“The real issue is still going to be people. You could get the best product in the world, someone in the company sticks a default, generic password on it—and anyone could still get in just like that.” —Tim Holman, Information Systems Security Association-UK President and CEO of 2-sec.
To most small and medium businesses and not-for-profit organisations, it seems obvious that investing thousands of dollars in front-facing systems is the best way to protect their business from cybercrime. The anecdotal evidence is starting to show that this is not the case.
The biggest danger to business cyber protection is the uneducated, unaware and innocent users who populate all of our businesses, and who do not understand how much danger they are in and how much havoc they can cause with just a simple mistake.
You have heard me talk about my friend, who, while crossing a car park in Las Vegas, picked up a USB device covered in Boeing insignias. Against all of my training and all of the awareness programs that she had done, she still plugged it into her computer—promptly infecting it with malware and rendering it useless. When she got back to Australia she also found that a large proportion of the money in one of her bank accounts had gone missing.
This was a well-educated and intelligent person, and one who understood the dangers of doing what she did, but she still did it. If that can happen to a person who understands the risks, what hope have we got in protecting those unaware and innocent users that we have on staff?
These are the people who will have a generic password for everything that they do. They will have a password that is easy to remember (like “password”), and even easier to break.
But they are not the only danger. People in the industry also do silly things. They forget to change default passwords on devices. They use pseudo-complicated passwords (hacker-speak) that are all part of the rainbow tables. A truly complicated password has letters, numbers, capitals and symbols with no pattern.
When any website requires users to log in, it stores the list of their passwords in “hashed,” or scrambled, form. A rainbow table is a long list of hashed passwords and the plain-text passwords they were generated from. This allows a hacker who has stolen a list of hashed passwords to “decode” many of them. Hackers have created a table that includes millions of combinations involving numbers, letters and symbols, and it is being updated all the time. The only way to be safe from a rainbow table attack is to have a password so complex that it isn’t on one of these lists.
Many users fail at this. In addition to that, they use the same pseudo-complicated password on all devices within the network. Once they are hacked, total control of the network is now in the bad guys’ hands.
Cybercrime protection is not a “set and forget” process. It is in fact an ongoing process of technology, management, adaptability and compliance. Each additional component tightens up the protection around the business and across the network, and helps to form a protective armour against most normal cybercrime attacks. But technology alone can’t guarantee this. The real solution lies in people—how they think, how much they know, and what they do.