Often it’s your own people who hold the key to your data security. In a recent BBC Radio Newcastle interview, Alan Greig, Managing Director of Net-Defence, gave some insights on how it’s not enough to simply rely on technical solutions to ensure real world security:
“When I tell people that I run a technical security company they invariably visualise me busying myself in some darkened dungeon surrounded by multiple computer screens; lights blinking and cooling fans whirring away as I hunch over my keyboard entering unintelligible code as I search for bad guys on the internet.
Nothing could be further from the truth. Our approach to data security goes well beyond what’s commonly known as ethical hacking.
Yes, our clients trust us to prevent their secret sauce from being stolen. Yes, we’re also here to protect their personal information. But we believe that the secret to doing so successfully is in focusing on the people element. That the risk to all that they hold precious lies not just in their technology, but in their people, processes and governance.
I believe strongly that it’s in taking this “real world” approach that the real threat to the security of most organisations can be exposed and, more importantly, that they can then take the necessary steps to protect what needs protecting.
This is best illustrated by the example of a legal firm that hired us [Net-Defence] to test their technical security. We started not with penetration testing their IT firewall, but by installing ourselves outside their offices, observing and assessing the comings and goings of their staff.
Early one morning we connected with a staff member as he entered the building. We struck up a conversation with him; chatted about football (always a great disarmer) as we stood in the lift; then watched him use his key fob to open their office doors and usher us in – and all this under the watchful eye of a security guard who assumed that, as we were chatting away, we must be known to the staff member.
Once in their offices, we selected a manager working away in her office and approached her with the (unusual, some might say…) proposition that we were new to the IT team and just wondering if there was anything she needed. Lo and behold, she’d been having trouble printing and, with the IT team not due to start till 9.00am, she would even make us a cup of coffee if we could take a look.
That’s how we ended up sitting at the unlocked computer of a senior member of this law firm’s management team, with unrestricted access to their (and their clients’) deepest secrets.
Now, we have an experienced team of experts who are skilled in this type of work so it’s not an approach I would advocate for anyone else to adopt, but it illustrates that, even with the tightest technical security, you’re still not safe. You need to instill in your people the realisation of the role that each and every one of them plays in your security. That it’s ok to challenge people if you don’t know them – whether that’s tailgating you through a security entrance or “fixing” your computer.”
It’s your people who are your best defence. Effective policy, education and testing of process are required for a robust blended security solution. It is also prudent to ensure that only credible consultants deliver governance advice and education. Many firms let sales team members deliver ‘training’, and this often actually increases risk, because security consultancy and governance are skilled disciplines.
Ask us about our testing and consultancy services here