While the mental image of masked gunmen raiding a bank at gunpoint might have struck fear into the hearts of bank tellers on the silver screen, the threats facing businesses today are less dramatic, yet the stakes are just as high.
In the digital age, companies run their businesses electronically. Likewise, would-be con artists have taken to these digital platforms to disrupt, cripple, and steal from organizations through techniques such as phishing scams, password spray attacks, and denial of service attacks. The laundry list of things that keep IT professionals up at night seems to grow by the day.
Many programs and tools geared towards protecting organizations from potential threats are touted as using the best technology available. However, one security tool that I feel is often overlooked in discussions of how to better protect one's environment is the human element.
I’ve worked with many of Microsoft’s security tools for customers using the cloud-based Office 365 suite and have helped clients implement products such as Multi-Factor Authentication (MFA) to further secure their environments (I also recently passed Microsoft’s new Security Administrator Associate exam, which should give you an indication of my level of interest in security). Controls like Data Loss Prevention (DLP) are great for making sure sensitive company data does not leave the organization through human error, i.e., preventing Brenda in accounting from accidentally forwarding an email containing several bank account numbers to an external recipient. But in my experience, machine learning and user access controls can only go so far.
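To make the DLP scenario above concrete, here is an added example of the kind of check such a control performs on outbound mail. It is my own simplified illustration, not Microsoft's DLP engine or its rule syntax: the internal domain, the sample messages, the account numbers and the "one routing number or two account-like numbers" threshold are all assumptions constructed for this example. The one piece of real logic is the ABA routing-number checksum, which lets the scanner tell a plausible routing number from an arbitrary nine-digit string.

```python
import re
from typing import Iterable

# Constructed for this example: the organisation's own mail domains (hypothetical).
INTERNAL_DOMAINS = {"contoso.example"}

# Nine-digit runs are candidate US ABA routing numbers; the checksum test below
# weeds out random digit strings. Runs of 8-17 digits are treated as possible
# account numbers. The lookarounds keep a long run from being split into pieces.
ROUTING_RE = re.compile(r"(?<!\d)\d{9}(?!\d)")
ACCOUNT_RE = re.compile(r"(?<!\d)\d{8,17}(?!\d)")


def is_aba_routing_number(digits: str) -> bool:
    """ABA routing-number checksum: weights 3,7,1 repeated over nine digits, sum mod 10 == 0."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    d = [int(c) for c in digits]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0


def external_recipients(recipients: Iterable[str]) -> list:
    """Recipients whose mail domain is not one of ours."""
    return [r for r in recipients if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def find_bank_identifiers(text: str) -> dict:
    """Checksum-valid routing numbers, plus any other account-like digit runs."""
    routing = [m for m in ROUTING_RE.findall(text) if is_aba_routing_number(m)]
    accounts = [m for m in ACCOUNT_RE.findall(text) if m not in routing]
    return {"routing": routing, "accounts": accounts}


def evaluate_outbound(message: dict, account_threshold: int = 2) -> dict:
    """Assumed policy: block when any recipient is external AND the body carries a valid
    routing number or at least `account_threshold` account-like numbers."""
    ext = external_recipients(message["to"])
    found = find_bank_identifiers(message["body"])
    sensitive = bool(found["routing"]) or len(found["accounts"]) >= account_threshold
    return {"blocked": bool(ext) and sensitive, "external_recipients": ext, "found": found}


# Constructed sample traffic. The numbers are made up; 123456780 was chosen
# purely because it satisfies the checksum.
PAYMENT_BODY = "FYI, routing 123456780, acct 00012345678 and 98765432101 for the Q3 payments."
SAMPLE_MESSAGES = [
    {"id": "fwd-to-vendor", "from": "brenda@contoso.example",
     "to": ["billing@vendor-example.test"], "body": PAYMENT_BODY},
    {"id": "internal-only", "from": "brenda@contoso.example",
     "to": ["cfo@contoso.example"], "body": PAYMENT_BODY},
    {"id": "harmless-external", "from": "brenda@contoso.example",
     "to": ["billing@vendor-example.test"], "body": "Invoice attached; see ticket #4521."},
]


def run_policy(messages=SAMPLE_MESSAGES) -> dict:
    """Evaluate every sample message and key the verdicts by message id."""
    return {m["id"]: evaluate_outbound(m) for m in messages}


if __name__ == "__main__":
    for msg_id, result in run_policy().items():
        action = "BLOCK" if result["blocked"] else "allow"
        print(f"{msg_id:18} {action:5} external={result['external_recipients']} found={result['found']}")
```

The same message body is allowed when it stays inside the organisation and blocked the moment an external address appears on the recipient list, which is exactly the "accidental forward" case; the checksum keeps ticket numbers and similar noise from tripping the rule.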
The attacks I've seen in the wild have been increasingly geared towards exploiting users themselves. An email comes in that appears to be from the CEO, who is using his personal Gmail account because he is “out of the office and needs an emergency wire transfer processed right away!” In this instance, a human being is all that stands between your organization and a malicious threat actor hoping to get six figures of corporate moolah deposited into their account. Having a process in place to confirm this sort of request before hitting the send money button goes a long way towards securing the environment in a way that spam filters and virus protection cannot.

I recommend that organizations provide mandatory security training to their users for this reason. Employees are the backbone of the organization, and in being part of that organization each user becomes obligated to use company resources responsibly. Instructing users on both the severity of these threats and best practices when using these digital tools empowers them to take accountability not just for their own actions but for the community overall. In this day and age, putting a lock on the filing cabinet unfortunately isn’t enough to secure confidential information when the sensitive data now lives on a hard drive or somewhere in the cloud. Making sure your users understand that they too have a role to play in keeping your digital estate secure reduces the likelihood that someone will click that link in their email to win a free $100 gift card.
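The "CEO on Gmail needs an urgent wire" message described above has a recognisable shape, and the same signals a trained employee is taught to notice can be scored automatically to route the message to out-of-band verification. The following is an added example of my own, not code from the post or from any Microsoft product: the executive directory, the freemail list, the keyword patterns, the sample messages and the "impersonated executive, or freemail sender pushing an urgent payment" rule are all constructed assumptions for illustration.

```python
import re

# Constructed directory of people worth impersonating: display name -> corporate address.
EXECUTIVES = {"jane doe": "jane.doe@contoso.example"}
# Consumer mail providers an executive would not normally use for business (assumed list).
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Keyword patterns for the three tells in the scenario: pressure, money, and an
# excuse for why the request cannot be confirmed the usual way.
URGENCY_RE = re.compile(r"\b(urgent(ly)?|right away|immediately|asap|emergency)\b", re.I)
PAYMENT_RE = re.compile(r"\b(wire transfer|wire|transfer|gift cards?|payment)\b", re.I)
UNAVAILABLE_RE = re.compile(r"\b(out of (the )?office|in (a )?meetings?|travell?ing|can'?t talk)\b", re.I)

# Splits 'Display Name <addr>' (optionally quoted) into its two parts.
FROM_RE = re.compile(r'^\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$')


def parse_from(header: str) -> tuple:
    """Return (display_name, address); a bare address yields an empty display name."""
    m = FROM_RE.match(header)
    if m:
        return m.group(1).strip(), m.group(2).strip().lower()
    return "", header.strip().lower()


def score_bec(message: dict) -> dict:
    """Score one message for business-email-compromise signals and decide whether
    it must be confirmed out of band (by phone, or in person) before any action."""
    display, address = parse_from(message["from"])
    domain = address.rsplit("@", 1)[-1]
    expected = EXECUTIVES.get(display.lower())
    body = message["body"]
    signals = {
        # A known executive's name on an address that is not theirs.
        "impersonated_executive": expected is not None and address != expected,
        "freemail_sender": domain in FREEMAIL_DOMAINS,
        "urgency": bool(URGENCY_RE.search(body)),
        "payment_request": bool(PAYMENT_RE.search(body)),
        "claims_unavailable": bool(UNAVAILABLE_RE.search(body)),
    }
    # Assumed rule: executive impersonation alone is enough; otherwise require a
    # freemail sender combined with an urgent payment request.
    verify = signals["impersonated_executive"] or (
        signals["freemail_sender"] and signals["payment_request"] and signals["urgency"]
    )
    return {"score": sum(signals.values()), "signals": signals, "verify_out_of_band": verify}


# Constructed sample messages.
SAMPLE_MESSAGES = [
    {"id": "ceo-gmail-wire", "from": '"Jane Doe" <jane.doe1234@gmail.com>',
     "body": "I'm out of the office and need an emergency wire transfer processed right away!"},
    {"id": "ceo-corporate", "from": "Jane Doe <jane.doe@contoso.example>",
     "body": "Please process the vendor payment by Friday."},
    {"id": "vendor-invoice", "from": "Bob Vendor <bob@vendor-example.test>",
     "body": "Your invoice is attached."},
]


def triage(messages=SAMPLE_MESSAGES) -> dict:
    """Score every sample message, keyed by message id."""
    return {m["id"]: score_bec(m) for m in messages}


if __name__ == "__main__":
    for msg_id, result in triage().items():
        flag = "VERIFY" if result["verify_out_of_band"] else "ok"
        print(f"{msg_id:15} {flag:6} score={result['score']} {result['signals']}")
```

Note that the legitimate request from the real corporate address scores low even though it mentions a payment: the rule keys on the mismatch between who the message claims to be from and where it actually came from, which is the same question the confirmation process asks a human to answer.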