I ran across two interesting articles today on a website called bankinfosecurity.com. One was an Interactive Timeline to Breaches at US Financial Institutions so far this year. When I came across this article I wondered how it compared to a similar timeline for 2009. The biggest breach in 2009 for a financial institution was the Heartland Payment breach in January of last year, where 130 million records were lost, while the biggest number of records lost so far this year is 1.2 million. If you take out the top two breaches, then it was interesting to see that January and February had about the same number of breaches, but it looks like in terms of number of records lost, 2010 wins.
This brings to mind a couple of questions. First, with security becoming more recognized, why are breaches happening at the same rate? This could be for multiple reasons, the first being that the hackers are getting more advanced. While I don't doubt this, I believe the answer is much simpler. If you talk to any security professional, they will say the biggest threat to any company is people, or Social Engineering. You can have the most advanced security controls in place, but if people write their password on sticky notes and put them on their desk or computer, then no security controls will ever help.
Now I am not saying people are the downfall of security and you should never trust your employees, but it is something that needs to be considered in any business. Businesses need to educate people on not only basic security practices but why these practices are important. Train people not only how to create a secure password but how to recognize someone trying to talk their way into a business. Social Engineering causes more problems for companies than someone hacking their way into a company's secure servers because it is easier. With just a phone call you can try to get someone to reset a password on an account and therefore give you access into a system. If you want to learn more about social engineering, Kevin Mitnick has a great book out called The Art of Deception: Controlling the Human Element of Security.
Now I am not the most experienced security person, so any thoughts or suggestions are appreciated. What do you guys think? If you are in the security field, how do you combat this problem, and if you aren't in security, how do you feel about being trained on basic security practices by your company at regular intervals? Do you think it helps? Why or why not?