Focus your IT security
A recent IT security conference in the USA, attended by professionals from around the world, focused on the existing and future challenges facing organisations. Top of the list were three major areas: phishing and social engineering schemes, accidental data leaks by end users, and the specific targeting of an organisation's data for commercial or political reasons.
Surprisingly, the attendees also found that within their own organisations more money and more resources were allocated to areas of lesser importance, with these major concerns demoted as a result. The areas receiving the greatest resources were internal mistakes and security vulnerabilities introduced by purchasing off-the-shelf packages, or caused by the internal technology support teams.
Phishing is defined by Wikipedia as an attempt to acquire sensitive information, often for malicious reasons, by masquerading as a legitimate and trustworthy entity. This usually takes the form of instant messages or emails purporting to be from social websites such as Twitter and Facebook, from banks or online payment organisations, or even from large organisations such as Microsoft or Apple.
Victims are usually duped into entering personal and confidential information into fake websites, many of which also host malware. As a savvy IT user, you must also be aware that simply clicking an attached link can infect your machine with malware. Phishing is only one of a number of social engineering techniques.
Social engineering seeks to build trust with a user in order to gain access to their confidential data for malicious purposes. I am sure most of you have received phishing mails or messages on a number of pretexts: most commonly from courier companies advising that they are holding a parcel containing millions of dollars for you, or, more recently, from companies advising that an attempt was made to defraud you and that they have intercepted it.
Once you have made contact, these entities can then start building trust with you using social engineering techniques.
This type of security risk targets the users within an organisation. Organisations should therefore focus more of their resources on regularly training their users to recognise and report such attempts, and of course on introducing and enforcing an up-to-date user IT policy, which should form an essential part of any employee contract.
This should mop up any accidental security risks the organisation faces and reduce the second area of concern, which is accidental data leaks by users. Such leaks can be controlled by an established group policy applied to all user devices and traffic; both Microsoft and Kaspersky offer very efficient suites of tools that include these controls.
Specific targeting of organisations requires stringent firewalls and security procedures to minimise external risk. There is a wide range of hardware and software security solutions on the market: choose a tried and tested product, check the client references for your choices, and, most importantly, either use a qualified supplier to deploy it or ensure that your internal staff are skilled in the product.
As a certified Kaspersky solution provider, we frequently encounter clients in Malawi who have bought the product and run it incorrectly, leaving their installation insecure. Security solutions are just that: solutions. They are not products that can simply be plugged in and expected to work immediately. Risk mitigation requires an understanding of the risks the organisation faces and of how the product can minimise them.

A vibrant writer who gives great insight into hot topics and issues