At CDW, we focus on managing risk by protecting the confidentiality, availability and integrity of our information assets. We accomplish that with a three-pronged approach:
- People: Information Security is more than a department.
- Process: Our foundation is the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
- Technology: We have strong partnerships with best-of-breed vendors.
What is most important among those three points for protecting our data? People.
CDW, like many companies, makes a large technology investment to protect our network, systems, applications and data. What companies must remember when planning their cybersecurity efforts is: People are the weakest link and the easiest way for attackers to gain access.
So, how do the “bad guys” target people? Through social engineering, attempting to manipulate behavior to gather information, commit fraud or gain system access. The most common forms of social engineering are malicious phone calls and emails, practices commonly known as phishing.
Phishing masquerades as an email from a trustworthy entity and typically attempts to trick the recipient into clicking a link to a malicious website, opening a malicious attachment and/or providing sensitive information to the sender. It’s important to understand that there are various types of phishing attempts:
- Spear phishing targets a specific individual or organization.
- “Whaling” targets a “big fish” in an organization, such as a senior executive or another high-profile individual.
What’s the Risk?
Significant threats, massive data breaches and headline-making security incidents are more and more common. Even so, many people still ask, “Can anything bad really happen?” The answer is YES. Here are some examples:
- Fraud is wrongful or criminal deception intended to result in financial or personal gain. Social engineering attempts to commit fraud include an attacker sending communication disguised as a customer to commit order fraud, an attacker sending communication disguised as an executive to direct a specific action, or an attacker using a stolen credit card number.
- Malware is software that is intended to damage or disable individual computers or entire computer systems. It requires action from the user, such as clicking a link in an email or opening an attachment. Malicious actions that result from malware include stealing data from a computer, logging a user’s keystrokes to steal passwords or account information, or taking over a computer as part of a network of compromised machines that are controlled by a third party and used to launch attacks.
- Ransomware also requires user action and, when installed, encrypts certain file types or an entire hard drive. It displays a message that a ransom must be paid by a specific deadline or the user will remain locked out of their computer, perhaps forever. It can infect any attached file shares or mapped drives and can be spread through both malicious attachments and links.
This should clearly demonstrate that information security is not the job of one person or one department. It is the responsibility of every individual working in any organization.
While CDW employs numerous tools to protect its data and systems from these threats, an educated workforce that understands and acts on its responsibility is the most important component of how we keep information and resources secure.