The human firewall

During the last decade a lot of money has been spent trying to protect information systems. Firewalls, intrusion detection systems, two-factor authentication and other technical controls sometimes make good business sense when applied as part of a comprehensive security program. But what we’re not good at yet is the human firewall.

Scott Wright, an Ottawa-based security consultant and publisher of securityviews.com, explained,

“Despite having spent 12 years working with constantly improving security technologies, I’ve seen an increasing trend toward generally greater risk and losses to businesses and home computer users. All signs point to the human factors as being the weakest link. It doesn’t matter how well you make the valve in a rubber tire to keep the air in, if the rubber is not consistently good quality, it can be easily punctured. So, I felt that it was important to start working on this problem in an innovative way that had a chance of making a difference in effecting cultural change across an entire organization.”

In addition to speaking and writing on security awareness, Wright also conducted some interesting research:

“The Honey Stick Project was originally devised as a way to gather data about how well people handled a simulated risk scenario – that of an infected USB Flash Drive. Because these devices can contain targeted threats or viruses that can evade common anti-virus programs, people should not plug unidentified USB drives they find in public locations into their computers at work or at home. In fact, it’s a good idea to only use your own device, and not share it with other people, to reduce the risk of infection.

The devices contain simple and safe HTML files with no active programs. I rely on people simply double-clicking on a file when the device is plugged into their computer to load the file. As long as they are connected to the Internet, and the user hasn’t taken any precautions to prevent the browser from starting, an event is logged at my web server. After deploying 50 devices in places like Ottawa, Toronto, Tremblant and Las Vegas, over 60% of them have been used, which indicates that the finder didn’t do anything to prevent their computer from becoming infected. This tells me that at least 60% of the people who find these devices make poor risk decisions that could result in their home or office computer becoming infected with a virus or botnet.”
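The "used" figure above comes from the web server's own logs: each HTML file fetches a URL when opened, and the researcher counts which deployed devices ever phoned home. The script below is an added example of that measurement step, not code from the article or from the Honey Stick Project. It assumes a hypothetical beacon URL of the form `/beacon?id=<device id>`, a standard web-server access log, and a constructed list of deployed devices and drop locations; the log lines are constructed sample data. Repeated opens of the same device count once, and requests for ids that were never deployed are ignored rather than inflating the rate.

```python
"""Measure the 'used' rate of a simulated-USB-drop awareness study from
web server access logs. Added example, not the Honey Stick Project's code.
Assumes each HTML file on a dropped device requests /beacon?id=<device id>
(a hypothetical URL) when opened. All log lines and device ids below are
constructed sample data."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Common Log Format prefix: client, ident, user, [timestamp] "GET path HTTP/1.x" status
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<path>\S+) HTTP/1\.[01]" (?P<status>\d{3})'
)

# Constructed access-log excerpt: one device opened twice, one unknown id, one unrelated request.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2010:14:02:11 -0500] "GET /beacon?id=HS-001 HTTP/1.1" 200 43
203.0.113.5 - - [10/Mar/2010:14:02:12 -0500] "GET /favicon.ico HTTP/1.1" 404 0
198.51.100.7 - - [11/Mar/2010:09:17:40 -0500] "GET /beacon?id=HS-001 HTTP/1.1" 200 43
198.51.100.9 - - [12/Mar/2010:19:45:03 -0500] "GET /beacon?id=HS-002 HTTP/1.1" 200 43
192.0.2.33 - - [13/Mar/2010:08:00:00 -0500] "GET /beacon?id=HS-004 HTTP/1.1" 200 43
192.0.2.40 - - [13/Mar/2010:08:10:00 -0500] "GET /beacon?id=HS-999 HTTP/1.1" 200 43
"""

# Constructed deployment record: device id -> where it was dropped.
DEPLOYED = {
    "HS-001": "Ottawa",
    "HS-002": "Toronto",
    "HS-003": "Toronto",
    "HS-004": "Las Vegas",
    "HS-005": "Tremblant",
}


def parse_beacon_hits(log_text, deployed=DEPLOYED):
    """Return {device_id: timestamp of first successful beacon hit}.

    A device is counted once no matter how often its file is opened, and
    ids that were never deployed are dropped (scanners, a copied URL, or a
    typo would otherwise inflate the result)."""
    first_seen = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("status") != "200":
            continue
        url = urlparse(m.group("path"))
        if url.path != "/beacon":
            continue
        device = parse_qs(url.query).get("id", [None])[0]
        if device in deployed and device not in first_seen:
            first_seen[device] = m.group("ts")
    return first_seen


def usage_rate(hits, deployed=DEPLOYED):
    """Fraction of deployed devices that phoned home at least once."""
    return len(hits) / len(deployed)


def usage_by_location(hits, deployed=DEPLOYED):
    """{location: (devices used, devices deployed)} for per-site comparison."""
    totals = defaultdict(lambda: [0, 0])
    for device, location in deployed.items():
        totals[location][1] += 1
        if device in hits:
            totals[location][0] += 1
    return {location: tuple(counts) for location, counts in totals.items()}


if __name__ == "__main__":
    hits = parse_beacon_hits(SAMPLE_LOG)
    print(f"{len(hits)}/{len(DEPLOYED)} devices used ({usage_rate(hits):.0%})")
    for location, (used, total) in sorted(usage_by_location(hits).items()):
        print(f"  {location}: {used}/{total}")
```

On the constructed data, 3 of 5 deployed devices beacon back, a 60% usage rate, with the Toronto drop showing one device used out of two. Counting first contact per device rather than raw requests is the important design choice: the question being answered is how many finders plugged the device in, not how many times a page was loaded.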

Perhaps it’s time we put more emphasis on security awareness training?