An article relating to this blog post on Finextra:
Eight million Brits share PIN numbers - survey
Over eight million Brits have handed over their Chip and PIN details to someone else in the last year, with a quarter of these falling victim to fraud, according to a survey for insurance firm LV=.
One of my favourite TV programmes is "The Real Hustle" where a team of ex-confidence tricksters show how easy it is to use social engineering to
gain access to other peoples' goods and money.
Of the three security areas that can be addressed, people, process and tools, people provide both the largest target and, due to reluctance to own up to being conned, the least likely to be discovered.
With the opening up of systems through b2c (business to consumer) and b2b (business to business), data is no longer isolated in a castle surrounded by a firewall "moat". Businesses need to understand not only the vulnerabilities of their own employees, to
risks such as fraud, boredom, pride and revenge, but also those of their customers - as illustrated by this article on PIN sharing. Their suppliers also hold an increasing amount of company information, whether product sales figures (how tempting to the competition)
or future strategy (ditto) through IT plans.
Mitigating the Risk
Whilst the risks will never completely disappear, there are some ways that the risk can be reduced:
- Clear policy - state what is expected in terms of security as a means of education and, should the worst happen, recompense
- Secure process - understand what processes are vulnerable and who is involved in them, that way risk mitigation can be prioritised and addressed
- Vetting - you would not let a known criminal into your home without watching them carefully, so why allow them to use your payment cards without watching what they do (attempting to stop them completely would be a waste of time, not to mention being unfair
to reformed criminals)
- Training - how many people know what they need to do, on a weekly basis, to keep their PC more secure?
- Tools - give them the right tools that do not impact their ability to do their jobs (otherwise they will simply work around them) but do make the organisation more secure