Cyber security is not only a tech problem
The news of security breaches is full of reports of hackers using their own radio setups to wreak havoc, such as the misdirection of yachts or the reprogramming of the firmware of an USB device to hide malicious code. News reports have a tendency to sound technical when trying to explain the root cause of an exploited vulnerability. Security is multidisciplinary, however, in the sense that effective security comes from understanding the vulnerabilities that may come either from the physical environment, the technology, or from the human element in the mix. Threats from the physical environment may include fires, natural disasters, theft of computing resources, or exposed cables. Technical threats are what this course considers in more detail, but it bears remembering that there is a strong human element in cyber security. The best security safeguards in the world count for very little in the following situations:
- An bank employee accidentally emails out a file of bank details to a wrong address.
- A corporate employee copies a set of sensitive documents to a memory stick which is then stolen.
- A company-supplied portable devices such as a phone, laptop, or tablet has sensitive data on it, and is stolen, or accidentally left behind in a public place by the employee to whom it is assigned. (It is surprisingly common for people to forget laptops on planes, in coffee houses, etc. Encrypting devices and enforcing a policy of hard-to-crack passwords goes a long way towards protecting against data theft in such circumstances, but strong passwords are hard for humans to remember.)
- Company staff use their private email addresses—which may or may not be protected—for corporate communication.
- Staff receive attachments that are dubious and open them, or visit a dangerous website and are the target of a drive-by download of a malicious piece of code.
- Staff discuss a work-related matter in social media, or publish a photo of the workplace, which then leaks to the wrong people due to improper privacy settings.
- ...all of the above by a very disgruntled employee doing it on purpose.
It is evident, from the list above, that human actions in the office are potential threats, but threats that can be mitigated by educating staff and providing knowledge about correct cyber security procedures. Care must be taken in communicating proper procedures as the audience is broad and may or may not be technically aware.
In short, cyber security is everyone's business. Designers and implementers build systems that have no holes (well, as few as possible), operations staff build and maintain secure networks, administrators keep systems properly updated and configured, users should prefer secure software, and executives should make early investments in security.
Remember to check your points from the ball on the bottom-right corner of the material!