My children will often protest an evening bath with the argument that they “already took a bath” sometime in the preceding several days. Their plea is frequently delivered from under several layers of fresh dirt and grass stains. Unfortunately, we sometimes see the same attitude towards information technology security, with business owners and employees complaining that they “already did security”. But much like the muddy field down the street, the IT security landscape has a way of regularly working its way under our fingernails and needs frequent attention to keep things clean and up to standards.
According to the Verizon 2016 Data Breach Investigations Report (DBIR), social engineering is a recurring and significant means of attack on our IT resources. At its simplest, social engineering is enticing or tricking somebody to do something that she or he would not normally do. Of the many variations on the theme, the most successful is phishing – correspondence with malicious links or attachments designed to get the recipient to click or open them. Frequently, the end goal is to install malicious software such as key loggers or ransomware (e.g. cryptolocker) on the victim’s system.
Lest you think this is a problem of somebody else’s poorly behaved children, the DBIR included analysis of over eight million sanctioned phishing tests. The conclusion was that, with distressing regularity and speed, users across the spectrum are opening phishing emails and clicking on the malicious attachment or link. Distressing, as in a quarter million users clicking, with a median time to the first click of only minutes.
The relative success of phishing campaigns in itself might not be so worrisome if it were not for the equally troubling inability or unwillingness of users to keep their software current with anti-virus signatures and software updates. According to the DBIR, the top ten security vulnerabilities account for 85% of successful exploits. Further analysis of ransomware attacks that exploited Adobe Flash vulnerabilities found that 50% of the browsers involved were a year or more out of date. Simple economic theory holds that hackers will target whatever yields the greatest return on investment, and exploiting unpatched software vulnerabilities is cheap, easy, and works time after time.
So what’s a body to do? First and foremost, every organization should make security awareness and training an integral part of daily corporate life with a real, live body who is accountable for all things security. Said body should help the organization develop and follow clear information security policies that address acceptable use, anti-virus software, and security updates and patches. Users should be aware of current threats and trends in the security landscape. Include discussions about security best practices in meetings and internal communications so that security is on the mind and not a distant afterthought.
For the checklist-oriented, perhaps the single most effective step you can take to enhance security is to enable multi-factor authentication (MFA) for every account that makes it available to you. Analysis of several relatively recent password data breaches reveals that credential reuse across multiple sites is commonplace. Enabling MFA can help mitigate the impact of hackers obtaining your password for Site A and then being able to use it to access Site B, and Site C, and so on: a stolen password alone is no longer enough to log in, because the second factor is a separate secret that never left your device.
You should also enable automatic updates for operating system and application software to help stay ahead of the vulnerability curve. Make sure that you have anti-virus software installed, active, and updated. Qualys Labs provides their online BrowserCheck security analysis tool (https://browsercheck.qualys.com/) free of charge to help assess your system’s current security configuration and update posture.
Most importantly, once you are good and lathered up about security throughout your organization, you have to rinse and repeat. Again, and again. Just like my children who need frequent interaction with soap and water, security awareness and action needs to be a regular and recurring part of all aspects of your personal and business life. And make sure you wash behind your ears, because you never know when somebody pretending to be your mother is going to send an email with a link to the latest funny from AOL.