One of the biggest threats to security is human error – Kaspersky

We speak to David Emm, principal security researcher of Kaspersky’s global research and Analysis team, about the biggest security threats to consumers and businesses.

What have been the biggest security threats to businesses over the past year?
We’ve seen a huge rise in the number of targeted attacks this year, such as the hacking of French national TV network, TV5 Monde.

Stealing money or confidential data is not the only motive behind attacks – sometimes the purpose of an attack is to make a political or social point.

Unfortunately the rise of such attacks is indicative of society’s increasing reliance on the internet. Almost all areas of our life now have an online aspect to them, so it’s hardly a surprise to find that social and political activity is moving online too.

The problem is that today such attacks can be set up cheaply and easily, from almost anyone, whether that be a competitor, a dismissed employee, socio-political protesters or just a lone wolf with a grudge.

As a result, we’ve seen the volume of targeted attacks rapidly increase in recent years. No matter how big or small an organisation is, the reality now is that everyone is at risk from a cyber-attack, so all organisations need to be vigilant.

Is a lack of security education in the workplace partly to blame?
One of the biggest threats to security is often human error. Cybercriminals try to find weak points in a corporation’s IT infrastructure and locate the tools necessary to launch an attack. As businesses often see protection against cyber attacks as a “technical” issue, they often ignore the human factor of corporate security and overlook the issue of human error. This means they don’t establish a security awareness programme as part of their security strategy.

"No matter how big or small an organisation is, everyone is at risk from a cyber-attack, so everyone need to be vigilant."

Cybercriminals gather information from public resources that allow them to modify their attack and sidestep the company’s security applications. With the use of social networks, there is an evolving risk of employees accidently posting tiny pieces of information that might threaten a business, such as what applications or security tools are used. Individuals need to realise that any data they post online can put both themselves and their employer at risk.

Organisations should aid this process by providing staff with education on the dangers associated with over-sharing online.

What have been the biggest security threats to consumers over the past year?
We’ve seen a number of high profile cyberattacks this year on websites such as Ashley Madison and Mumsnet, where cyber-criminals have actively targeted websites on personal vendettas rather then financial gain.

The hacking group ‘Impact Team’ delivered on its promise of revealing email addresses, usernames, passwords and credit card transactions for the people using the Ashley Madison website.

The leaked data contained information such as real names, addresses and credit card details. Now that it’s public, cybercriminals have the opportunity to use this information to steal money and personal identities, or simply blackmail victims.

What can consumers do to try to stay safe?
There are a few steps consumers can take to protect against such attacks in the future. People should always read any terms of use and privacy policies very carefully before sharing confidential data with websites, especially when credit card details are required. Unfortunately, once a breach of this nature has been made, there is not much that can be done.

In most cases, users should change usernames and passwords and potentially notify the bank to apply for a new credit card – just to be on the safe side.

Ultimately, the damage related to users’ privacy being compromised is not something that can be easily fixed. However, using unique passwords for each online account will restrict the extent of the damage from any such breach by preventing the ‘domino effect’, where if one account is compromised they all are. 

What are your top 3 security tips for businesses?
1. Create staff security awareness
Unfortunately, businesses can often ignore the human dimension of security. But often the starting-point for a targeted attack is to trick individuals in the company into doing something that puts the company’s security at risk. It’s vital that all employees are aware of the risks and that management doesn’t solely rely on technology to protect the company. So, organisations need to ensure they make security awareness part of their security strategy.

"While devices are getting smarter, it does not necessarily mean they are secure."

2. Don’t forget mobile devices
The task of securing data has become harder for businesses as staff increasingly bring their own devices in the workplace and conduct business ‘on the go’ via multiple devices. In order to reduce the risk of attack, security policies must be revised to reflect the changes in working practices. It’s no longer possible for IT departments to defend the traditional network perimeter. Instead, they must apply a security ‘wrapper’ around every employee – so that they are protected wherever they work and whatever device they use. Secondly, the tools deployed across the business must be flexible enough to implement this ‘follow-me security’ policy.

3. Ensure business continuity
It’s important to deploy an anti-malware solution which can block new and unknown threats. A response plan to any outbreak of malware within the business should also ensure that continuity if the worst was to happen. Making sure that necessary measures are taken, such as handling public relations to minimise the impact on the company’s reputation is one way to do this.

How are new products and trends effecting business and consumer security?
While devices are getting smarter, it does not necessarily mean they are secure. Take fitness trackers, for example; while they help us manage our physical activity and stay in shape, they also have the potential to put our security at risk – after all, they are effectively extensions of our mobile devices.

Organisations have faced a huge challenge with BYOD. Often devices were purchased on an ad hoc basis, rather than being part of an IT-managed process, so IT departments often had to retro-fit security and management of mobile devices. However, having gone through the process of managing mobile devices, many businesses will be better placed to deal with the management of wearable technology within the workplace.

It’s important that they review their business and security strategy in light of Wear Your Own Device (WYOD), rather than letting it creep into the company. They need to assess the benefits it might bring, determine the risks and put in place a strategy to manage it. Wherever devices are used, whatever the technology they’re based on, all mobile endpoints that can connect to your network need to be fully secured.

In order to provide this protection, IT managers need mobile security policies that not only overcome complexity and protect against malware, but also allow for simple human error, loss and theft.

Throughout November, PCR is running a dedicated Sector Spotlight on Security – Click the logo below for more articles