Senior Security Engineer, Ikusi Redes
The role of the end-user in the security of companies
A month ago we witnessed the biggest cyberattack of the modern era: the WannaCrypt ransomware, which caused havoc worldwide. But where did it all actually originate? To answer that question, let's imagine the following story:
On a Friday at the office, an employee absentmindedly skims his e-mail while drinking his first coffee of the day. Suddenly an e-mail from an unrecognized sender promising "interesting" photos catches his attention, and without hesitation he starts to download the photos.
Moments later his wallpaper changes and he realizes that something is wrong. A huge notice appears on the screen warning that his information has been "hijacked" and clearly threatening that if he fails to pay a ransom before the countdown shown on the screen expires, he will never be able to recover that information.
Unfortunately this is not an isolated case. Over the course of the technological development of the last decade, it has been observed that new techniques and threats are aimed mainly at end-users. Many users have fallen for scams through phishing e-mails, spam and social engineering, and have been victims of some type of fraud and even identity
According to CONDUSEF statistics, this type of illegal act has skyrocketed by 45%, and in the banking sector has increased by 72%. It has also been pointed out that between the third quarter of 2015 and the same period of 2016, the number of complaints about this type of attack rose from 2.7 million to 3.9 million pesos.
To this day, many companies do not accept that spending on security is a basic need of the business until they suffer an attack or a leak of information. There are cases that illustrate this clearly, such as Target Stores, which in 2013 suffered the theft of 40 million credit card numbers.
The attack succeeded because the attackers were able to install malware on one of the payment system's servers using the credentials of a Target contractor. Although the company's security systems raised alerts while the information was being extracted, none of the security staff followed up to verify them.
That omission caused losses on the stock market, the departure of CEO Gregg Steinhafel, a complete reorganization of the security scheme and a fine of 18.9 million dollars.
Which role does the end-user play in all this?
Kevin Mitnick, one of the best-known figures in the security industry, commented that "corporations spend millions of dollars on firewalls and security devices, however this represents a waste of money since none of such measures covers the weakest link in the security chain: the people who use and manage computers".
In our first story we talked about an ordinary user, with no training beyond what his daily duties require. The second example is more interesting: it shows us that even a technically trained user can end up falling into habits capable of unleashing losses in the millions.
Endless questions arise around this, but there is only one conclusion: a sense of security was absent in both cases.
Think about how many times we have handed over our information under the promise of a reward, ranging from free tickets or "interesting" photos or videos of a celebrity to the promise of an inheritance of dubious origin, as happened a few years ago with the famous "Nigerian scam". Now let's think about how many times we did it through our work contact details.
Corporations are an increasingly frequent target of cyberattacks seeking profits in the millions of dollars. That is why user vigilance will always matter: users are the most vulnerable part of a security system, since they are the ones who handle the information that generates revenue. For that reason they must keep in mind that threats are always lurking, and that the right information will allow them to avoid those threats, even at home.
That is why we share below the basic security tips for the end-user:
- Companies must educate every employee through awareness campaigns, with courses given by the best-trained and most specialized personnel in security matters.
- All users must be alert and take responsibility for their information, both work-related and personal. We cannot allow anyone else to gain access to our own or our families' sensitive information.
- Build awareness that there are people seeking to profit from our information, and avoid, as far as possible, sharing personal and work information on social networks, including photos, surveys, documents, workplaces, etc.
- We must be suspicious of any unknown party trying to contact us by e-mail, social networks or phone calls, both inside and outside the workplace. We must put aside our curiosity and ask ourselves: "why is someone trying to get in touch with us?".
- Know how to classify our information, identifying what is confidential and what may be public, and above all be very careful about where and with whom we share it.