How much time and money does your company spend on IT security? Whatever that number is, twice that should be spent on end user education. Like purchasing a home alarm system but leaving the front door wide open, all of the IT security efforts in the world are for naught if your end user education is lacking.
Firewalls, complex password policies, intrusion detection systems, encrypted VPN tunnels: none of these will do you any good at all if you have one Customer Service Representative (CSR) who is willing to pass along sensitive information – likely unknowingly – when the right (wrong) questions are asked.
Chances are your CSR has the best of intentions when your IT policies are compromised. When the inevitable breach occurs, and a mad scramble by the IT staff ensues, trying to determine what allowed the breach, the guilty CSR will be oblivious to the fact that they were the springboard for the crisis.
Teach your users to be skeptical of any inquiries that are not directly related to their own position. Cold calls, whether they appear to be sales pitches or anything else, should never be taken at face value. If a call is not directly related to the products or services offered by your company, or to a specific account that the person on the other end of the phone can prove they own, it is better to pass the call up to a manager than to answer random, seemingly innocent questions.
Something as simple as confirming the spelling of internal employee names, email format, or direct numbers as opposed to internal extensions can assist an intruder in finding areas more likely to be susceptible to attack.
I would never suggest that security through obscurity is a valid approach to protecting your IT assets, but educating your end users to be skeptical of social engineering or phishing inquiries should be as high on your list of priorities as the more familiar lessons: not to open binary attachments from unknown sources; that the Prince of Nigeria is not willing to split his inheritance of 2 million Euros if they would simply forward a sum of money via Western Union to help him get out of the country; and that their banking institution does not need them to fill out a form online to ensure their account stays active.