sec and ethics presentation

SECURITY RISKS RELATED TO HUMAN ERROR DARREN MCMANUS, ÉANNA HEGERTY, DONAGH MCINTYRE

Uploaded by: darren-mcmanus

Posted on: 28-Oct-2014

TRANSCRIPT

Page 1: Sec and ethics presentation

SECURITY RISKS RELATED TO HUMAN ERROR

DARREN MCMANUS, ÉANNA HEGERTY, DONAGH MCINTYRE

Page 2: Sec and ethics presentation

OVERVIEW

• News stories every day – exposure of private company information

• Not advanced technology or genius hackers but…

• “Human Beings, Being Human”

Page 3: Sec and ethics presentation

RISKS STEMMING FROM…

A. Careless Use Of E-Mail

B. Other Aspects of Human Error

Page 4: Sec and ethics presentation

A. CARELESS USE OF EMAIL

1. Employee Vulnerability to Spear Phishing Attacks

Fraudulent e-mail intent on gaining data/information – much more focused than traditional phishing, because it targets specific individuals.

Example: 2008 District Court Subpoena Scam

Solutions:

• Education

• Messaging Intelligence

• Phishing Filter

• Avoiding Embedded Links

• Increased Sensitivity of Spam Filters
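To show what the “phishing filter” and “avoiding embedded links” items mean in practice, here is an added example (not part of the slides) of a small triage filter that a mail gateway or mail client plug-in could run before a message reaches the employee. It applies three checks to a constructed sample message modelled on the subpoena-style lure the slide cites: a sender display name that claims a domain other than the real sending domain, a Reply-To that redirects answers elsewhere, and an embedded link whose visible text shows one domain while its href points to another. All addresses, domains and message contents are constructed placeholders; only the Python standard library is used.

```python
"""Added example: spear-phishing triage checks on a raw e-mail (stdlib only).

None of the addresses below are real; they are constructed for the demo.
"""
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure: the display name and link text name one domain, the real
# sender and the link target another.
SAMPLE_EMAIL = b"""\
From: "Clerk of uscourts.example" <alerts@mailer-9912.example>
Reply-To: clerk@mailer-9912.example
To: cfo@acme.example
Subject: Subpoena: appearance required
Content-Type: text/html; charset=utf-8

<p>You are required to appear. Download the subpoena here:</p>
<a href="http://mailer-9912.example/doc.exe">https://www.uscourts.example/subpoena</a>
"""

# Constructed benign internal message: link text and target agree, no Reply-To.
BENIGN_EMAIL = b"""\
From: "Alice Smith" <alice@acme.example>
To: cfo@acme.example
Subject: Lunch menu
Content-Type: text/html; charset=utf-8

<p>See <a href="https://intranet.acme.example/menu">intranet.acme.example</a></p>
"""

# Something that looks like a host name: labels, a dot, then a TLD-like suffix.
DOMAIN_RE = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain_of(addr):
    """Domain part of an address, lower-cased; empty string if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _html_body(msg):
    """Return the first text/html part of the message decoded to str, or ''."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def analyse(raw_bytes):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = _domain_of(addr)
    # Check 1: the display name names a domain that is not the sender's domain.
    for claimed in DOMAIN_RE.findall(display):
        if claimed.lower() != sender_domain:
            findings.append(f"display name names {claimed} but sender domain is {sender_domain}")

    # Check 2: replies would go somewhere other than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"Reply-To {reply_to} differs from From {addr}")

    # Check 3: link text shows one domain, the href points to another.
    collector = _LinkCollector()
    collector.feed(_html_body(msg))
    for href, text in collector.links:
        target = (urlparse(href).hostname or "").lower()
        for shown in DOMAIN_RE.findall(text):
            if shown.lower() != target:
                findings.append(f"link text shows {shown} but href goes to {target}")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("-", finding)
```

Each finding is a reason a message should be quarantined or flagged for the recipient rather than a verdict on its own; a real filter combines such signals with sender reputation and authentication results (SPF, DKIM, DMARC) that this example does not cover.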

Page 5: Sec and ethics presentation

A. CARELESS USE OF EMAIL

2. Use of Company Account for Personal Use (and Vice-Versa)

Lack of distinction between the company account and the personal account can lead to embarrassing or disastrous consequences.

Example: Anonymous – Sarah Palin, 2008

Solutions:

• Policy of separate accounts for personal and work use

• Ban on internal “chain mail” on company accounts

• If it is absolutely necessary to use a personal account for work purposes, encryption must be used

Page 6: Sec and ethics presentation

A. CARELESS USE OF EMAIL

3. Avoidable Loss of Old E-mails

It’s often assumed that once an e-mail is stored in an account it is safe forever.

However, e-mail accounts can crash, leading to loss of all data which hasn’t been backed up.

Example: G-Mail Mishap, 2006

Solutions:

• Manual e-mail backup to CD/storage device with a strict backup schedule

• Purchase of automated backup software to take care of backups automatically

Page 7: Sec and ethics presentation

A. CARELESS USE OF EMAIL

4. Mis-use of the “Reply All” Button

One of the most common e-mail mistakes made by individuals; it can result in sensitive or embarrassing information being sent to unintended recipients.

Example: LA Police Dept. Controversy, 2012

Solutions: Many e-mail providers offer a number of preventative means, e.g. Outlook:

• Option to remove the “Reply All” button

• Option of a 30 second lag on all e-mails

• Option of an alert warning the user that “Reply All” has been selected

Page 8: Sec and ethics presentation

A. CARELESS USE OF EMAIL

5. Over-Dependence on E-mail (especially for discussion of sensitive info)

E-mail is often seen as an “easy way out” communication tool providing a quick fix. The short-term relief, however, does not outweigh the potential problems, including clogging of internal e-mail systems.

Also problematic is the use of e-mail for sensitive correspondence more suited to a phone call or face-to-face meeting.

Example: Navio Computer’s Clogged Email System, 2011

Solutions:

• Ban on unnecessary internal e-mails

• Alternative cloud-based collaboration tools

• Face-to-face meetings and phone calls to discuss sensitive info

• Encryption if sensitive info MUST be sent via e-mail

Page 9: Sec and ethics presentation

B. OTHER ASPECTS OF HUMAN ERROR

1. Loss Of Laptop/Other Device (Containing Unencrypted Data)

Theft/loss of a computer or other data storage medium made up 35% of all data breaches in 2012. Such theft/loss can cost a company hugely in monetary terms as well as in image, competitive advantage and consumer trust.

Example: Dept. of Veteran Affairs Database Theft, 2006

Solutions:

• Education of employees around device and password security

• Immediate notification of loss or theft

• Encryption of all sensitive company data/info

• Device Management Consoles – monitor, set and enforce policies, and remotely wipe devices

Page 10: Sec and ethics presentation

B. OTHER ASPECTS OF HUMAN ERROR

2. Failure To Erase Data When No Longer Required/Permitted

It is generally good practice to destroy old info/data that is no longer required, to free up disk space.

More importantly, many sectors are governed by laws prohibiting retention of certain info after a specific time period.

Example: Affinity Health Care Digital Copier Mishap, 2010

Solutions:

• Policies regarding deletion of old e-mails, messages, call logs & files

• Strict reviews of data on all devices on a regular, continual basis

• Education of staff around safe destruction of old data

• Device Management Consoles (again) for remote wiping of lost/stolen devices

Page 11: Sec and ethics presentation

B. OTHER ASPECTS OF HUMAN ERROR

3. Sharing of User Account Details and Passwords

Password sharing – convenient & cost saving in relation to certain systems.

Can widen the potential for unauthorised access, especially when people leave the company.

It also prevents management from knowing who logged into what and when (audit trail).

Example: Lincoln National Securities Affiliate Access, 2010

Solutions:

• Assign usernames and passwords specific to individual users & grant/revoke permissions depending on what these users require

• Policies demanding ‘strong’ passwords & a mandatory routine for changing passwords

• Passwords should be changed when duties are reassigned or employees leave

Page 12: Sec and ethics presentation

B. OTHER ASPECTS OF HUMAN ERROR

4. Data Theft By Employees/Former Employees

Employees gain access to numerous systems through their employment, including e-mail accounts, HR payroll systems, etc.

Often companies do not prioritise the practice of updating user access & privileges when employees leave the company, opening the door to data theft by disgruntled former employees.

Example: Fidelity National Information Services Data Theft, 2007

Solutions:

• Policy of updating access and privileges when employees leave the company

• Purchase of systems to simplify the user provisioning process
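The solutions on this slide and the previous one (one named owner per account for an audit trail, permissions matched to what the user requires, rotation of passwords, and revocation when people leave) are the kind of thing a periodic access review checks. The following is an added example, not part of the slides: a review script run against constructed HR and account data. The record layouts, the role-to-system mapping and the 90-day rotation period are assumptions chosen for the demo; a real run would pull the same fields from the HR system and each application’s user list.

```python
"""Added example: periodic access review for the controls on these slides.

Flags, for every enabled account:
  - left_company:    an owner is no longer an active employee (revoke it)
  - shared:          more than one owner, so no per-person audit trail
  - no_named_owner:  no owner at all (orphaned service/shared login)
  - excess_privilege: the system is outside what the owner's role requires
  - stale_password:  password older than the assumed rotation policy
All data below is constructed; names, roles and systems are placeholders.
"""
from dataclasses import dataclass
from datetime import date

ROTATION_DAYS = 90  # assumed policy: passwords older than this must be changed

# Assumed least-privilege mapping: which systems each role legitimately needs.
ROLE_SYSTEMS = {
    "finance": {"email", "payroll"},
    "sales": {"email", "crm"},
    "it": {"email", "payroll", "crm"},
}


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    active: bool   # False once HR has processed the leaver
    role: str


@dataclass(frozen=True)
class Account:
    username: str
    owners: tuple       # employee ids; one is the norm, >1 means a shared login
    enabled: bool
    password_set: date  # when the current password was last changed
    system: str


# Constructed HR roster: Bob has left the company.
EMPLOYEES = [
    Employee("E1", "Alice", True, "finance"),
    Employee("E2", "Bob", False, "sales"),
    Employee("E3", "Carol", True, "sales"),
    Employee("E4", "Dave", True, "it"),
]

# Constructed account list from the applications' own user tables.
ACCOUNTS = [
    Account("alice.payroll", ("E1",), True, date(2014, 9, 1), "payroll"),
    Account("bob.email", ("E2",), True, date(2014, 5, 1), "email"),
    Account("sales-shared", ("E2", "E3"), True, date(2014, 10, 1), "crm"),
    Account("carol.payroll", ("E3",), True, date(2014, 10, 10), "payroll"),
    Account("old.svc", (), True, date(2014, 1, 1), "email"),
    Account("bob.crm", ("E2",), False, date(2014, 5, 1), "crm"),  # already disabled
]

TODAY = date(2014, 10, 28)  # fixed review date so results are reproducible


def review(employees, accounts, today):
    """Return a dict of finding category -> list of usernames, in input order."""
    by_id = {e.emp_id: e for e in employees}
    findings = {
        "left_company": [],
        "shared": [],
        "no_named_owner": [],
        "excess_privilege": [],
        "stale_password": [],
    }
    for acct in accounts:
        if not acct.enabled:
            continue  # already revoked; nothing to review
        if len(acct.owners) == 0:
            findings["no_named_owner"].append(acct.username)
        elif len(acct.owners) > 1:
            findings["shared"].append(acct.username)

        owners = [by_id.get(emp_id) for emp_id in acct.owners]
        if any(o is None or not o.active for o in owners):
            findings["left_company"].append(acct.username)
        else:
            # Only judge privilege against roles of people who still work here.
            for owner in owners:
                if acct.system not in ROLE_SYSTEMS.get(owner.role, set()):
                    findings["excess_privilege"].append(acct.username)
                    break

        if (today - acct.password_set).days > ROTATION_DAYS:
            findings["stale_password"].append(acct.username)
    return findings


if __name__ == "__main__":
    for category, usernames in review(EMPLOYEES, ACCOUNTS, TODAY).items():
        print(f"{category}: {', '.join(usernames) or '-'}")
```

The output of each category is a work list: `left_company` accounts are disabled immediately, `shared` and `no_named_owner` accounts are replaced with individual logins so the audit trail names a person, and `excess_privilege` entries go back to the owner's manager for confirmation before the permission is removed.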

Page 13: Sec and ethics presentation

B. OTHER ASPECTS OF HUMAN ERROR

5. Use of company laptops outside of work / personal laptops in the workplace

Ideally, the same device should never be used for both – if a company laptop MUST be used outside work, it should never be left unattended or connected to unsecured networks.

Example: Saudi Aramco Virus Infection, 2012

Solutions:

• Separate laptops for home and work, except when absolutely necessary

• Password protection & no sharing

• Deletion of sensitive information when no longer needed

• Restrictions on the type of data allowed outside the workplace

• Encryption of all sensitive information

• Restrictions on connection to unprotected networks

Page 14: Sec and ethics presentation

B. OTHER ASPECTS OF HUMAN ERROR

6. General Simple Human Carelessness

By our nature, humans will suffer lapses in concentration or oversights.

In business, carelessness such as failure to double-check standards or erroneous publication of data may have disastrous consequences.

Example: AOL Release of Search Data, 2006

Solutions:

• Education of employees about their responsibilities regarding data security and the use of technology to avoid data breaches

• Preparation & implementation of data breach policies and response plans

Page 15: Sec and ethics presentation

CONCLUSION

• Data breaches not necessarily associated with new technologies and genius hackers

• Reality: Many can be associated with human error

• Ponemon: 78% – “human negligence or maliciousness”

• Many breaches can easily be avoided

• Precautions can be aided by technology, but old familiar security fundamentals are key:

  • Training & Education

  • Policies, Revisions & Analysis

  • Data Encryption

  • Common Sense & Sound Judgement