Uninvited House Guests and Security Awareness

Page two of this morning’s IDB had a one paragraph blurb about how Chinese hackers, presumably affiliated with the Chinese government, had, according to a Senate panel, breached computer systems of defense contractors, most of whom were involved in movements of troops and supplies. The report stated that there were 20 occurrences of this within the last year; almost two per month.

Perhaps this news is not as sensational as Target or Home Depot being hacked which explains why it was buried as such a small blurb. Clearly, it could have been a front page article. Regardless, there is another lesson here which on the surface may not appear obvious.

Besides the overt assumption that the hackers were interested in troop movements, and indeed, they very well may have been, they were also certainly interested in something else’ credentials and leverage. Obtaining credentials and leverage allows them to gain even greater levels of access and information.

Many of us know and recognize that the human element remains the weakest link in our security chain. SO what does this hack have to do with security awareness? Simple, security awareness too often focuses on why employees should protect the assets of the organization, and rarely addresses the very basic human instinct of “why is this important to me?”

Protecting the assets and information of the organization is everyone’s responsibility, and of course, security awareness training should, and must focus on those points. However, security awareness training should also focus on the potential risk and impact to the individual employees. If each individual in the organization realized how intertwined their own personal information was with that of the organization, then perhaps more care would be taken to protect those mutual assets.

In this specific example, personal information on employees, once obtained, could be potentially used as leverage for further extortion, blackmail, and espionage. Even without national security implications, every organization has potential HR, health, or other data which can be leveraged. Even accessing an HR database would yield a treasure trove of information which could be used to open accounts and steal identities. The toll to those individual employees would be high.

Perhaps we can achieve better success at strengthening the weak, human link, by structuring security awareness content to also address how each of us is personally affected by potential breaches to the organization.

– Ted Lloyd, CISM

Leave a Reply