culture, and so on.
Crime
Criminal acts are unfortunately a part of business operations that need to be accounted for. There are many types of crime that affect an organization. Some crimes are the theft of equipment. Others involve embezzlement of money. Still others include a robbery of an employee traveling for work or a robbery intended to steal company assets. Whatever the type of crime, it should be something to account for in your risk reduction programs.
Some users can be malicious and have clear intent to cause loss, while others are normal users who simply want to perform their ordinary functions. Regardless, both are frequently a conduit for crime. The studies cited in Chapter 1, “Failure: The Most Common Option,” indicate that in the majority of significant computer-related losses, users were the primary attack vector. This impacts the tactics you need to use to mitigate the threats.
From a more comprehensive perspective, crime impacts a variety of operations. Disrupted supply chains, depending on their nature and scope, can cause operations to cease. Theft of funds can cripple an organization's cash flow, which can cause an organization to go bankrupt. Data theft involving intellectual property cause organizations to go out of business, particularly when it enables competitors to make the same products at significantly cheaper prices. Data theft involving personally identifiable information (PII) can cause significant fines and embarrassment for an organization.
In general, all of these crimes involve another category of UIL as well. It can be physical, computer usage, user error, and so on. UIL in the criminal category has specific consideration in how you potentially stop the attack from reaching the user and how to mitigate the loss resulting from the crime.
For example, if you know criminals may attempt to steal equipment from traveling employees, you can perform awareness campaigns to ensure that users know how to best protect the equipment during travel. If you assume that at least one user will inevitably fail to protect the equipment, you know to encrypt devices and enable remote data deletion capabilities, also known as wiping. You may also provide the employee with travel equipment that stores only the data needed during the trip. Acknowledging that crime is a possibility allows you to prepare countermeasures that might not otherwise be considered.
All organizations have exposure to varying levels of criminal activity. If you consider how to mitigate UIL from any perspective, you can solve most of the problems, as users still have to initiate the loss. Then you can focus on addressing the finer points.
A couple of types of crime that warrant additional scrutiny are user malice, which is generally an internal attack, and social engineering, which is commonly an external attack. The following sections will examine these types of crime more closely.
User Malice
Malice is the intent to cause loss to an organization. User malice can take many forms. Sometimes it simply involves theft for personal gain. This theft can be money, physical equipment, data, other valuables, and so on.
Other times people are motivated to cause loss out of revenge for a variety of perceived wrongs. Many organizations are notorious for poor working conditions or their general mistreatment of employees, and it is inevitable that some employees may act out. In these instances, the people might commit theft, destroy property or data, or sabotage the organization's processes or reputation to reduce sales, productivity, or efficiency.
According to Dr. Martha Stout in her book, The Sociopath Next Door (Harmony, 2006), sociopaths make up approximately 4 percent of the population. The FBI estimates that an additional 1 percent of the population will become psychopaths (see www.leb.fbi.gov/articles/featured-articles/psychopathy-an-important-forensic-concept-for-the-21st-century). Combined, this means that 5 percent of the population might do harm if given the opportunity. This can take the form of the previously discussed personal gain or revenge. However, some of these people sometimes just create damage for their personal entertainment.
Frequently, malicious users may work with outsiders. Malicious users can solicit the support from the outsiders to assist with their acts. Alternatively, they can facilitate the crimes of outsiders who approach them. There are a variety of reasons for both scenarios. Whatever the scenario, it is important that you acknowledge it as a possibility.
NOTE Not all user malice comes from greed or hostility. Some users are coerced or manipulated by outside parties. Others find themselves in a desperate financial situation and perform actions that they normally wouldn't. It is important to recognize that it isn't only disgruntled users who can become malicious users.
Malice has caused loss across every industry, so it is important to recognize that UIL may not always be the result of some type of unintentional action. There is frequently a focus on awareness to stop unintentional UIL, but any security or loss mitigation program that does not also consider and mitigate actions due to intentional UIL will fail. Even though an aware user might be one of your best defenses, an aware user can also be your worst enemy if their intent is to use their awareness against you.
Social Engineering
Social engineering is the broad category of attacks typically associated with the computer security field. However, social engineering can take a variety of forms and can be used to facilitate other crimes beyond just computer-based ones. Social engineering can be defined as manipulating an individual to take an action they would not normally take. In the computer field, it is essentially any nontechnical attack to gain access to a computer.
People perceive social engineering as tricking someone into providing them with information or access. In many common scenarios, that is an accurate working definition. This can be achieved through telephone calls, emails, in-person interactions, online chat systems, and so on.
Other forms of social engineering include people essentially sneaking into locations. Dumpster diving, where you literally go through the trash to find useful information, can be considered a form of social engineering. Some people don construction hard hats and reflective vests or utility worker uniforms and walk into a facility. Other people check doors and gates to see if they are locked. Still others try to follow people into facilities through tailgating.
While these tactics can be used to obtain computer access, clearly they can be used for a variety of other types of crimes. A company once tasked us to perform a social engineering simulation to see how outsiders can gain access to a building, because there had been a tragic workplace shooting, where a man had snuck into the building and shot his ex-wife. These things unfortunately can happen.
From a computer attack perspective, social engineering frequently takes the form of phishing, where someone sends a message attempting to get a user to download malware or to disclose login credentials or other useful information.
Sometimes criminals, frustrated with failing to technically hack an organization, will resort to pretext telephone calls attempting to get users to disclose usernames and passwords. Pretext phone calls are also used for a variety of other nefarious purposes to support crimes, such as trying to defraud people for money with fake Microsoft support, claiming the people owe taxes and immediate payment is required, and false claims of needing medical insurance information from the elderly.
Another form of social engineering involves criminals creating USB drives loaded with malware. They place the USB drives in the vicinity of the target and hope that someone from the targeted organization will plug one of them into a computer inside the company. Clearly, this
