A tale of IT security, human error, and how curiosity killed the proverbial cat

Have you noticed lately that almost every topic of conversation revolves around IT security, in one way or another? Sometimes it’s clandestine sleeper-agent stories that sound more like Mission Impossible movie plots; other times it’s the fear and uncertainty around backups and how they relate to major disasters—as if the Walking Dead were somehow a training video and not a TV show.

But all that aside, a far more poignant topic exists that many seem to miss—something less nefarious, yet still dangerous, to all organizations—and that is, end-point security. As news stations revel in the stories of Russian hackers, election interference, DDoS attacks, and more, the plain truth of the matter is that for the most part companies with good security infrastructure can avoid most incidents with little to no issue, due diligence being the key to avoidance.

But all the firewalls in the world won’t protect you from the people who come and go every single day from your office. To be fair, I’m not alluding to some sinister plot of rogue spies trying to infiltrate your business from the inside. It’s more just the issue of people, dumb luck, and human error, all of which can cause havoc for IT teams.

For instance, the other day I was reminded of a story I was once told by our friends at Trend Micro—a tale of cyber security that was so simple, yet so ingenious, anyone would have fallen for it. The story begins with a major financial institution—one that bragged that its security was so robust that no one could ever penetrate its system. But, as we all know, cockiness can sometimes come back and bite one in the ass.

So, to prove this financial institution wrong, a security expert was hired to try to find holes in its IT security, all the while being told that no one could ever penetrate its layers of protection. And, as the test went on, they weren’t wrong—getting in from the outside was particularly difficult. But this is where human error begins to play a role in this ingenious scheme.

The expert realized that the outside-in scenario wasn’t the weak point; the inside-out scenario was the weak link in the institution’s armor. To prove his point, he loaded some malicious code onto a USB key and simply placed it on a bench outside in the smoking area. Now, the game became one of waiting.

As the minutes went by, it took no longer than a half hour before someone found the USB key and let curiosity get the better of them. They walked into their office, inserted the USB key into their computer to see what was on the drive, and voilà—instant access to all internal files.

Now, luckily this wasn’t a real issue—it was one manufactured by a security consultant who was hired to prove vulnerability. But the lesson was crystal clear: human curiosity paired with human error can be devastating if not addressed.

The outcome was simple. The company immediately engaged a security partner with end-point security expertise, implemented an end-point security infrastructure, and educated its entire staff on the dangers of IT devices and the possible consequences.

So, with all the IT security horror stories out there, remember that it’s usually the simplest of things that result in the most devastating consequences. After all, it’s probably never going to be Anonymous who brings about an IT security emergency within your organization. Most likely, it’ll be an employee who plugged their MP3 player into their office desktop computer, accidentally introducing malware from a torrent where they got the latest Beyoncé album.