The Problem: One day earlier this year, 102 employees at the Internal Revenue Service received calls from a group of people posing as helpdesk personnel. The callers explained they were working on a network problem and asked the IRS staff to provide their usernames and to change their passwords to ones suggested by the callers. Sixty-one employees complied. The network and its data were compromised. The IRS was successfully hacked.
The Solution: The above hacker tactic is called social engineering. It’s typically done just like that: over the phone and under the guise of ‘IT working on a network problem.’ The con works well. In the interest of being helpful, the unwitting employee is manipulated into revealing critical information and the network is ultimately breached. A three-minute phone call could torpedo your best computer security efforts.
Network security is everyone’s responsibility. For the company, a single network intrusion could mean the loss of valuable proprietary information, massive public embarrassment and even significant legal exposure. To help mitigate the risk, every person on your team should be challenged to be more vigilant. By raising the level of awareness on the front lines, organizations are better able to intercept threats before they cause real damage.
Your company’s security begins at the top. Management must consider it a priority. Here are the seven top management errors that lead to computer security problems:
#7 The Ostrich: Ignore it. Pretend it will go away.
#6 The Quick Fix: React. Do the band-aid fix. Neglect the core problem.
#5 The Undervaluer: Underestimate how much your data and reputation are worth.
#4 The One-Gun Cowboy: Equate security with a firewall. Big mistake.
#3 The Wham-Bam-Thank-You-Ma'am: No operational follow-through to ensure problems stay fixed.
#2 The Old School Guy: Understands physical security but does not ‘get’ the importance of computer security.
#1 The Dangerous Delegate: Give the responsibility of computer security to an unqualified person. No tools, no experience, no training.
Over the next few months, we will take a closer look at some actual cases of security breaches in local Hawaii businesses. We hope that these studies will raise the level of awareness for computer security. Additionally, we will provide:
1. Network Threat Assessments for companies wanting to know exactly where and how their networks are vulnerable.
2. Security Awareness Training for employees needing a better understanding of common but unsafe computing habits.
3. Hacking Boot Camp for Managers (Nov 16-22, 2007) so executives can see, via hands-on instruction, how attacks are done and how they can be prevented.
The goal is to offer insight into the world of computer security so that decision makers can return to their offices and ask the right questions of their IT staff. If you need help or simply want more information, please call me at 808.942.0773 or email me at help@supergeeks.net.
James Kerr is Chief Geek at SuperGeeks, a Hawaii-based computer consulting company offering outsourced IT services. Visit them on the web at www.SuperGeeks.net.