Organisation: Know thy employees to detect and mitigate security risks
Cyber-security threats are continuing to increase around the globe, including at small and large organisations in the United Kingdom, says Mat Ludlam.
Mat Ludlam, regional VP, EMEA, Courion Corporation
According to the UK Government Communications Headquarters, the scale and rate of cyber-attacks show little sign of slowing down. In a 2014 report, the Department for Business, Innovation and Skills (BIS) reported that 81 percent of large organisations had experienced some type of security breach.
Additionally, the survey (BIS 2014 Information Security Breaches Survey) reported these breaches cost each organisation, on average, between £600,000 and £1.5 million.
In sum, organisations need to employ a variety of strategies and tactics to protect their data, and ultimately their bottom lines, from common security attacks. One of the easiest and most overlooked steps in managing and controlling the “danger” within organisations concerns their own employees.
The reality is that employees don't need a criminal mindset to pose a real threat to the companies for which they work. In the world of cyber-attacks, apathy and ignorance are close cousins to the nefarious disgruntled former or current employee who has an axe to grind.
With this in mind, organisations need to be extremely cautious and meticulous about assigning user privileges. The general rule of thumb is access on an “as needed” basis, which in practice limits user privileges to the ones employees need to perform their jobs. Additional monitoring is necessary to oversee user activity, particularly as it relates to classified or personal information.
Another way to determine best practices around access privileges is gaining a better understanding of the various types of employees who “reside” in most organisations. As a security team, your focus is on role-based access, segregation of duties, and making sure the right people have the right access to the right things at the right time. But what about the employees within other functions who often fly under the radar? In many instances, these employees are the ones, sometimes unwittingly, exposing their organisations to uncommon risks.
Here is a look into those employees and how security teams can mitigate their risks.
Curiosity killed security
In today's high-tech, Bring Your Own Device workforce, most organisations have a group of employees who fall into the “contemporary creative” category. While curious about the latest technology, these employees often look for creative ways to problem-solve which, in many cases, can lead to taking shortcuts on security.
While these employees don't intentionally set out to open the doors to cyber-attacks, they open their organisations' networks to data breaches by bending the rules and using unapproved new technology.
The security team must set clear parameters and rules around what devices can and cannot be connected to the networks.
Disgruntled and dangerous
Businesses large and small need to be on the lookout for employees who are on the way out and have access to highly sensitive information. These employees often take proprietary information and hoard it before leaving their employers. Once they have this information, disgruntled employees can either turn it over to a competitor or simply release it to breach security protocol.
To mitigate the risks associated with this group, IT and security teams must have the right visibility into processes to see when employees are downloading critical information that is outside of their roles. Look for accounts with privileged access and closely monitor all activities.
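The kind of visibility the previous paragraph asks for can be approximated from ordinary access logs, provided the security team holds a map of which roles are entitled to which resource classes. The script below is an added example (not code from the article or from Courion): the role-to-resource map, the account directory and the log lines are all constructed here, and their field layout is an assumption. It reports downloads that fall outside the user's role, calls out privileged accounts separately, and flags accounts that do not appear in the directory at all.

```python
"""Flag downloads of resources that fall outside a user's role.

Added example (not from the article or Courion): the role-to-resource
map, the account list and the log lines are all constructed here.
"""
from collections import namedtuple

# Constructed: which resource classes each role is entitled to read.
ROLE_ENTITLEMENTS = {
    "finance": {"ledger", "payroll"},
    "engineering": {"source", "build-artifacts"},
    "hr": {"payroll", "personnel-files"},
    "intern-eng": {"source"},
}

# Constructed directory extract; "privileged" marks admin-capable accounts.
ACCOUNTS = {
    "alice": {"role": "finance", "privileged": False},
    "bob": {"role": "engineering", "privileged": True},
    "carol": {"role": "intern-eng", "privileged": False},
}

# Constructed log lines: timestamp user action resource-class object bytes
SAMPLE_LOG = """\
2014-09-01T08:02:11Z alice download ledger q3-accounts.xlsx 48211
2014-09-01T08:05:40Z bob download source repo.tar.gz 9120033
2014-09-01T08:07:02Z bob download personnel-files all-staff.csv 2201
2014-09-01T08:09:13Z carol download payroll payroll-sept.csv 15330
2014-09-01T08:10:55Z carol download source repo.tar.gz 9120033
2014-09-01T08:12:00Z mallory download ledger q3-accounts.xlsx 48211
"""

Finding = namedtuple("Finding", "user resource reason")


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, user, action, resource, obj, size = line.split()
    return {"ts": ts, "user": user, "action": action,
            "resource": resource, "object": obj, "size": int(size)}


def review_access(log_text, accounts=ACCOUNTS, entitlements=ROLE_ENTITLEMENTS):
    """Return findings for downloads not covered by the user's role.

    Unknown accounts and privileged accounts reading outside their role are
    labelled separately, since both deserve a closer look than a plain
    out-of-role read by an ordinary user.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["action"] != "download":
            continue
        acct = accounts.get(ev["user"])
        if acct is None:
            findings.append(Finding(ev["user"], ev["resource"], "unknown account"))
            continue
        allowed = entitlements.get(acct["role"], set())
        if ev["resource"] not in allowed:
            reason = "outside role"
            if acct["privileged"]:
                reason = "privileged account outside role"
            findings.append(Finding(ev["user"], ev["resource"], reason))
    return findings


if __name__ == "__main__":
    for f in review_access(SAMPLE_LOG):
        print(f"{f.user:8} {f.resource:16} {f.reason}")
```

Run against the constructed log, it reports bob (a privileged engineering account) reading personnel files, carol (an engineering intern) reading payroll, and an account, mallory, that the directory does not know. The point is that the entitlement map is the baseline; without one, "outside their roles" cannot be evaluated automatically.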
New kid on the network
Interns have an important role in the growth of many organisations and often provide long-lasting benefits to companies as permanent, full-time employees. Depending on the team and executive they support, interns may need to access certain applications and high-level information.
For interns, ignorance may truly be bliss. Without proper training, they will not understand the risks they pose to the system. Furthermore, because interns are temporary members of staff, IT teams may not register their departure and, as a result, may not take the proper steps to cut off their access.
Interns need the same level of training to reinforce the importance of being security-minded and knowing the risks they pose to the system. Security teams also need to keep track of internship end dates to ensure access is cut off in accordance with the work term.
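Tracking end dates only helps if someone compares them against what is still enabled in the directory. The audit below is an added example (not code from the article or from Courion): the HR roster and the directory extract are constructed, and the field names are assumptions. It lists temporary accounts that are still enabled after their end date (optionally allowing a grace period), notes whether such an account has been used since the end date, and separately lists placements ending soon so the owning team can confirm an extension or schedule removal.

```python
"""Audit for temporary accounts that outlive their work term.

Added example (not from the article or Courion): the HR roster and the
directory extract are constructed, and the field names are assumptions.
"""
from datetime import date, timedelta

# Constructed HR roster: who the intern is and when the placement ends.
HR_ROSTER = [
    {"user": "carol", "type": "intern", "end_date": date(2014, 8, 29)},
    {"user": "dave", "type": "intern", "end_date": date(2014, 9, 12)},
    {"user": "erin", "type": "intern", "end_date": date(2014, 8, 15)},
]

# Constructed directory extract: whether the account is still enabled
# and when it last authenticated (None if never).
DIRECTORY = {
    "carol": {"enabled": True, "last_login": date(2014, 9, 1)},
    "dave": {"enabled": True, "last_login": date(2014, 9, 1)},
    "erin": {"enabled": False, "last_login": date(2014, 8, 14)},
}


def audit_temporary_accounts(roster, directory, today, grace_days=0, warn_days=14):
    """Return (revoke, expiring).

    revoke:   enabled accounts whose end_date (plus grace period) has passed;
              each entry records whether the account was used after end_date.
    expiring: enabled accounts whose end_date is within warn_days, including
              those already past end_date but still inside the grace period.
    """
    revoke, expiring = [], []
    for person in roster:
        acct = directory.get(person["user"])
        # Already disabled or absent from the directory: nothing to revoke.
        if acct is None or not acct["enabled"]:
            continue
        cutoff = person["end_date"] + timedelta(days=grace_days)
        if today > cutoff:
            last = acct["last_login"]
            used_after_end = last is not None and last > person["end_date"]
            revoke.append(dict(person, last_login=last,
                               used_after_end=used_after_end))
        elif person["end_date"] - today <= timedelta(days=warn_days):
            expiring.append(person)
    return revoke, expiring


if __name__ == "__main__":
    revoke, expiring = audit_temporary_accounts(HR_ROSTER, DIRECTORY, date(2014, 9, 1))
    for r in revoke:
        flag = " (used after end date)" if r["used_after_end"] else ""
        print(f"REVOKE  {r['user']}: ended {r['end_date']}{flag}")
    for e in expiring:
        print(f"EXPIRES {e['user']}: ends {e['end_date']}")
```

On the constructed data, as of 1 September 2014, carol's placement ended on 29 August yet the account is still enabled and logged in on 1 September, so it is listed for revocation with the post-end-date use noted; dave's placement ends in eleven days and is listed as expiring; erin's account is already disabled and is skipped. Running this daily against the HR feed and directory export is the mechanical counterpart of "keeping track of internship end dates".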
An apathetic approach
Apathetic team members aren't necessarily criminally minded. They are, however, too lazy and unconcerned to learn important security policies or new systems to help keep themselves and their organisations safe.
By using easy passwords, not keeping them secure, and not changing them often enough, the apathetic employee makes it easier for the real bad guys to penetrate networks and access important data. Furthermore, apathetic approvers may grant access without asking questions.
Intensive training, including in the onboarding process, is one of the key components to safeguard your networks against this type of apathy. IT teams must educate these employees on all security protocols and make sure they understand the importance of building a security-minded culture. Ongoing processes, such as implementing automatic password updates, security updates and news, and regular mandatory training programmes, also help turn apathetic employees into educated ones – greatly minimising risks and building a more participatory workforce.
Contributed by Mat Ludlam, regional VP, EMEA, Courion Corporation