Fraud Training (Not Technology) is the Achilles Heel of Cyber Security
Ignoring fraud training as the foundation of your cyber security strategy is like counting on Google to educate your kids. Technology is a critical tool in the fight, but without well educated users, guided by knowledgeable teachers, the tools are a waste of your money.
Thanks to President Obama’s state-of-the-union plug for increased cyber security, the Chinese hacking of the New York Times and Wall Street Journal, and the hacking of prominent celebrities, America is waking up to the tangible value of virtual data. Awareness is definitely the first step, but it is only the tip of the privacy iceberg. Just as in the age before the internet, the only thing keeping employees from selling secrets or participating in fraudulent activity is the human controls that discourage the practice. But it’s all the more hair-raising to think of the amount of digital secrets an employee has access to at any given time. The new tale of a Reuters journalist gone cyber-rogue adds a chilling wrinkle to the perils of protecting the data that keeps corporate profits ticking.
Last Thursday, Matthew Keys, a Reuters social media editor, was indicted on charges of conspiracy, among others. Keys had previously worked for a TV station owned by the Tribune company, and according to the allegations, he leaked server login information of his former employer to a hacker group known as Anonymous. Apparently Keys began exploring Anonymous chatrooms as “just a reporter”, but eventually progressed to exposing sensitive passwords and promoting the idea of targeting the Tribune. Using this information, the hackers were able to enter Reuters’ otherwise secure systems and alter the existing text of a Los Angeles Times story from 2010, inserting out-of-place colloquialisms and hacker-speak. Now, Mr. Keys is looking at the potential of over a decade in prison and up to three-quarters of a million dollars in fines. So what does this have to do with fraud training? We’re getting there…
Here’s the rub: the illegal access all happened after Keys had been FIRED by Reuters. In other words, a former employee who was never very high on the corporate food chain in the first place and was actually fired (not laid off), retained access that, in the right hands, allowed criminals to change the course of the news. Although this particular case doesn’t appear to have involved any financial transactions, don’t think for a second that there aren’t buyers out there willing to pay good money for a chance to break into your supposed “stronghold.”
Cyber Security Is Less About Technology, More About Employee Fraud Training
No matter how tight your cyber security, the weakest link is always the human beings responsible for implementation. The lapse here wasn’t in the technology – Reuters used user-level logins and passwords to protect their network. The mistake here was the employee who failed to shut down Keys’ access the minute he was fired (or in the moments before), or the executive who failed to prepare for this common scenario. The lesson here is this: when employees leave your company under any terms, someone must be responsible and held accountable for disabling their computer access on every system and device. This is a basic principle of successful fraud training that makes all of your investments worthwhile.
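The accountability the paragraph above calls for is easiest to enforce when someone can check it mechanically. The script below is an added example, not code from the original post or from any of the organizations it names: it reconciles an HR roster against an inventory of accounts across several systems and flags two things that a manual offboarding process tends to miss, namely accounts of terminated people that are still enabled (ranked highest when the account was used after the termination date) and accounts that belong to nobody on the roster at all. The record layouts, the sample employees and the systems named are constructed for illustration; a real deployment would populate them from the HR feed and from each system’s user export.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional


# Constructed record layouts (assumed inputs, not any real system's export format).
@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    name: str
    status: str                      # "active" or "terminated"
    terminated_on: Optional[date]    # set only when status == "terminated"


@dataclass(frozen=True)
class Account:
    system: str                      # e.g. "cms", "vpn", "email"
    username: str
    employee_id: str                 # owner as recorded by the system
    enabled: bool
    last_login: Optional[datetime]


@dataclass(frozen=True)
class Finding:
    employee_id: str
    system: str
    username: str
    days_since_termination: int
    used_after_termination: bool     # strongest signal: someone logged in post-exit


def find_stale_access(hr: List[HrRecord], accounts: List[Account], as_of: date) -> List[Finding]:
    """Return enabled accounts that belong to terminated employees.

    Results are sorted so that accounts actually used after the termination
    date come first, then by how long the access has been left open.
    """
    terminated = {
        r.employee_id: r for r in hr
        if r.status == "terminated" and r.terminated_on is not None
    }
    findings = []
    for acct in accounts:
        rec = terminated.get(acct.employee_id)
        if rec is None or not acct.enabled:
            continue
        used_after = (acct.last_login is not None
                      and acct.last_login.date() > rec.terminated_on)
        findings.append(Finding(
            employee_id=acct.employee_id,
            system=acct.system,
            username=acct.username,
            days_since_termination=(as_of - rec.terminated_on).days,
            used_after_termination=used_after,
        ))
    return sorted(findings,
                  key=lambda f: (not f.used_after_termination, -f.days_since_termination))


def orphaned_accounts(hr: List[HrRecord], accounts: List[Account]) -> List[str]:
    """Return enabled accounts whose owner does not appear in HR at all."""
    known = {r.employee_id for r in hr}
    return sorted(f"{a.system}:{a.username}" for a in accounts
                  if a.enabled and a.employee_id not in known)


# Constructed sample data: one active employee, two terminated ones, and one
# account with no HR owner.
SAMPLE_AS_OF = date(2013, 3, 20)
SAMPLE_HR = [
    HrRecord("E100", "Alice Example", "active", None),
    HrRecord("E200", "Bob Example", "terminated", date(2013, 3, 1)),
    HrRecord("E300", "Carol Example", "terminated", date(2013, 2, 15)),
]
SAMPLE_ACCOUNTS = [
    Account("cms", "alice", "E100", True, datetime(2013, 3, 19, 9, 0)),
    Account("cms", "bob", "E200", True, datetime(2013, 3, 10, 23, 40)),   # used after exit
    Account("vpn", "bob", "E200", False, datetime(2013, 2, 27, 8, 5)),    # correctly disabled
    Account("email", "carol", "E300", True, datetime(2013, 2, 1, 10, 0)),  # open, unused
    Account("cms", "ghost", "E999", True, None),                           # no HR owner
]


if __name__ == "__main__":
    for f in find_stale_access(SAMPLE_HR, SAMPLE_ACCOUNTS, SAMPLE_AS_OF):
        flag = "USED AFTER TERMINATION" if f.used_after_termination else "open"
        print(f"{f.employee_id} {f.system}:{f.username} "
              f"{f.days_since_termination} days since termination ({flag})")
    for name in orphaned_accounts(SAMPLE_HR, SAMPLE_ACCOUNTS):
        print(f"orphaned account with no HR owner: {name}")
```

Running the reconciliation daily, and treating a non-empty result as an incident owned by a named person, turns “someone must be responsible” into a control that can be audited. The post-termination login flag matters most: an open account is a missed step, but an open account that has been used is evidence that the gap has already been exploited.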
A large-scale enterprise can institute all the security barriers it wants, but without trust, responsibility, and knowledge, the corporation is only as strong as its Achilles heel. How are you addressing this type of exposure?
John Sileo is CEO of The Sileo Group and a fraud training expert. His recent clients include the Department of Defense, Visa, and Homeland Security. See his recent media appearances on 60 Minutes, Anderson Cooper and Fox Business.