Reason #1: Because the human being is becoming the primary attack vector.
Over half of all data breaches involve some kind of failure in security awareness. That means human beings are often the weakest link; we have become the primary attack vector. The majority of these attacks involve spear phishing, namely, online fraud attempts directed at specific individuals or companies.
Social engineering is often the first step in an attacker's plan. You've heard the typical scenario. Somebody pretends to be someone you know, and then gets you to click on something that will deliver a damaging payload. Think about the critical steps along the Lockheed Martin Cyber Kill Chain: the attacker builds a portfolio of information on the target and exploits different vectors to gain access to sensitive and valuable assets. Attackers can gather loads of information from social networks and even sites like ancestry.com and alumni associations. The attacker might pose as a far-flung relative, a former classmate, or a colleague from the firm you worked at a decade ago before presenting the lure. And often enough, we click the link and are stung.
How do you nurture your inner security geek? Be wary of what can be gleaned from your publicly available information or through random contact with you. Take an extra moment to wonder why that person is approaching you now; ask yourself: does their story hold water? Be aware of social engineering, tighten up your defenses, and don't take the bait.
We often think of information security as the realm of highly technical geeks, incomprehensible and happy to remain so. But the truth is that each one of us, as we learn to navigate an increasingly digital, mobile and social info-scape, is getting in touch with our 'inner security geek.' Information security has broken out of the confines of the technically elite and is becoming part of everyone's job and day-to-day life. And that's a good thing.
In this slideshow, Yo Delmar, vice president of GRC, MetricStream, has identified five reasons why information security has become everyone's responsibility, not just the IT department's.