An article published in Infosecurity Magazine in 2016 reported
that as many as 22,000 USBs are left at dry cleaners every year. Even worse, some 973 mobile phones
are also absentmindedly left behind in pockets and handed in, the study found. For
the past several years, security has been the #1 topic of interest to our
audience at our technology conference, for good reason. There is plenty of research to back up the theory
that human error is easily the largest cause of data breaches. So are we
shocked to hear that this many USBs and mobile phones are left at dry cleaners?
The same article reported that devices were only returned to their rightful
owners 45% of the time.
Kevin Mitnick, a notorious hacker of the
1980s and 1990s, once said during an interview, “The lethal combination is when
you exploit both people and technology. What I found personally to be true was
that it's easier to manipulate people rather than technology. Most of the time,
organizations overlook that human element.”
So we all know that "to err is human," and that certainly is not
going to change. Ten years ago, an improperly discarded paper record did
much less damage to data security than misplaced digital data does today. A lost cellphone a decade ago
meant someone might make calls and use up the minutes on the account. Today, a misplaced
smartphone could pose a serious data breach. Massive digitization of
information, mobile use, and system integration can potentially expose millions
of people’s data to hackers and the harm they cause.
Napier University Professor William
Buchanan lists the top three threats in computer security as “people, people
and people.” He mentions leaving devices
unattended, sharing passwords, or accidentally emailing information to the wrong
people as typical security errors. He indicates that many of the breaches from
cyber attacks are also traceable back to users unwittingly giving bad actors
access to networks. Ten years ago, phone
scams were how bad actors got information and money from people;
today the scams are much more sophisticated . . . and effective.
The easiest way to conduct a successful
cyber-theft seems to be tricking people. This can be done via phishing schemes,
spoofed websites asking for credentials, malicious apps with embedded malware,
etc. Sharing personal information, for whatever reason, gives hackers the
foothold they need to exploit system vulnerabilities once they are “in.”
In October 2015, Palo
Alto Networks reported that more than 40% of all email attachments were
found to be malicious. They also found that the average time to weaponize a world
event was 6 hours. The implication is that immediately following an
earthquake or other world event, your well-intentioned staff members might
attempt to donate to a relief fund. By using their credentials to do this, they
are potentially providing information that can lead to a data breach.
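The three signals described above (malicious attachments, a lure themed on a current world event, and a request for credentials) can be scored by a mail gateway before a message ever reaches a well-intentioned employee. The following is an added example written for this page, not code from the article or from Palo Alto Networks; the extension list, lure vocabulary, impersonation watchlist (with placeholder domains), thresholds and the three sample messages are all constructed for illustration.

```python
"""Inbound e-mail triage heuristic (added example, not from the article).

Scores a message on the signals the text describes: risky attachment types,
event/donation lure vocabulary, a display name that impersonates a known
organisation, and a request to log in or hand over credentials. Every list,
threshold and sample below is constructed for this example.
"""
import re
from dataclasses import dataclass, field

# Attachment extensions that commonly carry code or macros (constructed, not exhaustive).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm"}

# Vocabulary typical of "world event" relief-fund lures (constructed).
LURE_TERMS = {"donate", "donation", "relief", "earthquake", "hurricane", "flood",
              "victims", "urgent", "fund"}

# Organisations a lure might impersonate, mapped to the domain they really send
# from. Placeholder domains: an operator replaces these with a verified list.
IMPERSONATION_WATCHLIST = {
    "red cross": "redcross.example",
    "it helpdesk": "corp.example",
}

# Phrases that ask the reader to authenticate or disclose a password.
CREDENTIAL_REQUEST = re.compile(
    r"\b(log ?in|sign ?in|verify your (?:account|password)|credentials|password)\b", re.I)


@dataclass
class Message:
    sender: str                     # 'Display Name <user@domain>' form
    subject: str
    body: str
    attachments: list = field(default_factory=list)   # filenames only


def risky_attachments(msg):
    """Return attachment names whose extension is on the risky list."""
    return [a for a in msg.attachments
            if any(a.lower().endswith(ext) for ext in RISKY_EXTENSIONS)]


def lure_hits(msg):
    """Return the lure terms found in subject and body, sorted."""
    words = set(re.findall(r"[a-z]+", f"{msg.subject} {msg.body}".lower()))
    return sorted(words & LURE_TERMS)


def impersonated_org(msg):
    """Return the watchlisted org named in the display name when the sending
    domain is not that org's known domain, else None."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$', msg.sender)
    if not m:
        return None
    name, addr = m.group(1).lower(), m.group(2).lower()
    domain = addr.rsplit("@", 1)[-1]
    for org, legit_domain in IMPERSONATION_WATCHLIST.items():
        if org in name and domain != legit_domain:
            return org
    return None


def triage(msg):
    """Score the message and return (verdict, score, reasons)."""
    score, reasons = 0, []
    ra = risky_attachments(msg)
    if ra:
        score += 3
        reasons.append("risky attachment: " + ", ".join(ra))
    lh = lure_hits(msg)
    if len(lh) >= 2:                      # one stray word is not a lure
        score += 2
        reasons.append("event/donation lure terms: " + ", ".join(lh))
    org = impersonated_org(msg)
    if org:
        score += 2
        reasons.append(f"display name claims '{org}' but sender domain is not its known domain")
    if CREDENTIAL_REQUEST.search(msg.body):
        score += 2
        reasons.append("asks for a login or credentials")
    verdict = "quarantine" if score >= 5 else "review" if score >= 2 else "deliver"
    return verdict, score, reasons


# Constructed sample messages: a relief-fund lure, a routine invoice, and a
# genuine newsletter that merely uses event vocabulary.
SAMPLES = [
    Message("Red Cross Relief <donate@rapid-help-now.example>",
            "URGENT: Earthquake victims need your donation",
            "Please donate to the Red Cross relief fund today. Open the attached "
            "form and log in with your company credentials.",
            ["donation_form.docm"]),
    Message("Accounts Payable <ap@corp.example>", "Q3 invoice",
            "Attached is the Q3 invoice as a PDF.", ["invoice_q3.pdf"]),
    Message("Red Cross <news@redcross.example>", "Earthquake relief update",
            "Thank you for your support this month. You can still donate on our website."),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, score, reasons = triage(sample)
        print(f"{verdict:10} score={score} {sample.subject!r}")
        for r in reasons:
            print("   -", r)
```

The lure-themed message scores on all four signals and is quarantined; the genuine newsletter trips only the vocabulary check and is routed for review rather than blocked, which is the point of scoring signals together instead of acting on any single one.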
recommends the following best practices to prevent a data breach and reduce
costs in the event of one:
employees and train them on how to handle confidential information.
loss prevention technology to find sensitive data and protect it from leaving
encryption and strong authentication solutions.
an incident response plan including proper steps for notification of
Even with a great training program in
place to educate your employees about attacks and to teach them best practices,
mistakes will still be made. The best you can do is to continue to educate and provide
information about current attacks and how to handle them. Additionally,
monitoring for security incidents and having plans (and the teams to implement
them) in place for when a security breach occurs are critically important.