Page 23 - Cyber Warnings
Machine guns on the front lawn, but the back door is left open
How U.S. companies are failing to protect themselves from the #1 security threat
by Colin Earl, CEO and Co-founder, Agiloft
We all know the basics of technical IT security—strong passwords, multi-factor authentication,
256-bit AES encryption, and so on. These industry standards shouldn’t be overlooked, but most
security and privacy breaches have less to do with bad passwords and more to do with social
engineering – exploiting the employees, contractors, and partners of an organization.
According to the Verizon 2015 DBIR report, human errors, not technical attacks, account for
90 percent of security incidents.
These types of attacks have become so common that in January of this year, the FBI issued a
warning to businesses to become more aware of them. According to Lloyds, cyber-attacks
already cost $400 billion each year, and costs are expected to rise.
Despite this overwhelming data, businesses seem to be paying little attention to the threat.
Defense against social engineering attacks is the cornerstone of any worthwhile security policy,
yet many US companies fail to even ask their vendors about it.
They do ask about technical security, and may demand that vendors not use AES 128-bit
encryption because, using a supercomputer, it can be cracked in “only” one billion billion years,
i.e. 70 million times the age of the universe. Instead they require AES 192 or 256-bit encryption,
which takes many billions of times longer.
Organizations like the Cloud Security Alliance compile comprehensive documents, such as the
Consensus Assessments Initiative Questionnaire (CAIQ), for documenting and scoring technical
security.
But are security consultants really protecting the company with such requirements? Or is it
possible that they only measure things that are easy to measure and provide reports that give
management a false sense of security while ignoring the real threat?
The answer is the latter. The IT industry is busy planting machine guns on their front
lawns while leaving the back door open. It does not take a billion billion years to crack the
security of most organizations. It does not even take a billion days.
It takes about thirty – the time required to mount a solid social engineering attack.
Sixty percent of attempted social engineering attacks, that is, most of them, succeed. Consider that for a
moment: if a competent attacker decides to attack your company on January 1, it will probably
be breached by February 1.
23 Cyber Warnings E-Magazine December 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide