Network Security - Critical Data Breaches: How it is done and why user training is the most powerful preventative action.
I often find people who work in the I.T. Industry saying that they are trying to make changes for security reasons, and they just cannot get approval from managers who do not want to put resources to something that is not currently an issue.
For those not directly responsible for the security of a network but rather responsible for the high level resource allocation and final decision making, hacking and network breaching is not sitting in front of a "matrix-like" screen and doing amazing things that barely anyone understands, hacking is 99% social engineering.
A quick example would be someone getting into your bank account. Imagine you are on the street and someone in a panic asks to use your phone as it is an emergency. You then provide your phone and they make a call but no one answers, so they return your phone and move on. What could have happened here is that the hacker has looked at your home screen and saw a "Blank" bank app, quickly sent themselves an email using your email app and they also made a missed call to one of their own cellphones. The hacker now knows which bank your accounts are likely with and your cell phone number and your e-mail address (most likely your online banking username).
They then phone you and the conversation goes like this "Hi, I am calling from "blank" bank about possible fraud and just wanted to confirm some security questions." They then start asking you the top 10-15 security questions set as defaults for almost all websites and secure services such as "what is your mother's maiden name" or "What is your pets name". While you are being asked these questions the hacker is likely on that banking website, using the "forgot your password" feature and they are having you provide the answers over the phone.
This is being done to business as well. Even more terrifying is that a recent ruling in a court case set a precedent for the company to suffer treble damages if the breach of data is caused by an employee willfully giving it out (whether or not they were tricked) as this is not a data breach and it is instead willful disclosure of confidential data. It is more important than ever to educate users around the methods used in the attacks and implement the necessary security protocols and procedures. Never forget that famous saying "No one can ever tell you how good their network security is, they will only ever be able to tell you how bad it was."