? Have I ever done that?” We don’t like to think about it, but these incidents are commonplace.

You might be inclined to console yourself with the fact that you work for an SME, but that only serves to make you feel better; it doesn’t make you safer. The newsworthy cybersecurity incidents we see are all at large corporations, because those affect many of us directly. Take the Equifax breach, for example. That involved the social security numbers of millions of Americans. The truth is, though, there’s a threat for every size of organisation. Just as there are large-scale attacks on corporations, so too are there small-to-medium sized attacks on SMEs. They just aren’t as newsworthy. If there’s a buck to be made, or personal information or a password to be stolen, you had better believe somebody is (or someday will be) trying to get it.

Threat Models and Automated Attacks.

Threat modelling is the process of determining who is a threat to you. Who would be likely to attempt an attack on you or your organisation? I’ve said this here before, but if your threat model is “Sure, who would hack us? We’re a small outfit!” then you’re not as in touch with your amygdala as I would like you to be. Very few attacks these days are specifically targeted; in fact, most are “spray and pray”. Most phishing attacks that hit SMEs are not highly customised spear-phishing attempts; they’re more akin to trawling: just a big net, and whatever gets caught gets caught. It might help to know just how automated attacks can be. Let’s walk through some examples to demonstrate this:

First, an automated website scanner is trawling the web. This scanner is aware of hundreds and hundreds of documented vulnerabilities in just about every web server software out there. In addition, it has a corresponding exploit ready to deploy for each of these vulnerabilities. This bot can automatically find vulnerable services and exploit them without any human interaction. The same example applies to sophisticated spam bots: the chain of events from discovering your email address to sending you the email with the malicious link can all be automated. This means that it doesn’t matter how big or small your outfit is; if you’re on the internet, automated attacks will come across you eventually. A third and final example (and in my opinion one of the scariest) is the NotPetya attack. This attack was intended to target the entire nation of Ukraine by infecting a widely used piece of accounting software specific to Ukraine. Because the malware was self-spreading (a worm), it ended up affecting many other people. The global shipping conglomerate Maersk was brought to a complete standstill by this attack, and they weren’t even the intended target. Automated attacks are indiscriminate. Think about what that means: the attack doesn’t know or care who you are or what you do; if it can find you, you’re a target.

Automated attacks are just one of the many forms of attack you and your organisation might face. When building out your threat model, it’s critical to consider the factors that might make you a target. Are you a financial institution? That makes you a high-value target: not only do you hold personal records for all your customers, but access to your financial systems could prove lucrative for a resourceful bad actor. If your organisation is not spending time constructing a threat model, then when disaster strikes, you’ll be at even more of a disadvantage. The worst time to put on your seatbelt is just after you’ve crashed your car, and the same applies to Information Security policies and practices.

You are the first line of defence.

Security for your organisation starts with you. As I said, it doesn’t matter how watertight your network security is or how locked down your Active Directory rules are; if you can be duped by a criminal, then it’s game over. Did somebody send you an invoice? Call them at the number you already have in your directory (not one printed on the invoice) and verify it. Did you get an email from Dunnes with a gift card? Why are you receiving promotional materials at your work email? That’s suspicious.

Not everything malicious is obviously suspicious; oftentimes the most effective forms of attack seem completely benign and everyday. This is why we must be skeptical of all communications and activity, even if it causes minor inconvenience to those involved. It is better to have verified and taken an extra 5 minutes than to have trusted blindly and gotten burned as a result. This is where compliance stops mattering as much. You can be 100% compliant, but if you’re not actively conscious of security, then your compliance is a checked box that means nothing. Like I said in a previous blog post, follow the old Russian maxim: “Trust, but verify”.

Security is hard because it’s worth doing.

Being security conscious can be a real pain, I know. It can introduce inconveniences and frustrations, and it can feel pointless when you’ve never actually been attacked. It’s the perfect setup for complacency when you think about it. “We’ve never been attacked, so why bother with all this extra effort?” is an easy mindset to slip into. Those who have been attacked, however, know all too well the dangers of complacency. If you’re not the most competent with Information Security practices, you could be forgiven, as long as you try to learn and keep up with policy. However, there is a subset of people who simply don’t care. Indifference to best practices, an above-the-law attitude, and reckless abandonment of security awareness are the hallmarks of a walking liability, and such attitudes have no place in the modern ecosystem.

So, where’s the pitch?

Alright, you’ve got us. We use this blog to promote our services and this post is no different, although I would like to stress that I stand 100% by what I said in this post. We can’t give you a one-size-fits-all cybersecurity solution, but we do offer a few services that can help make you more secure. We offer Security Awareness training, which covers quite a wide array of topics such as physical security, phishing, and vishing. We also perform IT Vulnerability Assessments, which provide a review of network security, configuration issues, software vulnerabilities, and system hardening opportunities, as well as the physical access and information security of your office(s).


If you are interested in any of these, or if you have further questions, don’t be a stranger. Call our team today at 0818 987 900 or email sales@intuity.ie