Along with good IT security solutions, human vulnerabilities need to be patched, to prevent them from being the weakest link in a company's IT security chain.
So said David Emm, senior security researcher in Kaspersky Lab's global research and analysis team, speaking at the IDC Security Roadshow, held in Sandton this week. “Cyber crime is not only a product of the Internet age, but of the wider crime landscape as a whole.
“Like crime in general, there's no quick-fix; unfortunately it's here to stay,” said Emm. “We have to focus on mitigating the risks, through legislation and law enforcement, technology and education.”
According to Emm, cyber criminals use methods that exploit vulnerabilities in the human psyche to spread malware and steal personal data. “Cyber criminals are increasingly targeting social networking sites such as Facebook, MySpace, LinkedIn, Twitter and suchlike, due to the rapidly growing number of people that use them.
“Cyber criminals are like pickpockets,” said Emm. “They go where the crowds are.”
He noted these criminals use social engineering to trick people into doing something they shouldn't, such as disclosing personal information, clicking on a harmful link, or opening a file containing malicious software.
“With social engineering, the bait on the hook keeps changing. People have all kinds of susceptibilities and will fall foul of scams such as, 'Naked pictures of ...', 'the truth about Michael Jackson', 'free video download of ...', and similar. They also cut corners by using weak passwords, and using the same password for too many sites.
“People are also inclined to share far more personal information over social networking sites than they would ever dream of disclosing in person. It's almost as if they feel buffered by the Internet.”
People, according to Emm, are the weakest link in any security system and educating the user in security best practice needs to be an integral part of any effective IT strategy. “Security is not only a technical issue, but an HR one. A policy cannot be considered effective if it fails to address the human factor, and who better to do this but the people employed to deal with employees - the HR department.”
A security strategy will be far more effective if it is understood and supported by employees. “The strategy should be seen within an overall human resources context. Staff should be told, in plain, easy-to-understand language, the nature of the threat. They need to know what means of protection the company has employed, and why, and how these may affect them in carrying out their daily work,” he explained.
“It also ensures that staff - who are increasingly working from home these days - are not exposing business resources to unnecessary risks,” he added.
Education is a key building block in the corporate security strategy, said Emm. “Assess the risks, establish policies and procedures, and create an outbreak response plan. Deploy appropriate security solutions, define the update and patch strategy, and document the security policy. The policy should also be regularly reviewed.”
Finally, to stay safe online, Emm advised users to install Internet security software and keep it updated, and to install operating system and application patches. In addition, he urged users to back up data regularly and follow several common-sense procedures. “Don't respond to unsolicited e-mail messages, or click on e-mail attachments and links. Don't disclose personal information, and only shop, bank or socialise using secure Web sites.”