Balancing The Information Security Program
The ability to create, transmit, and store information far exceeds the ability to secure it. The continued assault on information assets is being perpetrated through sophisticated scams devised by organized crime, foreign government espionage groups, employees, contractors and others.
The largely accepted view and standard is that the protection of information assets is a technology function and hence in many organizations all “controls” are within the area of Information Technology.
While technology is an important aspect of any information security program strategy, it is at best only one of three legs of the footstool. Many information compromises start with threats that arise from weak procedures, and may include intentional or unintentional human acts.
Social engineering is the act of obtaining confidential information through the “art of deception”. Most people have heard of or experienced phishing attacks through email. The email entices the recipient to visit a website that downloads malicious software to the user’s PC, or tricks the individual into providing sensitive information such as login credentials to business or personal accounts.
Vishing attacks, which are social engineering exploits delivered by phone, are frequently launched against customer service departments, help desks, and other business functions within corporations. With caller identification easily spoofed to display the desired inbound number on the recipient’s phone, the attacker poses as someone they are not in an attempt to extract sensitive information. The attacker’s goal may be to gain access to the company’s infrastructure, bank accounts, or personal and private information, among a variety of other motives. It is hard to imagine how technology alone can prevent such attacks if the employee is unaware and untrained.
Organizations that fail to look at risk to their information assets from a global perspective by analyzing business processes, identifying potential exposures, and determining the necessary controls to protect their information assets run a high risk of repeat and long-term compromise by both insiders and external attackers.
A well-balanced plan integrates risk management principles and focuses on a blend of preventative, detective and response measures across people, process and technology. Establishing a plan starts with awareness at the business leadership level, analysis of the threats, and the development of robust, business-centric mitigation strategies. While not all compromises can be prevented, an organization that prepares will detect malicious activity sooner, limit exposure, protect its brand, and recover in a precise, preplanned manner.