An education in flashing lights

Organisations seem to sit in three categories when it comes to information security. The smallest of these categories is the one where the company has a firm grasp on security. They are aware of the risks and the devastation a breach could cost them, they have identified a need for training and education of staff, and they take it very seriously. The second largest category is the ones that don’t have a budget for information security. They either have an IT team or outsource their IT, as they appreciate that without functioning IT their business doesn’t run, but they don’t allocate any budget to protecting their infrastructure, data and customers from threats. What they don’t seem to realise is that by not investing in information security they will suffer significant costs, loss of earnings and potentially the loss of the business. Finally we have the largest category, which is the ones who invest in information security to tick a box.

Don’t get me wrong, the companies that don’t have a budget are without a doubt in the largest amount of trouble, and the fact that they haven’t suffered an attack or breach yet certainly doesn’t mean they won’t. They really need to up their game, take security seriously and do something about the problem. But arguably the category that ticks a box is in an equally bad situation. The companies with no budget know they don’t have a defence and may be more alert because of that fact. However, the box-ticking category believe they are safe; they are lulled into a false sense of security, literally.

So what do companies do to protect themselves? Well, they purchase firewalls, IPS and IDS devices, and they deploy anti-virus software to their servers and desktops. If you go into a server room or data centre belonging to one of these businesses you would be forgiven for thinking you were in a high-tech Hollywood film. The flashing lights, sophisticated biometric locks, CCTV and physical security guards make the digital assets of the company seem very secure.

The issue is that even when a company keeps its security software and hardware current and up to date, this isn’t the end of the problem. Doing so is great, and really does provide a line of defence against attacks. It is miles better to put something in the way of a manual or automated attack, something in the way of malware being delivered via email or website browsing. However, what if someone is persistent? Now, your business may not be a large corporation, one with a lot of media attention and one that attracts the interest of a hacker. But let’s say that your website is hosted on a shared hosting platform, and you are hosted on the same server as a much bigger target of the hacker. If you have a way in, they will trample all over you and your website to get to their victim. You, as a result, suffer a loss of reputation, potential financial loss, and stand to lose a lot more.

Let’s look from another angle, at a threat that faces every business every day of the week, one which most of us feel we are savvy enough to defend against and one that we think would be spotted straight away: social engineering. This is hacking the human. Unfortunately, the weakest area of security in your organisation tends to be your employees, and that isn’t even counting disgruntled ones or ones who are subject to bribery.

Let’s look at a scenario that a good friend of mine played out in an ethical social engineering attack against a large financial institution based in London. He was hired by the financial institution to conduct a social engineering test whereby the remit was to get into the business and access the server room; this was to be done without causing any distress or physical damage. First of all, he had time on his hands: the client was happy to wait, and this is a consultant with time on their hands. Imagine how much time a malicious social engineer has on their hands to wait and monitor the situation to find the weakness in your company and its employees. Upon observing the company for several weeks he noticed that every Friday at lunchtime they got a delivery from Domino’s Pizza. As an employee entered the building they had to present an access card to a reader, then get checked by a security guard. The Domino’s employee had none of these checks, as he was a visitor they knew had a purpose, and they waved him in and through security every week. Off he wandered and delivered his pizzas around the building, as he did every Friday. So my friend decided he would go and get a job at a Domino’s takeaway, staying a few days to get some pizza boxes and a uniform. The next Friday he turned up half an hour earlier than usual. He was waved in as normal; knowing the script and what happened, he just acted confident and made his way into the building.

Once inside, he made his way around the building with a pizza box full of hacking tools, including some SmartWater and a UV torch. He found the server room, cleaned the combination lock on the door and sprayed it with SmartWater. He then waited for a while; after a short time someone operated the lock and walked off. He shone his UV torch onto the lock to work out which keys had been pressed, and with these sorts of locks the order the keys are pressed in is irrelevant. In he went, took some pictures and left. This was the end of the social engineering test for the client. However, had he not been ethical and consulting for the business, the result could have been catastrophic. There could have been loss of data or data manipulation, and if the story got into the media, a loss of trust and reputation for the business; stock prices could drop.

Instead, what happened was a debrief pointing out flaws in the physical security of the business. Staff were re-trained, and it made for a much safer environment for the business in question. The threat landscape is evolving daily; physical and information security is changing, and without proper awareness training for all of your staff your business is wide open. If you are in the category that has no security, or that buys into objects with flashing lights, have a think. What would be the cost or consequence to your business should someone breach the physical or information security that you have in place? The damage to your reputation, to your finances, to your data: could your business survive the attack? I think most businesses would be surprised to learn that after a data breach most businesses fail within the next 12 months.

Please don’t become a statistic: take security seriously and start to look at awareness training for your staff. From receptionist to CEO, it is important for everyone. Anyone who is employed by or affiliated with your business potentially puts it at risk daily. We can help: Hexode Security Solutions provide bespoke awareness training packages for you and your business. Get in touch here to find out more.
