Read the book You CAN Stop Stupid - Ira Winkler - Page 30

Crime


Criminal acts are unfortunately a part of business operations that need to be accounted for. There are many types of crime that affect an organization. Some crimes are the theft of equipment. Others involve embezzlement of money. Still others include a robbery of an employee traveling for work or a robbery intended to steal company assets. Whatever the type of crime, it should be something to account for in your risk reduction programs.

Some users can be malicious and have clear intent to cause loss, while others are normal users who simply want to perform their ordinary functions. Regardless, both are frequently a conduit for crime. The studies cited in Chapter 1, “Failure: The Most Common Option,” indicate that in the majority of significant computer-related losses, users were the primary attack vector. This impacts the tactics you need to use to mitigate the threats.

From a more comprehensive perspective, crime affects a variety of operations. Disrupted supply chains, depending on their nature and scope, can cause operations to cease. Theft of funds can cripple an organization's cash flow, which can drive an organization into bankruptcy. Data theft involving intellectual property can put organizations out of business, particularly when it enables competitors to make the same products at significantly lower prices. Data theft involving personally identifiable information (PII) can result in significant fines and embarrassment for an organization.

In general, each of these crimes also falls into another category of UIL, such as physical loss, computer usage, or user error. What is specific to UIL in the criminal category is how you potentially stop the attack from reaching the user, and how you mitigate the loss that results once the crime has occurred.

For example, if you know criminals may attempt to steal equipment from traveling employees, you can perform awareness campaigns to ensure that users know how to best protect the equipment during travel. If you assume that at least one user will inevitably fail to protect the equipment, you know to encrypt devices and enable remote data deletion capabilities, also known as wiping. You may also provide the employee with travel equipment that stores only the data needed during the trip. Acknowledging that crime is a possibility allows you to prepare countermeasures that might not otherwise be considered.

All organizations have exposure to varying levels of criminal activity. If you consider how to mitigate UIL from any perspective, you can solve most of the problems, as users still have to initiate the loss. Then you can focus on addressing the finer points.

A couple of types of crime that warrant additional scrutiny are user malice, which is generally an internal attack, and social engineering, which is commonly an external attack. The following sections will examine these types of crime more closely.

