What’s the Weakest Link in Security?

We already know that we need internet security: a firewall, an anti-malware program, a web filter, a spam filter, and a monitoring system.

So, why do some companies that have all of these systems in place STILL get hit with a malware attack?

Simple: someone in the company clicked on something they were not supposed to.

It all comes down to people. We are the weakest link. More often than not, we don’t mean to be, but when we receive a seemingly legitimate email or see an appealing advertisement, it’s easy to forget why we need internet security in the first place.

Recently, I read about a law firm that was being “tested” by a cyber security risk evaluation company.

Here’s the test:

An analyst called the law firm's tech support center, posing as one of the firm's partners, and asked for help installing a piece of software, insisting that it was mission-critical. He claimed that his password wasn't letting him install it.

In response, the tech support employee offered his own password to help, which also happened to be the top-level administrator password. This decision goes completely against every I.T. hygiene procedure an I.T. company should follow.

This "breach", gaining top-level admin access, took only a matter of minutes and a single phone call.

What does this show us?

No matter what rules we have in place, they can be broken, especially under pressure. As a business, we always want the customer to be satisfied, so if they insist that we break standard procedures, our judgment may start to waver.

In other words, no matter what technical solutions we employ, they can always be circumvented by people.

So, what does this mean? Should we just give up on security altogether?

No. Education about security can greatly reduce the likelihood of a breach.

In the case of the law firm, for example, both the technician AND the partners needed to learn. The technician needed to learn that handing out his password over the phone is not allowed, no matter who asks. The partners needed to learn that putting undue pressure on employees to break the rules subverts the whole point of security.

What are your next steps?

Your first priority is to ensure that the I.T. company you employ is properly educated, and then your next step is to educate your employees. Do they understand I.T. security? Can they identify potential malware or when hacking may be occurring?

Consider getting some really solid training on security for your staff. Humans are the weakest link, and education and training are the solution.