“The cost of global cybercrimes now exceeds the revenue from the global drug trade,” said David Anderson of consulting firm CliftonLarsenAllen at the start of his presentation to RBMA members on information security at the RBMA Fall Educational Conference in Seattle. “Every second of the day, people are out there looking for the weak link. Sixty percent of the time,” he said, “they are getting in with the access of a legitimate user.” He stressed the importance that businesses and their vendors maintain protocols and conduct comprehensive user training to protect the integrity of their data because more often than not, the weakest link in the system is human.
Anderson’s job is to review the security of organizations’ information systems, and one of the ways he does that is by playing the role of a “white hat” hacker who deliberately tries to break into systems in order to test them. “Ninety percent of the time the weakest link in the system is a vendor system,” he said. “And the most successful intrusions were not considered highly difficult,” he added.
Commonly, when working with third-party systems, access may be set at higher levels than necessary and certain security features turned off to make things easier for the users. Unfortunately, this also makes it easier for hackers.
“Hackers want to abuse the systems in place,” he said. “They will go after the weak link in the system, whether that is you or a business partner.”
As more vendor systems become cloud-based, and there is more interoperability between systems, hackers are breaching one system to gain access to additional systems.
Combating this challenge cannot be done simply with more secure systems because of the human element in security. He discussed several examples of how systems are being breached every day. In an audio recording, Anderson impersonates a vendor and asks a user to manually download a system update. Without hesitation, the woman follows his instruction.
So regardless of the system’s security features, the human element must always be considered in information security. Anderson counsels that training is critical in maintaining data security, though not always easy. “In addition to training on protocols, it’s important to train all users to be aware and savvy,” he concluded.