Knowledge Workers, IT Departments and Smart Hackers - How Can IT Be Trusted With Our Data?
Brian D. McCarthy
Cybersecurity Risk Management Workforce & Compliance Expert | ISACA ATO | APMG Accredited | DoD 8140 Expert | SEC-Cyber | EU NIS2 / DORA | OT/ICS | NIST-NICE Volunteer | K-12 Lacrosse Coach
I read an interesting article this morning in SC Magazine. Based on a 2016 study (Download Here: https://goo.gl/zmLqJV) by Datastrophe, it seems that IT isn't capturing the hearts, or the trust, of its end users. 25% of Knowledge Workers have very little trust in their IT team. 67% of Knowledge Workers are not impressed by their employer's attempt at BYOD and don't believe a clear policy exists. Meanwhile, 65% of IT decision makers (ITDMs) believe that a BYOD policy does exist. Lots of numbers, right? But what is really happening?
Never before have IT and Enterprise Architecture had to deal with so many ever-changing variables in the number and kind of access points they are expected to secure. Phones, tablets, Internet of Things (IoT) devices and the still-existing legacy infrastructure create so many entry points for cybercriminals that many firms take a "not here" attitude toward new technologies, especially networked ones. It won't be long until someone's pacemaker is networked (IoT), providing valuable clinical data to physicians, but the same connectivity spells danger for those who run corporate security. The proliferation of connected everything is going to shake up cybersecurity a lot.
A new networked device in the enterprise that has not been tested or validated for use is a danger. Meanwhile, employees want to use their latest Thingamajig at work, and if IT refuses, they can simply figure out workarounds, using more tech that isn't on IT's radar in order to finally use the tech that isn't allowed. Once a workaround succeeds, IT has lost control twice: of the device it refused, and of the unsanctioned tech used to get around the refusal. The gray areas seem to get us in trouble a lot these days, and you can see the challenge with 50,000 employees all coming up with innovative ways to use their own tech outside of IT's control.
But in a world where personal information is a goldmine for the latest hacking group, harvested through spear phishing, plain old phishing, SQL injection, rogue wireless access points (fake WAPs), cookie theft, watering hole attacks, bait and switch and other methods of intrusion, users are getting tired of exposure and quickly pass blame, which usually lands on IT. But it's not IT's fault... MOST OF THE TIME.
Just this month (March 2016), a large healthcare organization learned of a spear phishing attack that exposed the personal information of... Ready for it? All employees! Yes, almost 11,000 people had their personal information not stolen through a break-in, but queried, sorted, exported, packaged and emailed to the attackers in good faith by a staff member who believed the request was genuine. How on earth did this happen? It sounds almost too easy, and in review, it was.
Email spoofing is amazingly powerful and, today, rather sophisticated in design and intent. When an employee's boss emails asking for information ASAP, and that boss is traveling, what's an employee to do? Call or text to make sure it really was the boss who sent the email? It's an email from their boss, after all, right? The psychology of authority and urgency, used to dupe otherwise wonderful and intelligent people into clearly inappropriate actions, works. Note that the attacker often doesn't need to forge the corporate domain at all: a free webmail account whose display name matches the boss's name, or a lookalike domain one character off, is enough on a phone mail client that shows only the display name. This hack shows not only the prowess of email spoofers but also how easily an organization's entire employee file can be obtained.
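As an added example (not code from the original article or from 327 Solutions), here is a Python triage routine that checks one incoming message for the signals the "boss is traveling, send the file" email described above typically carries: a trusted display name on an address the directory does not know, a Reply-To pointing at a different domain, a lookalike of the corporate domain, a non-pass SPF/DKIM/DMARC verdict from the mail gateway, and urgency wording. The corporate domain, the executive roster and both sample messages are constructed assumptions; in production the roster would come from the directory and the Authentication-Results header from your own gateway.

```python
"""Triage one incoming email for executive-impersonation signals.

Added example, not code from the original article. CORPORATE_DOMAIN,
EXECUTIVES and the two sample messages below are constructed assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "example-health.org"                   # assumed tenant domain
EXECUTIVES = {"jane doe": "jane.doe@example-health.org"}  # assumed roster: lower-cased name -> real address

# Wording that pressures the recipient to act before checking (tunable heuristic).
URGENCY = re.compile(r"\b(asap|urgent|immediately|today|all employees|w-?2)\b", re.I)
# Digits attackers swap into domains to pass a quick visual check.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def edit_distance(a, b):
    """Levenshtein distance; a one-character edit is the classic lookalike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, legit):
    """True when domain is almost, but not exactly, the legitimate one."""
    if not domain or domain == legit:
        return False
    normalized = domain.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    return normalized == legit or edit_distance(domain, legit) <= 1


def auth_verdicts(header):
    """Return the non-pass spf/dkim/dmarc verdicts from an Authentication-Results header."""
    found = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header or "", re.I)
    return sorted(f"auth_{m.lower()}_{v.lower()}" for m, v in found if v.lower() != "pass")


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message):
    """Return the list of impersonation signals found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    from_domain = domain_of(addr)
    findings = []

    # Trusted name on an address the directory does not know: the core of CEO fraud.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr != expected:
        findings.append("display_name_impersonation")

    # Replies silently routed to a different domain than the one displayed.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append("reply_to_mismatch")

    if is_lookalike(from_domain, CORPORATE_DOMAIN):
        findings.append("lookalike_domain")

    # Gateway verdicts only catch forgeries of the exact domain, never lookalikes.
    findings.extend(auth_verdicts(msg.get("Authentication-Results")))

    body = msg.get_payload() if not msg.is_multipart() else ""
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        findings.append("urgency_language")
    return findings


# Constructed sample: the "boss is traveling, send the file" email.
SUSPECT = """\
From: Jane Doe <jane.doe@example-heaIth.org>
Reply-To: jane.doe.ceo@mail.example
To: hr-payroll@example-health.org
Subject: Need the full employee W-2 file ASAP
Authentication-Results: mx.example-health.org; spf=fail smtp.mailfrom=example-heaIth.org; dkim=none; dmarc=fail header.from=example-heaIth.org
Content-Type: text/plain

I'm traveling and can't take calls. Please export all employee records and send them to me today.
"""

# Constructed sample: a genuine message from the same executive.
LEGIT = """\
From: Jane Doe <jane.doe@example-health.org>
To: hr-payroll@example-health.org
Subject: Q2 headcount report
Authentication-Results: mx.example-health.org; spf=pass smtp.mailfrom=example-health.org; dkim=pass header.d=example-health.org; dmarc=pass header.from=example-health.org
Content-Type: text/plain

Attached is the quarterly headcount summary for the board deck.
"""

if __name__ == "__main__":
    for label, sample in (("suspect", SUSPECT), ("legit", LEGIT)):
        print(label, triage(sample))
```

A message that passes SPF, DKIM and DMARC can still be an impersonation: those checks only confirm the mail really came from the domain it claims, and a lookalike domain registered yesterday with its own SPF record passes them cleanly. That is why the display-name and Reply-To checks are kept separate from the gateway verdicts.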
What was missing? IT could have done some of the following.
- Noticed an incoming email from a fake or cloned account and blocked it immediately. Enforcing sender authentication on the corporate domain (SPF, DKIM and a DMARC reject policy) stops exact-domain forgeries, though not lookalike domains or display-name impersonation from free webmail. This would have alleviated the entire mess, but the sheer volume of attack emails and new techniques make it hard to keep on top of.
- Set off an alarm or chain communication (text/email to two or more persons) the moment an export of such a large quantity of HRIS data was performed. What if the CIO and CHRO automatically received a text about the HRIS database being exported?
- Had proper cybersecurity awareness training, so that an employee with access to highly sensitive data would have questioned such a request. Although the psychology of an email from our boss is a strong one, a quick text to the boss, or forwarding the email to security for a second opinion, on "hard to imagine" requests could have stopped this.
- Had a proper policy and procedure in place, not just for access but for the export of the entire HRIS file. A two- or three-stage authorization, with a second person approving any bulk export, would have stopped this. How can one person have so much access without multiple keys to the data?
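The alarm and the "multiple keys" control from the list above, as an added example rather than the article's own code: a Python detection rule run over constructed HRIS audit lines. It denies any single bulk export that lacks a second approver (treating self-approval as no approval), notifies the CIO and CHRO, and also catches the slicing workaround where the same file is pulled in many small queries within a short window. The pipe-separated log format, the thresholds and the recipient list are assumptions.

```python
"""Detect and gate bulk exports from an HRIS audit trail.

Added example, not code from the original article. The pipe-separated log
format, the thresholds and the notification list are constructed assumptions.
"""
from collections import deque
from datetime import datetime, timedelta

BULK_THRESHOLD = 500           # rows: one export this large needs a second approver
AGGREGATE_THRESHOLD = 100      # rows: total per user inside WINDOW that triggers an alert
WINDOW = timedelta(minutes=10)
NOTIFY = ("cio", "chro")       # assumed: who gets the text when the HRIS is pulled


def parse_log(text):
    """Parse 'timestamp|user|action|rows|approver' lines and return them oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, rows, approver = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "action": action,
            "rows": int(rows),
            "approver": approver or None,
        })
    return sorted(events, key=lambda e: e["ts"])  # audit lines often arrive out of order


def evaluate(events):
    """Return alerts; each carries the decision the export gate should apply."""
    alerts = []
    recent = {}  # user -> deque of (timestamp, rows) inside WINDOW

    for e in events:
        if e["action"] != "export":
            continue

        # Dual control: a bulk export is allowed only with a *different* approver.
        if e["rows"] >= BULK_THRESHOLD:
            approved = e["approver"] is not None and e["approver"] != e["user"]
            alerts.append({
                "rule": "bulk_export_approved" if approved else "bulk_export_unapproved",
                "user": e["user"], "rows": e["rows"],
                "decision": "allow" if approved else "deny",
                "notify": list(NOTIFY),
            })
            continue

        # Slicing workaround: many small exports add up to the same file.
        q = recent.setdefault(e["user"], deque())
        q.append((e["ts"], e["rows"]))
        while q and e["ts"] - q[0][0] > WINDOW:
            q.popleft()
        total = sum(rows for _, rows in q)
        if total >= AGGREGATE_THRESHOLD:
            alerts.append({
                "rule": "aggregate_export", "user": e["user"], "rows": total,
                "decision": "alert", "notify": list(NOTIFY),
            })
            q.clear()  # alert once per burst, then start counting again
    return alerts


# Constructed audit trail: small pulls by one analyst (logged out of order), one attempt
# to dump the whole employee file without approval, then the same dump with CHRO sign-off.
SAMPLE_LOG = """\
2016-03-10T09:01:12Z|hr.analyst|export|40|
2016-03-10T09:03:05Z|hr.analyst|export|50|
2016-03-10T09:02:30Z|hr.analyst|export|45|
2016-03-10T09:03:50Z|hr.analyst|export|10|
2016-03-10T09:04:41Z|payroll.lead|export|10900|
2016-03-10T14:20:00Z|payroll.lead|export|10900|chro
2016-03-10T14:25:00Z|payroll.lead|login|0|
"""

if __name__ == "__main__":
    for alert in evaluate(parse_log(SAMPLE_LOG)):
        print(alert)
```

The deny decision only matters if the export path actually consults it before handing over the data; an alert that arrives after the file has been emailed is forensics, not prevention. The aggregate rule is there because a determined insider or a phished account will happily run fifty small queries when one big one is blocked.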
In the end, what has happened is done. But let's always learn from these large data breaches. What remains constant is that human error and fallibility are among the easiest things to capitalize on if you are a hacker. It's important to have your entire organization up to speed on the latest methods of cyber-attack and on how people can separate real business from potential threats.
If 50 or 50,000 employees in your firm are not aware of how their digital actions can impact the enterprise, you have just increased your attack surface by that number. Cybersecurity awareness competencies aren't nice to have in today's corporate environment; they are required. The entire employee HRIS file may depend on a trained and aware workforce.
To discuss how 327 Solutions can help you with Training and Development needs, please feel free to visit our website at www.327solutions.com and give us a call.
Want to schedule a meeting with a performance consultant? Click below for automated scheduling.
Another health system just attacked... https://www.scmagazine.com/ransomware-suspected-in-medstar-health-attack-experts-say/article/485967/