Human error and complacency biggest IT security threats

According to security service providers, organisations can spend a million dollars on a solution but it won’t protect the business from threats often caused by lack of staff education.

A recent survey conducted by Galaxy Research has found that only 33 percent of IT managers believe converging online threats are a major problem to their company’s security systems.

Despite their lack of concern, in the month of March alone, security software vendor MessageLabs found 2.9 million spam emails with links to Storm malware were received, proving that these converging security threats are both real and widespread.

Frank T. Windoloski, general manager Commercial Security Solutions at Verizon Business said the survey certainly rings true for him. Feedback he is receiving in the managed security field is that hackers are constantly inventing new ways to try and break into organisations.

“These people are strides ahead of everyone else. In a typical working environment most people believe that technology alone will deter hackers into breaking into an organisation’s network,” he said.

On the other hand, when an organisation does incorporate a security policy, Windoloski said these company policies are a blanket policy of denial. He argued these businesses believe if they deny access to social Internet sites to their employees, then they are safe from harm.

“Just because they are not seeing someone steal the mail doesn’t mean it’s not happening. Some of the employees, especially those just out of University, can easily get around those types of security policies,” he said.

Most organisations believe a blanket approach to disallowing user’s access to social networking sites will stop potential virus outbreaks. According to security resellers, businesses become complacent once a security product is installed and rely solely on the product to protect the organisation.

According to Lee Curtis, business development manager for security service provider Ice Systems, many organisations aren’t clued up on security issues and turn up the paranoia level or they put all their trust into technology and their staff.

“All it takes is someone from the inside of an organisation to make a mistake and let the bad guys in. That is why a lot of these hackers are targeting social networking sites, because they realise it’s the humans that make an organisation vulnerable. These days you can find out everything about an organisation very easily, including their weak spots,” he said.

With that in mind companies can’t be complacent when it comes to IT security said Curtis. They must be able to take the technology they have and make sure all of their staff are well educated on the security vulnerabilities of an organisation.

“It is so easy to buy a million dollar security solution, and expect the high price tag to protect an organisation. In most cases it has been human error and not technology that’s the problem. At least 80 percent of people are forcing the bad guys to go through the human route, because that is the easiest way to attack an organisation. It would be simpler and cost effective for an organisation to look after its staff then to implement a crack a security system,” he said.

Curtis recalled a story he recently heard from a security expert working at a national bank in Australia. The security experts job was to conduct ‘penetration tests’, so according to Curtis this person put on a Telstra shirt, walked into the bank’s building and said the organisation’s switch was down. He created a lot of huff and puff; so the building’s security agents let him walk through to the switch room.

“It was very rare for an organisation to pass this ‘penetration test’. It wasn’t technology that failed the bank, it was the human element. I believe that a combination of processes, policy, technology and staff education will keep the bad guys out of an organisation,” Curtis said.

There is no great panacea to securing a business, the challenge is for an organisation – at a managerial level – to let go of their paranoia and/or security blanket (technology) and implement a well rounded process to ensuring the IT security of an organisation isn’t compromised.