A recent article on Business Insider highlighted the various security breaches that have been in the news over the last couple of years, and it was particularly interesting on two notes: 1) the number of household names that have had breaches, and 2) the number of breaches that appeared to be an external attack but which in reality were initiated from inside the organization. While most of the very large, high-publicity breaches were tied to an external “hack”, a large number of the total listed were actually due to internal breaches, accidental exposure, or lost media.
Steve Williams, Director with PhishLine, probably stated this risk most succinctly: “It’s important to quantify and qualify risk at the human layer in the same way that we approach risk assessment at the technology and process layers. In many organizations we see the security posture of systems and networks under constant scrutiny, but assessment of the people side of the risk equation remains inconsistent and infrequent.”
A good security policy combines appropriate internal fencing of network assets with attention to the “people” or “social” side of a customer’s assets. Education and ongoing testing are critical to the “social” side of security. What other steps are you taking in this area?