Security is only as good as your weakest link

There is a saying that “a chain is only as strong as its weakest link”, and it applies just as well to data security.  Today’s IT managers are spending a majority of their budget on data security; it seems they are buying more and getting less, and in fact I believe it is lulling them into a false sense of security (pun intended) that their infrastructure is safe from risk.  Adding to this perceived protective bubble, there are policies, frameworks, procedures, governance and other ways to keep a company secure that can consume enormous amounts of time and money.  There are even entire sections of companies dedicated to data security.  What does all of that time, effort and money get you?  Well, maybe it makes you sleep a little better at night, thinking your company is well protected.  Sorry to cause potential nightmares here, but the reality is, and most data security experts would agree, you are never 100% secure!

Now why would I say this? 

You have most likely spent a tremendous amount of money, time and energy on security products, services and software, so why wouldn’t you be secure?  Why would I want to ruin that great night’s sleep for you?  Well, I’ll tell you: because the same rules apply here as they do to a weak link in a chain.  All it takes is one person to burst the bubble.  A majority of all “major” attacks that exist today come down to a single mistake by a single person: falling for social engineering, using a bad password, opening an email virus or something similar.  I believe the weakest link in the data security chain is, and always will be, “human error”.

Think about the person (or people) who is probably the least digitally savvy in your organization.  You have diligently locked down their permissions and their access, and have made every attempt to stop them from doing any possible damage while still letting them do their job.  So, do you now think you are safe from what that one person may be able to do to your organization by accident?

I have bad news, you are never safe!

Did you read recently that the employee directories of Homeland Security and the Department of Defense were just hacked and released to the public?  The cause was tracked down to social engineering.

This is the latest, but just one of many, examples of the damage that a “regular” user can do.  This “user”, without any advanced privileges or access, can still do catastrophic damage.

Additionally, you also have to think past the first step of a possible attack.  The hardest part of a hacker’s task is getting in the front door; the rest is easier.  Once they have access to a user’s account (any user), they have gotten past all those sophisticated security systems you purchased and worked so hard to implement; they are now on the “inside”.  No policy or procedure will stop them; it’s too late.

I am not trying to diminish the value of all the advanced security tools that exist in the world today, because they certainly do help.  The point I am making is that you are never really “secure” because of the “human” factor.  A good hacker will always find a way in, and more often than not it is through a person who just doesn’t know any better.  If you look at one of the most famous hackers of our day, Kevin Mitnick, most of his successful hacks involved some form of social engineering.  I watched a special on him years ago in which he convinced a high-level security professional to give out his password over the phone.  He had a way with people and the uncanny ability to gain their trust.

So what do I suggest you do about this?

The obvious answer is training.  Train your people, train your staff, and train the executives.

BUT … as we know, that is not always possible or even realistic.

The least educated person regarding technology will probably not listen to, or perhaps simply not understand, the training.  I want to bring this to your attention because it is rarely thought about when administering security training classes.  The instructors seem to take it for granted that most, if not all, users are technically savvy or even competent, and so they train at that level.  I know that when I recently sent an internal email to my own company about a new virus and vulnerability, some people did not even bother to read it.  They either don’t see it as important to their job or they just don’t feel it is worth their time to read.  Either way it gets missed or dismissed.  You can take every precaution and make every effort to present and explain all the information to all your users, but that doesn’t mean they will read it, understand it or adhere to it.

This is where it gets problematic: how do you protect your organization from this huge unknown?  We have tried throughout the years to protect users from themselves by locking them down and building the tools, but at the end of the day they are still “users” and not security professionals.

Understanding the war going on between security professionals and hackers is a good first step.  As soon as a security product is released, a hacker’s mission is to find a way around it.  There remains one simple truth in life, “there is always someone smarter than you,” and it applies directly to data security and to those naive people who think they have built a tool that cannot be circumvented … the mere thought of an un-hackable tool is a losing proposition.

We are all doing a decent job keeping our networks secure, or at least we believe we are, but how can we really be sure nothing bad will happen?

You could even give employees a simple test before hiring them to ensure they have the basics down of what is acceptable, but that would slow down a hiring process that already seems to be barely crawling along.  Having this basic knowledge can help greatly, but there is no silver bullet for security, at least not yet!  Mistakes do happen.

As always, I welcome a healthy conversation on the topic below, and invite our community to share their experiences and thoughts.

Bobby Wolfe-Ralph

Enterprise Account Manager at ZeroFOX

8 years

Sam, this post is incredibly relevant and true - the weakest link is and always will be people. To your point about social engineering and the untold damage even lower level staff can cause through social engineering, are you maintaining security-level awareness into social media based cyber threats? It's what we're doing here every day at ZeroFOX and I'd love some input.
