The recent Red October wave of concerted cyber assaults demonstrates that social engineering is by far the most potent tool in the hacker's arsenal.
As the Red October malware infected its victims via a targeted spear-phishing email and by employees downloading the customised Trojan dropper, the attackers managed to infiltrate organisations across the world.
As discovered by the Kaspersky researchers, the malicious code was delivered via email in the form of Microsoft Excel, Word or PDF documents. The attachments contained the exploit code for known security vulnerabilities in these applications. In addition to the Office files, the hackers also used Java exploitation, which maximised the impact of the assault.
In dealing with a potential sequel to Red October, business should adopt a more comprehensive approach. The fundamental change is recognising that our IT systems only make up ten per cent of data security - the first ninety per cent is our own behaviour and the physical security of our buildings.
IT security can't really deal with this kind of socially engineered danger. However, a planned, socially led, security programme can help combat the problems an attack could create. Educating staff members needn't be a complicated and costly affair.
The initial step should be an evaluation of current systems and processes, after which a plan of action for countering IT security risks could be produced. Penetration testing is one of the key ways in which a company can stay safe and protect their data.
Business owners should look for comprehensive penetration testing services that are fully integrated into ISO 27001 and ISO 9001 security and quality management systems. This provides an extra layer of confidence when it comes to the quality and confidentiality of the process.
Although penetration testing is the most common method of managing data security risks, it isn't the only way. Large businesses will often appoint a Chief Information Security Officer who will provide the knowledge and experience needed to manage the threat in an organised and effective manner.
The catch is that the typical price tag that comes with this kind of appointment is in excess of £120,000 per year. However, a more affordable Virtual CISO, or vCISO, programmes, managed by senior level people experienced in the CISO role, are also available.
If your organisation is large enough to require a security leadership role, but not quite ready to dedicate an internal resource to the task, these tailored CISO programmes can help achieve your objective by working as a member of your senior management team leading security programs and initiatives.
Fully managing the vulnerabilities such as egress controls around communication systems will significantly reduce exposure to cyber threats. However, keeping your data secure calls for more than IT, it requires individuals to reach a certain level of vigilance and act as key holders to the company assets and information.
Peter Bassill is managing director at Hedgehog Security