Check Point Points To Social Engineering Blind Spot
IT needs to become more aware of the dangers posed by social engineering, warns Check Point’s Terry Greer-King
Continued from page 1
Security Training
So is it down to the lack of upfront security training for new staff, that we have a such a threat posed by social engineering?
“I am not certain it is about a lack of security briefing in the induction process,” said Greer-King. “I think security briefings are now part of the overall induction process, and I do think there is (usually) a bit of security thrown in there.”
“However I do have to wonder about how in-depth the security briefing actually is,” said Greer-King. “Does the organisation do this security briefing once and forget about it? Or do they do it annually? And is annually enough?”
“A good policy is to give staff a regular security questionnaire. They have to answer it correctly and in a timely manner, or they lose their access privileges,” he said.
Social Networking
Besides phishing emails, the Check Point survey also found that social networking websites are the second most common source of social engineering threats (39 percent), as they can expose personal and professional information, followed by insecure mobile devices (12 percent).
So what is the answer? Many organisations, for example, have opted to ban social networking at work altogether.
“Social networking has grown enormously over the past few years, and we are now increasingly accessing it from home or at work, using either a personal or work device,” said Greer-King.
“Some organisations are banning social networking sites outright, saying it is simply not secure so we will block it,” said Greer-King. “This security argument is essentially correct, but we are now increasingly using social networking to achieve business benefits, so we have to ask is it really practical nowadays to ban it?”
“For example, a lot of businesses access LinkedIn. They do this to see a profile of the person they are about to interview or speak with,” said Greer-King. “It is a very confused area, and it really depends on the organisation involved. The luddite approach can be totally about the security risk it poses, but these sites are often used by your organisation’s wealth creators, i.e. salesmen, marketing etc., so if you are stopping them being effective, banning social networking websites is not practical.”
Insecure Devices
Regarding insecure mobile devices, Greer-King explained that many people, including senior management, are asking the IT department if they can access their corporate email, or back-end systems, on their own personal devices such as an iPad 2.
Greer-King said that Check Point recognised this and eighteen months ago created Check Point Go (formerly Abra). This is essentially a virtual security environment on a USB stick. The stick carries the necessary security software; the user plugs it into their device and can then access the corporate network through the secure environment it creates, which includes its own firewall.
The company is about to add new features to this, but Greer-King was unable to provide any more detail about this ahead of the announcement.
Blended Security
So does Greer-King have any concluding advice for today’s hard pressed IT manager?
“First off it is good that we are now increasingly conscious of the people aspect, and the risks they pose,” said Greer-King. “Yes it is important to have the right security infrastructure in place, but nowadays we are increasingly talking about blended threat management.”
“We are now seeing much more requirement for blended security infrastructure,” said Greer-King. “Organisations are typically still tending to focus on reducing costs. In the past they tended to have 14 different security systems installed, but now they see a way to reduce costs by opting for a complete solution from one source.”
“The issue we are seeing is about the need for a coherent infrastructure protection solution,” concluded Greer-King. “Years ago it used to be about different silos of protection, but in the last three or four months it is really changing, and there is a huge upturn in organisations seeking a complete technological solution. Silos are not sacrosanct now. It is all about driving down costs, whilst still protecting against social engineering.”