You are walking across the lobby of your office and you see a USB memory stick lying on the floor. Someone must have dropped it. Being a Good Samaritan, you stop to pick it up and take it to your desk. Now, how do you identify who it belongs to? You plug it into your computer, of course, and open the file on it.
Don’t laugh. In a recent experiment, part of a study run by CompTIA, 200 USB sticks were left on the ground in public spaces, and almost 1 in 5 individuals, or 17%, did just that. These were not all unsophisticated users. At the San Francisco International Airport, for instance, a number of IT industry workers found and plugged in the sticks. In fact, a security office located within a multinational corporation’s office building also found a stick and emailed the alias address. In their emails, a handful of respondents asked if the USB had a virus on it.
What is going on here? While information technology professionals have been worrying about the security of the cloud, your employees turn out to be the greatest risk. As we now understand, the public cloud is more secure than your data center. However, employees report that only 42% receive formal cyber security training.
Think about it. As we grew up, our teachers and parents embedded in us security sensibilities for the physical world: “look both ways before crossing the street”, “don’t talk to strangers”, “don’t leave your wallet or purse unattended”, and so on. Where is that kind of training for the virtual world today? Does your school system or your company teach basic IT security hygiene? Where do you learn what a phishing attack looks like and not to click on the embedded link (the Sony Pictures and OPM attacks)? How about learning not to plug unknown USB sticks into your computer (the Stuxnet attack)?
Nope! If we get any training at all, we get boring computer-based training on corporate IT security policies and are lulled into a sense of security by having anti-virus software on our laptops. While your security pros are worried about firewalls and back doors to your systems, the hackers are strolling in the front door.
Human factors present one of the biggest security challenges for companies running any IT system, not just cloud platforms. People have different levels of system access, but whether they work in an IT department, are non-IT employees or are customers, each plays a critical role in maintaining or damaging system security.
Fortunately, there is a straightforward fix to this. Gartner has just published a report listing a number of firms that are providing employee security training and evaluations. But like any self-improvement effort, you need to do it and repeat it until it becomes a new part of you. Want some motivation?
“There are two kinds of companies in the world: those that know they’ve been hacked, and those that have been hacked and don’t yet know it.” Fortune, March 2015
Do yourself a favor and strengthen that weak link with some cost-effective and low-risk employee training.