Friday, August 26, 2016

How to shut down the easiest path for hackers into your organisation

In the news today is a story about how the Department of Prime Minister and Cabinet has issued guidance to staff on how to manage their personal profiles on Facebook.

According to the The Age's article, 'Nanny state!' New crackdown on public servants' Facebook the department "now insists its public servants lock their personal Facebook accounts with the tightest possible privacy settings and tells them how to configure their passwords".

Based on The Age's article the policy states that "Profiles must use a robust and secure password to protect the account from brute-force hacking attempts".

"This password must be at least seven characters long and contain a mixture of punctuation and alpha-numeric characters".

The policy apparently threatens disciplinary action and even dismissal for non-compliance for both staff and contractors.

I've not yet read the policy so can't comment on the details, and there's also apparently some other parts of the policy dealing with what public servants can comment on, which I don't expect to agree with.

However, I find the advice on security and passwords as fair, long overdue, and something that all organisations should consider providing to their staff.

Hacking is fast emerging as one of the most significant commercial risks for corporations and public agencies, with organised crime and nation-states mobilising sophisticated teams of computer hackers in the search for commercial and political advantage.

Few weeks go by without a major international company or online service being hacked for data, and alongside this the growth of ransomware - where hackers lock organisations out of their own systems and demand money for access - is proving to be a challenge worldwide.

Many large organisations have extensive security provisions in place to protect their data and services against hackers and security advisors are working as hard to keep their system protected as hackers are to find new ways in, in a cyber cold war.

However IT systems are not the only way into an organisation's data heart. 'Social engineering', a term referring to coercing staff to create a chink in an organisation's security armour, is increasingly one of the easiest ways for hackers to sidestep security professionals.

Social engineering takes many forms.

Leaving USBs with malware at a location where staff might pick them up and unsuspectingly put them into an organisational system, sending them email attachments supposedly containing cute kittens (with a cyberworm inside), fooling them with a fake email from security into believing they need to reset a system password by clicking on a link - which gives a hacker access.

There are many many ways in which employees can be fooled, even the most highly intelligent people, and used to evade or break their organisation's security.

Even if people can't be fooled, there's ways to get critical information about them which can provide clues to passwords, or provide blackmail opportunities.

For example, many people still use memorable passwords - children's names and dates of birth, anniversaries, pet and street names, achievements and more. With a little digging through publicly available information, or even information compromised from a weaker external service, hackers can quickly create a potential password list which might give them a route into a more secure system.

Unfortunately many organisations have been slow to address this threat by educating and supporting staff on protecting ALL their information online - from their secure employee logins, to their Facebook accounts and random mailing lists they sign up to.

This education is important not simply for the organisation's security, but for the personal security of individual staff members, who are also at risk from hackers who simply want to steal from them.

In fact there's every reason to believe that well constructed advice to an organisation's staff on protecting themselves online will be well received. It not only protects the organisation, it protects each individual staff member and often their families as well.

So what PM&C is doing with suggestions on passwords and locking down Facebook isn't a 'Nanny State' act - it's a sensible step that every organisation should be doing to protect their commercial information and client data, and to protect their employees.

Now a 'policy' may not be the best structure for this education - I strongly recommend that every organisation should have a 'security awareness' module in their induction program, and ensure that all existing staff receive regular training on how to protect themselves and the organisation they work for from external hacking threats.

This needs to be regular, not once-off, because of the rapid evolution of hacking and IT systems. New threats emerge regularly, as do new social engineering attacks.

Training all staff on how to secure ALL their online accounts is becoming vital for organisations that are serious about security.

In fact I believe that organisations who lose control of personal, private or confidential client, staff or government data should be penalised more harshly if they've not taken steps to guard against social engineering through staff training.

So if your organisation wants to continue to improve your security, don't simply invest in new IT systems and security advisors. Regularly train your staff on how to protect themselves online and they'll help you protect your organisation.

No comments:

Post a Comment