When FICO hosted the Business Continuity Institute Forum covering the South and East of England at our London offices last month, you might have expected technology to top the agenda. But what dominated the discussion among more than 40 business continuity and cyber security experts was not malware but “humanware” — that is, people.
Social engineering remains one of the most effective ways to get past an organisation’s defences. Most delegates had to concede that their everyday business conventions probably led to inadvertent exposure.
Look how easy it is:
- A common email address structure (firstname.lastname@example.org) means a criminal only needs to know someone's name to address a convincing email to them.
- Outsourced IT support that routinely uses remote access services to fix staff IT problems means that staff are quite likely to let anyone claiming to be “IT personnel” access their systems.
- Visitor handling routines generally allow a well-presented and well-informed stranger to be issued an access badge for meetings or conferences in secure premises, even if they were not necessarily expected.
Awareness of social engineering and penetration exposure techniques is critical. If you know what the bad guys might try to do, then you have half a chance of spotting and avoiding it. Testing for susceptibility on a regular basis is also important. If authorised testers can find a way in, you can bet someone with mischievous or nefarious intent can do so too.
FICO’s own security team just ran an exercise where employees got an email with the subject line “Package Undeliverable.” The email included a link – but if you clicked on it, and many did, you were notified that you’d been duped!
At our meeting in July, we also heard from industry experts including Pete Wood (CEO of First Base Technologies) and his colleague Rob Shapland, who spoke on the need for cyber security defence, its best practices, and the areas of exposure they have seen through their own red team (penetration testing and social engineering) exercises. Dr Jan Collie of Discovery Forensics talked about how to preserve cyber evidence. Dulcie McLerie of Eskenzi PR covered how to handle media and publicity issues when faced with a cyber incident.
FICO is taking a much more active role in cybersecurity. We discussed our recent partnership with iboss, and the recent acquisition of QuadMetrics to develop an enterprise security score. Fair Isaac Advisors have been doing work with the award-winning and patented Abatis HDF, which in tests by Lockheed Martin proved "effective at stopping all attempts to write malware to the permanent storage of the device, regardless of system privilege."
FICO and its partners continue to raise the bar for cybersecurity technology. It’s up to every organisation to raise the bar with its weakest link — its own people.