Don’t Overlook Social and Physical Security
Have you heard this one? A major data leak occurred after an outside guy called a major cell phone manufacturer and talked his way into the organization. He didn’t just get a little bit of information either. He was actually treated like a known associate. Using these privileges, he acquired the source code for the latest device, along with the username and password of the security manager! This company literally handed over one of their most closely guarded trade secrets to a person they didn’t know. To add insult to injury, the guy did it just to see if he could!
Now what if I told you the incident I just described didn’t happen a couple months ago at Apple, Google, or Samsung, but at Motorola in 1992? The outside agent was Kevin Mitnick. He now owns the popular security training tool, KnowBe4. It’s funny how history tends to repeat itself one way or another. For example, we’re still seeing coverage on the recent leak of classified military secrets shared for Internet cred on a Discord server. Additionally, it seems like major companies have financial records of their customers stolen every month.
All of this points to an ever-increasing need for multiple layers of security as it pertains to information. In the age of Multi-Factor Authentication, TEMPEST rated server rooms, zero trust methodologies, and 10-15% of IT budgets spent on InfoSec, it’s hard to remember that the physical and social layers of protection are just as important, if not more.
In the story above, I described how Kevin Mitnick was able to steal some of the most sensitive information a company has, just because he made it seem like he was supposed to have it. In fact, nearly 98% of all attacks have a social engineering component according to Firewall Times. And although the recent leaks in the news weren’t exactly socially engineered, it was a matter of having the wrong personnel in a position with access. So, if a company with an IT budget of $3 million is spending roughly $300k (10-15%) on cybersecurity, how much of that is going into the physical or social side of awareness?
Many companies have access controls such as RFID scanners for building access, as well as job-based access limitations. For instance, a manufacturing floor associate won’t have access to the IT offices. For the most part, people know who works with them and where. Some things have changed, especially since the Pandemic, but faces are faces, and you tend to recognize the familiar. On the physical security side, I’d say most companies are doing pretty well. However, it’s difficult to catch all potential situations, and as a society, we tend to fall into bad habits. Like if I were to follow someone entering an office building and said “Whoa hey, hold that door please,” most people would do just that. People don’t want to be rude, and that’s a pretty big challenge. Building managers or HR departments could do a better job of training people to be strict when necessary to at least cover the “endpoint” of the office door.
The social side of things is also tricky, which is why many companies are moving to utilize training that makes their end-users aware of how social engineering works. Products like KnowBe4 (owned and operated by Kevin Mitnick) are increasingly used in the professional world. In my experience, security awareness and training products do a solid job of outlining potential scenarios. Regular training absolutely creates a more aware workplace. Volta partners with KnowBe4 to provide ongoing training modules to our own employees as well as our clients.
Admittedly, being protective of a building or implementing ongoing training can’t prevent someone on the inside from leaking information. No one could have predicted that the recent leaks on the Ukrainian war were to impress Internet friends. Along with physical security and social engineering training, a company should perform background checks, and reinforce a “if you see something, say something” policy. Adding these items to your IT security arsenal are just as important as your antivirus, firewalls, and transmission security components. Whether from outside or inside, prepare your company for any situation that may arise.
Discover the types of organizational control services Volta provides to develop policies and practices that ensure organizational standards compliance.