National Post (National Edition)

People remain data’s biggest security risk — but training can help

- PETER KENTER

The purpose of any effective network data security system is to identify, repel and defeat known security threats. That’s why so many cyber attacks are aimed squarely at humans, who may unwittingly be helping bad actors hack their company networks.

However, as cyber threats evolve and become more sophisticated, employees can evolve to recognize them — as long as they’re provided with the right training, says Joseph Khunaysir, chief technology officer with Canadian IT service provider Jolera Inc.

“To identify the types of security threats they might encounter, people need to be on their guard 24/7,” he says. “But it’s difficult for people to maintain a consistent air of suspicion. Training helps to make recognition of security threats second nature for them.”

Many cyber-criminal come-ons are classic — for example, a demand to log into a password-protected account on a malicious site that looks exactly like the real one, an invitation to download a software update they weren’t expecting, or a request to review a purchase order that the e-mail recipient doesn’t recognize.

Others are more subtle. Opening a spreadsheet might unleash malware that gradually worms its way into the system, examining and copying data files. Perhaps it’s laying the groundwork for ransomware — encrypting all company data until a ransom has been paid.

“We’re even seeing phone calls to employees asking them about the company and people who work there,” says Khunaysir. “They might pretend to be possible clients looking for more information.”

He notes that cyber criminals manage their operations like a factory. They use dark web operations to build up profiles of organizations and people within those organizations on an assembly line, one piece at a time. They then rank the weakest links inside the company and sell these information packages to the highest bidder.

“A customer we worked with was tricked into sending more than $100,000 in wire transfer funds overseas,” says Khunaysir. “Another sent equipment based on a recognized client’s purchase order to the wrong location, where criminals signed for it and stole it.”

In other cases, bad actors assume the identity of a company manager, casually emailing other workers, collecting additional information and ultimately using that information to defraud the company.

Security training begins with simple things, like teaching employees to create effective passwords and change them often.

“A lot of people use the same PINS and passwords on every site, and if a cybercriminal hacks the company website they’ll extract those user names and passwords and apply them to accounts all across the web,” says Khunaysir.

Recognizing suspicious online activity, deceptive emails and unusually inquisitive phone calls takes a little more savvy.

“The first thing they need to ask themselves is why the information is being requested in the first place,” Khunaysir says. “Be logical. Does the request make sense? Who is asking for it? If I’m looking at a web page or email that’s asking me for passwords, approvals, SINS or user names, or instructing me to download something, what does the web address say? Often, it’s close to the real thing with only a single character out of place.”

Ignore, delete, don’t forward, he advises. If you’re not sure, don’t do it. If you’ve already done it, report it immediately to the IT department or to the service you’ve contracted to provide data security.

“Embarrassment is not an option,” says Khunaysir. “If you’ve allowed bad actors to access your system, it may not be too late to stop what’s been started. They need to be taught that the longer they wait, the worse it can get.”

An attack can lie dormant for weeks as criminals browse and scope out data files and servers before making their move. Called quickly, a capable security expert can look at the computer, the links, the emails, the browsing history and the click-backs to determine whether any damage has been done.

“If someone has gotten in, a security team can do something about it before they have to respond to a full-blown attack,” says Khunaysir.

Network security companies are developing the technical capability to instantly update the protective algorithms on many devices simultaneously across a network.

“Humans aren’t quite so efficient,” says Khunaysir. “Training requires time and effort during a busy workday, but companies should make a commitment to regular cyber security training and refresher updates. We’re battling ever more sophisticated criminals but with proper training and regular updates, empowered workers are becoming more sophisticated as well.”

GETTY IMAGES Proper training can help employees avoid the growing number of cyber traps being set.
