No one likes to have a difficult conversation with a friend, family member or colleague. At home, there is nothing worse than having to tell your son or daughter that their cherished hamster has died, for example.
However, this pales into insignificance compared to the conversation many Chief Security Officers (CSOs) have to have with their Chief Executive Officer, or another senior figure in the business, to explain how the corporate network was breached and what damage was done.
And how much harder is that conversation going to be when the CSO has to explain that it was the actions and behaviour of the executive himself or herself that led to the breach, and to the resulting risk to corporate reputation and data?
KRC Research recently carried out some interesting research which questioned information workers in the United States about their information security attitudes and practices and found that those who have the highest access to valuable company information are the very people more likely to engage in risky behaviours.
The research found that an incredible 87% of senior managers admitted to uploading work files to their personal e-mail and cloud accounts. Of these, 37% said it was because they prefer to use their personal computer, and 14% said it was too much work to bring their work laptop home. Not only that, but 58% of senior managers admitted to having accidentally e-mailed sensitive information to the wrong person, compared to 25% of workers overall. And 51% of senior managers admitted to taking files with them after leaving a job, again compared to 25% of office workers in general.
The trouble is that the C level in any organisation has privileges others simply do not have. Coupled with that, the typical profile of a 'Level 8' exec (the most senior tier) is someone who is high up in the organisation's food chain and therefore a more prestigious target; who is often not IT savvy; who tends to be extroverted and outgoing; who has more access rights than they actually need; and who, all too frequently, simply orders that security measures be bypassed for them.
Increasingly, the cybercrime gangs that target organisations recognise that the direct route into a company is not always the best one, and they look for just these sorts of high-prestige, low-awareness individuals to find a stealthy way into the network. After all, they are looking to be there for the long term, so stealth and concealment are essential.
Targeted e-mails are one way these gangs go after the C level. Simple research on social media or Google turns up plenty of useful detail about what makes the CEO or CIO tick as a person, and from there it is not hard to send them an enticing e-mail purporting to be from someone they know: a familiar display name on an unfamiliar address, a lookalike domain, or a Reply-To that quietly points somewhere else.
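The three tell-tales of a spoofed "from someone they know" message can be checked mechanically before the executive ever sees it. The script below is an added example, not code from the original article or from KRC Research; the contact directory (`KNOWN_CONTACTS`), the internal domain list (`INTERNAL_DOMAINS`) and both sample messages are constructed for illustration, and the function names are my own. It parses a raw message with Python's standard `email` library and flags a display name that belongs to a known contact but arrives on a different address, a Reply-To domain that differs from the sending domain, and a sender domain within a small edit distance of one of the organisation's own domains.

```python
"""Flag common spear-phishing indicators in a raw RFC 5322 message.

Added example, not from the original article. The contact directory,
internal domain list and sample messages below are constructed.
"""
import email
from email import policy
from email.utils import parseaddr

# Hypothetical directory of senior staff: normalised display name -> real address.
KNOWN_CONTACTS = {"jane doe": "jane.doe@example.com"}
# Hypothetical set of the organisation's own mail domains.
INTERNAL_DOMAINS = {"example.com"}


def normalise(name: str) -> str:
    """Collapse whitespace and case so 'Jane  DOE' matches 'jane doe'."""
    return " ".join(name.split()).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Return the lower-cased part after the last '@' (empty if none)."""
    return addr.lower().rpartition("@")[2]


def phishing_indicators(raw_message: str) -> list[str]:
    """Return a list of human-readable findings; empty means nothing suspicious."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_addr = from_addr.lower()
    from_domain = domain_of(from_addr)

    # 1. Display-name impersonation: a familiar name on an unfamiliar address.
    expected = KNOWN_CONTACTS.get(normalise(from_name))
    if expected and expected != from_addr:
        findings.append(f"display name '{from_name}' belongs to {expected}, not {from_addr}")

    # 2. Reply-To steering replies to a domain other than the sender's.
    reply_to = msg.get("Reply-To")
    if reply_to:
        rt_domain = domain_of(parseaddr(str(reply_to))[1])
        if rt_domain != from_domain:
            findings.append(f"Reply-To domain {rt_domain} differs from From domain {from_domain}")

    # 3. Lookalike sender domain: a small edit away from one of our own domains.
    if from_domain not in INTERNAL_DOMAINS:
        for internal in INTERNAL_DOMAINS:
            if 0 < levenshtein(from_domain, internal) <= 2:
                findings.append(f"sender domain {from_domain} resembles internal domain {internal}")

    return findings


# Constructed sample messages (not real traffic).
SPOOFED_MESSAGE = "\n".join([
    'From: "Jane Doe" <jane.doe@examp1e.com>',
    "Reply-To: <ceo.urgent@mail-example.net>",
    "To: cfo@example.com",
    "Subject: Quick favour before the board call",
    "",
    "Can you push the wire through this morning? I'm stuck in meetings.",
])

LEGITIMATE_MESSAGE = "\n".join([
    "From: Jane Doe <jane.doe@example.com>",
    "To: cfo@example.com",
    "Subject: Board pack",
    "",
    "Attached is the deck for Thursday.",
])

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, "->", phishing_indicators(raw) or "no indicators")
```

None of these checks proves an e-mail is malicious on its own, and none replaces SPF, DKIM and DMARC at the gateway; the point is that each of the tricks described above leaves a trace in the headers that can be surfaced to the recipient, which matters most for the senior staff the article identifies as the least likely to notice it themselves.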
So what can we do about this?
As users of the internet, we all have our part to play: updating passwords regularly, limiting what we share on social networking sites, not opening e-mails or attachments from people we don't know, and so on.
However, companies today increasingly have to accept that they are operating in a world of not if they will be targeted, but when. The sooner we recognise that and shift our mentality from assuming we are safe to assuming we will be compromised, the sooner we can put in place measures to deal with the inevitable when it happens, limit the risk and keep the business impact contained.
The truth is that where IT security is concerned there is no silver bullet, and as attackers become ever more cunning it is a major challenge for organisations to stay one step ahead. Increasingly it is how a company deals with an incident when it happens that really matters. Having sound plans in place to detect, contain and, where necessary, remediate quickly can mean the difference between a minor technology hiccup and a full system meltdown.
In the meantime, good luck with that meeting with your boss tomorrow, where you have to explain why he should not have switched off the firewall on his corporate laptop to visit a Russian file-sharing site!