The Forgotten Line of Defense: The People

From the beginning hackers have been known for their skills of breaking into computers and networks. They applied different techniques and methodologies in order to break into corporate systems or personal computers.

In order to mitigate the risks and threats posed by these hackers, organisations have adopted different techniques to secure their IT infrastructures. Such controls have been applied at different levels of the architecture which include:

• Network Security
• Application and Data Security
• Hardware Security
• Physical Security

At the same time, threats and vulnerabilities are also being developed by the hackers or bad guys at the speed of thought and time. It’s as if there is a battle going on between the bad guys, security vendors and the business organisations. The security vendors and business organisations are doing their best to develop solutions, while at the same exponential speed the hackers are working to counter these efforts by building more and more botnets and capturing more zombies.

Hacking or its related acts have become a big industry and its costing organisations millions of dollars and reputation of course. Because of this, the industry has attracted some of the greatest minds, who so far are way ahead of most of the security professionals employed in the formal businesses. The bad guys also seem to have time and resources on their hands unlike in business where some senior managers don’t even drop a dime to invest in security.

Let’s look at the basics of penetrating into a system. In order to penetrate into any network/computer system you need to follow a few steps which include: planning the attack strategy, gathering target information, Enumeration, gaining access, maintaining access and covering your tracks.

Thus in order for an attacker to be successful they have to go through several defence layers at the network, application, data and physical layers. Yes, the attackers have the skills and tools to break these various layers but success is not always guaranteed. As a result Attackers have to look at some of the easiest ways to break into systems especially by exploiting the weakest link.

Organisations have invested in what is generally called defence in-depth or resilient security architectures at the various layers. However, there is a very crucial layer of security that most or all organisations are failing to invest in fully. It’s called the People Layer.

In my view little is being done to educate users, workers, contractors and other service providers about the various security risks. Organisations are also failing to enforce the right policies to ensure that users and staff members are mandated by policy to play a role in protecting the organisation’s critical information assets, after all security is everyone’s responsibility.

An organisation may implement defence in depth but without a knowledgeable workforce or staff, the attackers will always find their way. As a rule of thumb, “security is only as strong as the weakest link”.

Because of the poor security controls around the People Layer, attackers don’t need to worry themselves to break the network, data, application and physical layers….They just need to fool anyone in the organisation to either click on a link, open an attachment or give them a call and ask them for details (passwords etc) and whoosh their lives become so easy.

Due to the rise of  social media and the wide use of the internet, attackers have devised various social engineering, phishing and other types of methods to fool naïve users.

It’s our nature as beings to be receptive and we are psychologically enticed by nice things such as images, videos, love stories, get rich quickly fantasy staff etc….but its time we shift psychologically.

Finally, Its time organisations invest in security awareness training and ensure that their staff base is well trained, educated and continuously receive awareness about threats and vulnerabilities.

The People Layer is vital and its time we see a shift if we are to fully realise total defence in depth.

Users should be trained on the basics of internet security, phishing, social engineering, malware, email security, social media risks, corporate phone use security, use of antivirus, reporting security breaches etc.

An educated workforce adds an extra layer of security and makes it tougher for the attackers to break into the other layers of security mentioned above.

As IT professional you need to educate the users and implement a viable security awareness training program and give the security power to the People Layer. The awareness training program should target all users from senior management, IT staff and general workforce.