Security is Only As Good As Your Weakest Link

Additionally, you also have to consider past the first step of a possible attack. The hardest part of a hacker’s task is to get in the front door, the rest is easier. Once they have the access to a user’s account (any user), they have gotten past all those sophisticated security systems you have purchased and worked so hard to implement, they are now on the “inside”. No policy or procedure will stop them, it’s too late.

I am not trying to diminish the value of all of these advanced security tools that exist in the world today, because they certainly do help. The point I am rendering is that you are never really “secure” due to the “human” factor. A good hacker will always find a way in and more often than not, it is through a person that just doesn’t know any better. If you look at one the most famous hackers of our day, Kevin Mitnick, most of his successful hacks involved some form of social engineering. I watched a special on him years ago, when he convinced a high level security professional to give out his password over the phone. He had a way with people and had the uncanny ability to gain their trust.

So what do I suggest you to do about this?

The obvious answer is training. Train your people, train your staff, and train the executives.

The most uneducated person regarding technology will probably not listen or perhaps may just not understand the training. I want to bring this to your attention because it is rarely thought about when administering training classes on security. The instructors seem to take it for granted that most, if not all users are technically savvy or even competent and thus train at that level. I know recently when I sent an internal email about a new virus and vulnerability to my own company some people did not even bother to read the email. They either don’t see it as important to their job or they just don’t feel it is worth their time to read. Either way it gets missed or dismissed. You can take all avenues of precautions and make every effort to present and educate all the data to all your users, but that doesn’t mean they will read it, understand it or adhere to it.

This is where it gets problematic, how do you protect your organization from this huge unknown? We have tried throughout the years to protect users from themselves by locking them down and building the tools but, at the end of the day they are still “users” and not security professionals.

Understanding the war that is going on between security professionals and hackers is a good first step. As soon as a security product is released, a hacker’s mission is to find a way around it. There remains one simple truth to life “there is always someone smarter than you,” and this certainly applies directly to data security and to those naive people who think they have built a tool that cannot be circumvented—the mere thought of an un-hackable tool is a losing proposition.

We are all doing a decent job keeping our networks secure or at least believe we are, but how can we really be sure nothing bad will happen?

It is possible that you can even give employees a simple test to ensure they have the basics down of what is acceptable before hiring them but that would slow down a hiring process that already seems to barely be crawling along. Having this basic knowledge can help greatly but there is no silver bullet for security, at least not yet! Mistakes do happen.

As always I welcome a healthy conversation on the topic below from our community to share their experiences and their thoughts.