How to Secure Data by Addressing the Human Element

[InfoSec News <alerts () infosecnews org>]

http://www.cio.com/article/713753/How_to_Secure_Data_by_Addressing_the_Human_Element?taxonomyId=3089

By Thor Olavsrud
CIO
August 15, 2012

Regardless of the security expertise and resources you apply to securing 
your assets, you are unlikely to achieve much unless you focus on the 
most vulnerable element of your organization: your employees.

"Computers have become much more secure over the past 15 years, but 
humans have not," says Lance Spitzner, training director for the 
Securing the Human program at SANS Institute, a cooperative research and 
education organization focused on security certification. "The human 
really has become the weakest link."


When It Comes to Security, Humans Are Low-Hanging Fruit

Because the technology itself is no longer necessarily the low-hanging 
fruit, malicious hackers are finding easier ways to penetrate 
organizations, like social engineering or preying upon employees with 
poor password discipline. Employees commonly simply don't know how to 
write strong passwords, how to comply with data protection policies or 
share data securely, Spitzner says.

"We define social engineering as understanding what makes a person 
think, tick, and react and then using those emotional responses to 
manipulate a person into taking an action that you want them to take," 
says Chris Hadnagy, a co-founder of security education organization 
Social-Engineer.org and operations manager at security training and 
tools firm Offensive Security. Hadnagy is also the author of the book, 
Social Engineering: The Art of Human Hacking.

[...]