For Data Security, Employees Are the Weakest Link

The weakest link in data security isn’t hardware or software – it’s wet-ware… aka human beings.

Increasingly, data thieves are breaching company security via company employees – employees who are careless, clueless, or just plain human.

According to a study by PricewaterhouseCoopers, 82% of large organizations reported that data breaches stemmed from employee mistakes.  (Another study by Symantec and the Ponemon Institute puts the figure for human mistakes and system problems at “only” 64%.)

These “mistakes” were often innocent rather than careless, due to companies’ failure to educate their employees about security – only 54% of small businesses and 38% of large businesses have security awareness programs for employees, according to the study.

Speaking of careless, one in seven businesses that say they put a high or very high priority on security don’t even have a written security policy.

Companies can try to force their employees to be “safer” – to use long, complex passwords and change them every 60 days.  But changing passwords is like stocking up on life preservers on the Titanic – it’s a good idea, but it’s not going to keep the ship from sinking.

Most successful security attacks involve “phishing” – convincing an email recipient or website visitor to click on an innocent looking link, or to download an app or an attachment that launches malware that tunnels straight into the heart of the company’s data.

Most employees are savvy about phishing, but according to a study of 372 companies and 291,000 people, about 16% of employees are especially prone to clicking on links in phishing emails.  Of course, it only takes one gullible employee to open a door for a data thief.

Senior managers are more likely than rank-and-file employees to make security mistakes, such as uploading sensitive company information to personal devices or cloud accounts.  One CEO of a public company had his email hacked for six months because he never changed his password, thinking he was “above” such things.

Thieves can even use other companies’ employees to do their dirty work, unwittingly.

The hackers that broke into Target’s network and stole over 100 million records containing customers’ personal information are reported to have gotten in using the credentials of Fazio Mechanical, a heating and ventilation contractor that did work for Target.

The hackers apparently climbed in through the virtual airshafts via a malware-laced phishing attack on the HVAC firm’s employees, according to Krebs on Security (the blog that broke the Target scoop).

The malware involved may have been Citadel – a password-stealing bot.  Citadel is a nasty and versatile hunk of toxic code that has the ability to send recordings of Internet sessions to its controllers.  It can log keystrokes automatically and grab FTP and POP3 email credentials.  It can even protect itself by evading security software and preventing an infected host from connecting to security sites or receiving antivirus software upgrades.

Fazio issued a statement that “our IT system and security measures are in full compliance with industry practices.”

Fazio reportedly used a free malware-detection program – an on-demand scanner licensed only for individual (and not corporate) use that doesn’t offer real-time protection against attacks.

If that’s “industry practice,” then no wonder there are new data breaches every week.  And if “industry practice” is good enough, then why will organizations worldwide spend an estimated $364 billion in 2014 to deal with data breaches?

How Hackers Use Employees

According to Violet Blue of ZDNet, there are many ways hackers can use employees to break through their employers’ security walls.

Front Page News Attacks are phishing attacks tied to current events – for example, “Click here to donate to victims of [disaster du jour].”

Mobile Malware Attacks involve links in text messages sent to smart phones.  70% of all mobile attacks are against Android devices, but Apple also announced a security upgrade in February 2014 – to fix an iOS problem that had existed since 2012.

In the BYOD (bring-your-own-device) environment, employees can’t be relied upon to update to the latest (and most secure) OS versions, especially when those updates may cause problems with speed and battery life.

Personal laptops aren’t any better protected.  43% of consumers don’t routinely install security updates on their own computers.

While 75% of large corporations allow employees to connect their mobile devices to company networks, according to the PricewaterhouseCoopers study mentioned above, only 39% of companies encrypt the data on their networks.

Evil Maid Attacks involve leaving a laptop, tablet, or smartphone unattended in a hotel room.  An attacker needs only moments to boot and infect a laptop using, for example, a USB stick.

Watering Hole Attacks happen when employees visit popular and legitimate (but compromised) websites.

Remote Access Attacks involve employees who sign into the corporate network using a borrowed device or via an unprotected Internet connection (wired or Wi-Fi).

Unsafe Sticks: Employees often don’t think twice about sticking random USB sticks into their company (or BYOD) laptops, to watch movies downloaded from pirate (and potentially dangerous) sites or borrowed from (potentially infected) friends.

Until employees can be programmed like androids (the robots, not the mobile devices), trying to change human behavior is pretty much hopeless when it comes to security.  People resist change.  They’re lazy.  They forget things.  They’re “too busy” or “too important.”  And sometimes they’re just plain dumb.

What’s the Solution?

Better security requires more than just updates, patches and Band-Aids for a flawed system – it requires a fundamentally new approach.

PACid’s patented technology can eliminate the employee weak link by effectively taking the “keys” away from the employees.

With PACid’s dynamic encryption security, encrypted secrets are isolated in a secure “vault” or “bunker.”  This vault is isolated from malware.  The user ID and password give access only to the vault, which then sends a one-time-use ID and password (user credentials) to the host site on an encrypted machine-to-machine basis.  Knowing the user ID and password for the vault is useless without also having physical possession of the vault.

PACid’s system generates long, dynamic user credentials that no end user needs to (or could) remember.  These user credentials change automatically after every use, and the encryption used within a session changes every few minutes, so even if user credentials were intercepted, they would provide access only for a very brief time.  User credentials that work for one session ONLY work for that session.
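The two properties described above – a vault that alone can mint credentials, and a host that accepts each credential exactly once – can be modelled in a few lines. The following is an added illustrative example written for this page, not PACid’s code or its patented design; the HMAC-over-counter scheme, the class names and the sample user are assumptions of the model.

```python
import hashlib
import hmac
import secrets


class Vault:
    """Model of the credential vault: it alone holds the long-lived host secret."""

    def __init__(self, user_id: str, password: str, host_secret: bytes):
        self.user_id = user_id
        self._pw_hash = hashlib.sha256(password.encode()).digest()
        self._host_secret = host_secret  # shared with the host, never shown to the user
        self._counter = 0

    def issue_credential(self, user_id: str, password: str):
        """Unlock with the human-memorable login, then mint a fresh one-time credential."""
        pw_hash = hashlib.sha256(password.encode()).digest()
        if user_id != self.user_id or not hmac.compare_digest(pw_hash, self._pw_hash):
            return None
        self._counter += 1                   # monotonic: each credential is usable once
        nonce = secrets.token_hex(16)        # makes the credential long and unpredictable
        msg = f"{self.user_id}:{self._counter}:{nonce}".encode()
        tag = hmac.new(self._host_secret, msg, hashlib.sha256).hexdigest()
        return (self.user_id, self._counter, nonce, tag)


class Host:
    """Model of the host site: verifies the tag and refuses any counter already seen."""

    def __init__(self, host_secret: bytes):
        self._host_secret = host_secret
        self._last_counter = {}              # highest counter accepted per user

    def authenticate(self, cred) -> bool:
        user_id, counter, nonce, tag = cred
        msg = f"{user_id}:{counter}:{nonce}".encode()
        expected = hmac.new(self._host_secret, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False                     # forged or tampered credential
        if counter <= self._last_counter.get(user_id, 0):
            return False                     # replay of an already-used credential
        self._last_counter[user_id] = counter
        return True


def demo() -> dict:
    """Run the cases the text cares about and return their outcomes."""
    host_secret = secrets.token_bytes(32)    # constructed sample: known only to vault and host
    vault, host = Vault("alice", "correct horse", host_secret), Host(host_secret)
    cred = vault.issue_credential("alice", "correct horse")
    first_use = host.authenticate(cred)      # fresh credential: accepted
    replay = host.authenticate(cred)         # same credential intercepted and replayed: rejected
    wrong_password = vault.issue_credential("alice", "wrong") is None
    forged = host.authenticate(("alice", 99, "00", "deadbeef"))  # no vault, so no valid tag
    return {"first_use": first_use, "replay": replay,
            "wrong_password": wrong_password, "forged": forged}
```

The `forged` case is the “physical possession of the vault” point: an attacker who phishes the vault password still cannot produce a credential the host accepts, because the host secret never leaves the vault.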

The solution to the weakest link problem isn’t based on changing human behavior or educating employees to make smarter decisions.  It’s based on a new industry standard that can maintain security even when people act like people.