Channel: Spear Phishing Training Solutions for Organizations | ThreatSim » Events

It Happened Again – A Big Data Breach That Could Have Been Prevented

It started because of spearphishing. When the Social Security numbers of close to 4 million South Carolina taxpayers were exposed — along with hacker-cherished credit card and bank account info — Governor Nikki Haley was quick to point to an outdated IRS security standard.

But here’s the sad truth. The state could have stood up the most impressive, seemingly impenetrable layers of security, and they would have been worthless, because someone essentially opened the door for the attackers. This overwhelming amount of sensitive data — 74.4 GB — was exfiltrated simply because an untrained employee fell prey to a deceptive email and clicked a duplicitous link.

This really was no triumph of evil technology; it was psychological hacking at its most insidiously effective — targeting the human, rather than the technical, links in the chain. And those links, we’re all quickly realizing, can be among your weakest. Once compromised, all that data was moved out using common exfiltration techniques.

A pity? Yes. Preventable? Absolutely.

There’s a strong sentiment among IT security experts that staff training is a waste of time. They throw massive resources into the preventative tech. Or, in a somewhat defeatist spirit, they wait until an attack is underway, and then dig into the emergency funds to repair the damage.

This reactive mentality is expensive both in terms of time and money. Imagine if South Carolina state employees had received a few hours’ training that helped them develop the common-sense reflex to simply mouse over a suspicious link and see if it passed their virtual “sniff test”. They would have spotted the tell-tale address construction that suggests the link is no good.

Click avoided. Email deleted. Data safe.
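The “mouse over the link” reflex described above can also be automated for mail that reaches the inbox. The script below is an added example, not ThreatSim’s code or anything from the South Carolina investigation: it pulls every anchor out of a constructed HTML email body and flags the address constructions a trained reader would notice, namely display text whose domain disagrees with the real destination, a bare IP address as the host, and a `user@host` prefix that hides the real host. The two-label “registrable domain” rule is a deliberate simplification (a real deployment would use a public-suffix list), and all sample links use documentation addresses.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one benign link and three links built the way deceptive
# e-mails build them (display text or host that does not match the destination).
SAMPLE_EMAIL_HTML = """
<p>Please review your account.</p>
<a href="https://www.example.com/help">www.example.com/help</a>
<a href="http://203.0.113.7/login">https://portal.example.com/login</a>
<a href="https://example.com.evil-host.test/secure">example.com</a>
<a href="https://secure-example.com@198.51.100.9/">Sign in</a>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Assumption: the last two labels approximate the registrable domain
    (a public-suffix list would be used in production)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def assess_link(href, text):
    """Return the reasons a link looks deceptive; an empty list means no flags."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.username is not None:
        # 'name@host' puts a plausible name before the real host
        reasons.append("credentials-in-url")
    if _IPV4.match(host):
        reasons.append("ip-literal-host")
    # If the visible text itself looks like an address, it must agree with
    # the real destination: this is what hovering over the link reveals.
    shown = text if "://" in text else "http://" + text
    shown_host = urlparse(shown).hostname or ""
    if "." in shown_host and registrable_domain(shown_host) != registrable_domain(host):
        reasons.append("display-host-mismatch")
    return reasons


def scan_email_html(html):
    """Return (href, text, reasons) for every anchor in an HTML mail body."""
    collector = _AnchorCollector()
    collector.feed(html)
    return [(href, text, assess_link(href, text)) for href, text in collector.links]


if __name__ == "__main__":
    for href, text, reasons in scan_email_html(SAMPLE_EMAIL_HTML):
        status = ", ".join(reasons) if reasons else "ok"
        print(f"{status:40} {text!r} -> {href}")
```

The first link passes because the text and the destination share a registrable domain; the remaining three each trip at least one check. A gateway can quarantine on any flag, or simply rewrite the visible text to show the real host, which is the same information a user gets from hovering.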

But instead of a relatively modest front-end investment in training, the state is going to dig deep to fix the damage. Mandiant, a renowned provider of data-breach response services, has scrambled a team and is hard at work on the fix. It’s a necessary step, but bringing in those heavy hitters can be pricier than hiring a top-tier law firm.

Consider the nightmare scenario of a company executive who gets caught in some kind of business crime. The legal blowback is a budget-draining headache. That’s why companies spend a lot of time up front screening their employees, why human resources implements business ethics training, etc. Because the best problems are the ones you never have to face.

The same goes for IT integrity. Why resign ourselves to the “inevitability” of security compromise? It’s said that the definition of insanity is doing the same thing over and over and expecting different results. How many major organizations — TJ Maxx, NASA, any number of health care systems — will make the headlines before the realization sinks in that there’s a better way?

We’re drawing a line in the sand. We know there’s a better way than “wait and see”. There are massive amounts of information that would be infinitely safer if the people who access it regularly just had a bit of extra spearphishing awareness training. We’re going to say that every time a big data breach makes the headlines.

We hope that doesn’t happen again anytime soon — but we don’t have our hopes up.
