Is nothing sacred anymore…or at least secure? Good question.
And it’s one that’s been top of mind for IT professionals around the world, as the global nature of commerce keeps expanding. They have to think strategically — and fast.
Inadvertent data leaks and deliberate thefts of sensitive personal and high-value business information are rampant. Massive databases of personally identifiable information that people voluntarily provide online for limited purposes have been captured, sold, and appropriated for unsolicited and often illegal uses. Incidents of data abuse have become so frequent that unless a breach is in the nine or ten figure range for stolen files, it doesn’t even make the evening news anymore.
New data breaches occur so frequently, affecting institutions in every industry, that despite solemn assurances from data custodians that customer privacy is their top priority, an almost fatalistic outlook has become widespread: nothing will remain private or secure for very long. And with digital transformation now underway in practically every organisation, avoiding exposure to technology and its associated risks has become nearly impossible.
One result has been a growing public irritation with security measures, despite forceful admonitions by IT staff professionals. According to SplashData, which analyses hacked files, the two most popular passwords in 2018 were “123456” and “password,” both of which have been among users’ top choices for the past 15 years. Remembering multiple passwords that include a complex mix of characters, numbers, and symbols — and then changing them regularly — is a task that most people find difficult and annoying. So, they either ignore the warnings or write their passwords down and keep them within two feet of their computer — clearly not a best practice for password security. It essentially hands over network keys to anyone passing your desk.
But desktop security is also an issue where technology can help; biometric authentication is a definite improvement. After all, it’s hard to replicate someone’s face or fingerprints. However, most systems also provide a simple numeric PIN as a fallback for when a biometric is not recognised. And people are just as reluctant to change their PIN as they are their passwords. So opportunities for unauthorised access are still widely available.
Old-fashioned face-to-face conversations still tend to be secure — if only because capturing and transmitting them without participant awareness is difficult. The close proximity that allowed for that sort of personal communication was the foundation of traditional office layouts. Although eavesdropping and stealing documents were always possible, they were never routine. That’s changed.
With today’s increasingly distributed workforce, employee interactions tend to be mediated by electronic means: conference calls, emails, and other forms of remote connectivity between home-based workers, headquarters offices, remote business outposts, and customer or vendor locations. They are carried over an assortment of networks, most of which are owned and managed by third parties — parties whose security policies are generally opaque to their users — typically office personnel who have other, more urgent organisational business to take care of. And each of those networks provides various forms of access. If an unwelcome visitor is able to enter one, they can gain access to far more than just the unwitting participants whose communication was hacked. As a result, providers of remote connectivity solutions, as well as local IT specialists, need to be especially vigilant about potential network gaps.
Technological holes in a network, however, are not the primary source of security vulnerabilities. People are. The flip side of any culture that emphasises trust, courtesy and mutual respect as foundations of social interaction — values that are central to most civilisations — is that bad actors can exploit them as weaknesses. Misleading people who have proper authorisation into sharing sensitive information that provides network access is central to the hacker’s strategy.
Deceptive messages — often masquerading as coming from a business partner or other trusted source — are commonly used to dupe people into providing information that gives the sender access to the recipient’s network. That includes mimicking the appearance and credibility of the user’s own help desk, connection service, or software provider to con users into giving out essential access codes. While there are frequently signs of a message’s true origin embedded in the sender’s spoofed email address, they are easily overlooked.
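The kind of sender-address sign mentioned above can be surfaced automatically. The following is an added example, not code from the article or from TeamViewer; it assumes a list of trusted partner and help-desk domains (here the constructed `example.com`) and flags From headers whose display name or lookalike domain imitates one of them while the mail actually comes from elsewhere.

```python
"""Flag easily-overlooked origin signs in an email From header.

Assumption: TRUSTED_DOMAINS is the organisation's own list of help-desk,
vendor and partner domains; the sample headers below are constructed.
"""
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com"}  # assumed list, not from the article


def _is_trusted(domain, trusted):
    """A trusted domain or any subdomain of it (mail.example.com)."""
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def check_from(from_header, trusted=TRUSTED_DOMAINS):
    """Return a list of findings; an empty list means nothing suspicious.

    Two signs are checked:
      1. the display name borrows a trusted brand (or a trusted address)
         while the real address is on another domain;
      2. the real domain is a lookalike that embeds the trusted label,
         e.g. example-com-helpdesk.net for example.com.
    An unknown domain with no imitation is not flagged on its own.
    """
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower() if "@" in addr else ""
    if not domain:
        return ["sender address could not be parsed"]
    if _is_trusted(domain, trusted):
        return []
    findings = []
    for t in trusted:
        label = t.split(".")[0]  # "example" from "example.com"
        if label in name.lower():
            findings.append(
                f"display name '{name}' suggests {t} but mail is from {domain}")
        if label in domain.replace("-", ""):
            findings.append(f"lookalike domain {domain} imitates {t}")
    return findings


if __name__ == "__main__":
    samples = [  # constructed headers
        '"Example Help Desk" <support@example.com>',
        '"Example Help Desk" <support@example-com-helpdesk.net>',
        '"support@example.com" <x@mail.test>',
        "Random Vendor <billing@vendor.test>",
    ]
    for h in samples:
        print(h, "->", check_from(h) or "ok")
```

The check is deliberately narrow: it reads only the sender address, so it complements rather than replaces SPF/DKIM/DMARC evaluation on the receiving mail server.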
That can be addressed, at least to some extent, by security awareness training. An organisation’s own IT department can periodically send out spoofed emails to see who responds, and in what level of detail, in order to identify employees who could benefit from additional instruction. Prizes or other forms of recognition can be given to people who identify and respond appropriately to the mock attackers. In other words, it may be possible to make security fun rather than burdensome — it just takes a little creativity.
At the same time, however, phishing, spoofing, and other forms of malicious email scams are not the only social engineering tools a hacker can use. The arsenal of malware keeps growing in sophistication just as the systems it targets keep evolving. Some malevolent players are very astute in using the technology. Others can buy hacking tools — some of which were themselves stolen from government agencies — on the dark web. And many other ways of breaking into secure networks by taking advantage of the generous and trusting nature of unsuspecting people have also been used to attack institutions.
That said, however, even with an army of determined adversaries, the battle to maintain network integrity is critically important. It may never be fully won, and at least some of the information that people and institutions value highly will, in time, become compromised. But there are many equally determined and highly skilled allies, including the vendors of remote connectivity solutions, who are dedicated to building platforms with security integral to their design.
In the end, it’s a shared responsibility; you and your co-workers all have a role to play. But the security specialists’ ability to deter, delay, and otherwise push back attacks on time-sensitive information can mean that even in a worst-case scenario, the damage will be limited as the stolen data grows out of date.
Gautam Goswami, Chief Marketing Officer, TeamViewer