If there's one thing the big security breaches of the past few years have taught us, it's that employees are just as critical to network security as the technology.
Organisations often overlook the human fallibility factor and don't train or engage their workforce in helping protect their sensitive information. This is the case despite heavy investment being made in the deployment of point products used to guard corporate networks when, in fact, combating a wide range of security threats requires a strong combination of technology and user awareness.
Hacking techniques that focus on exploiting employees, such as social engineering, are certainly on the rise. Nearly half of UK enterprises have been the victim of 25 or more such attacks in the past two years, with 'spear phishing' via email and social networks being the most common attack vectors. At an average cost of £15,000 per incident, this is a threat businesses can ill afford to ignore.
Driving this trend are two main factors. First, for many UK employers, there is a lack of policy guidelines or employee training programmes in place. Second, there has been a rise in the number of social media platforms now available.
Each provides a wealth of on-tap information about individuals and the organisations they are employed by. With this information, hackers build profiles of people and customise targeted attacks to create new entry points into an organisation, increasing the likelihood that an attack will succeed.
Once inside, the hacker can use a series of tools to work their way up the food chain to board-level staff, giving them unrestricted access to commercially sensitive data.
Organisations' employees are a critical part of the security process as they can be misled by criminals or make errors that lead to malware infections or unintentional data loss. Far too many businesses do not pay enough attention to the involvement of users when, in fact, they should be the first line of defence.
To achieve the level of protection needed in today's IT environment, security needs to grow beyond a collection of disparate technologies and instead be considered as a business process with users at its core. Ongoing training, coupled with a clearly defined security policy that's well communicated, is critical to the education process.
Regular engagement with users will help raise awareness and create a more vigilant workforce. Increasing the knowledge of threats such as spear phishing will empower staff, enabling them to prevent and remediate security incidents in real time.
Terry Greer-King is UK managing director of Check Point