People are the biggest vulnerability

One of my favourite TV programmes is "The Real Hustle", where a team of ex-confidence tricksters show how easy it is to use social engineering to gain access to other people's goods and money.

Of the three security areas that can be addressed (people, process and tools), people provide both the largest target and, because victims are reluctant to own up to being conned, the one where an attack is least likely to be discovered.

With the opening up of systems through b2c (business to consumer) and b2b (business to business), data is no longer isolated in a castle surrounded by a firewall "moat". Businesses need to understand not only the vulnerabilities of their own employees, to risks such as fraud, boredom, pride and revenge, but also those of their customers - as illustrated by this article on PIN sharing. Their suppliers also hold an increasing amount of company information, whether product sales figures (how tempting to the competition) or future strategy (ditto) through IT plans.

Mitigating the Risk

Whilst the risks will never completely disappear, there are some ways that the risk can be reduced:

  • Clear policy - state what is expected in terms of security as a means of education and, should the worst happen, recompense
  • Secure process - understand which processes are vulnerable and who is involved in them, so that risk mitigation can be prioritised and addressed
  • Vetting - you would not let a known criminal into your home without watching them carefully, so why allow them to use your payment cards without watching what they do (attempting to stop them completely would be a waste of time, not to mention being unfair to reformed criminals)
  • Training - how many people know what they need to do, on a weekly basis, to keep their PC more secure?
  • Tools - give them the right tools that do not impact their ability to do their jobs (otherwise they will simply work around them) but do make the organisation more secure

 

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
