The huge sums of money, the dozens of experts, and the constant vigilance of IT teams over their institution's systems are paying off, at least in terms of the confidence of bank executives. A new report by Accenture indicates that 78 percent of them are “confident” in their organisation's overall cyber-security strategy. However, they are less confident in their employees' ability to maintain security: 52 percent “doubted” their organisation's ability to detect a breach through internal monitoring, while 48 percent said that the impact of an internal breach would be worse for them than that of an external breach.
And in fact, there is good reason for that concern: A recent study by Symantec and Ponemon indicates that no fewer than two-thirds of data breaches were caused by “human error,” and that each breach cost companies at least US$ 136 (£104). Breaches included “employee mishandling of confidential data, lack of system controls, responding to phishing emails and/or downloading rogue files, and violations of industry and government regulations,” among others. And the risk for banks is worse than for many other organisations. According to the report, costs for insider breaches in “heavily regulated” fields, including finance, were 70 percent higher than in most private companies.
Hence the need for a way to secure things not only against outside attacks, but against insider cyber foul-ups as well. When confronted with the issue, the natural response of many executives is to “lock down” the system. After all, it works for threats from the outside; enhanced and increased security should do the same for insider breaches, accidental or otherwise. But there's a flaw in that logic: while the point of cyber-security systems that prevent external attacks is to keep hackers out altogether, or at least to disable them if they do manage to break through, workers in an organisation need to be able to access systems – freely, in many cases – and any attempt to stem that access could lead to an unacceptable loss of productivity.
In fact, a recent study by Dell indicates exactly that: 91 percent of business users reported a negative impact on productivity from the limitations and friction caused by employer security measures. The frustration was similar for workers in the office and for those seeking to work remotely; 92 percent said they were negatively impacted by the limits of their organisation's remote-access policies. And 87 percent said they felt that security standards were a higher priority than employee convenience. On the other hand, tight security is popular in the IT department: 97 percent of security personnel see the benefits of security that takes into account the context of the access request (identity, geolocation, time of day, type of endpoint device, etc.).
Clearly there are good reasons for tough internal security; on the other hand, employers certainly don't want those measures to negatively impact their business. Is there a way to strike a balance – to ensure that security remains tight, but does not prevent employees from doing their jobs? Here are some ideas:
1) Policy clarity: An interesting statistic in the Dell study has over 60 percent of IT pros saying that the greatest barrier to delivering a context-aware security approach is a lack of “leadership awareness”. A lack of clear rules on how users may connect to the network, and on what they may do once connected, leads to frustration, fumbling, and wasted time. A good context-aware security system will require users to connect to a system using a specific protocol (such as a specific browser or app), from a specific location, during a specific period of time, and will allow those users a specific set of activities (file access, copy/write permissions, etc.). If everyone knows the rules, and IT ensures that everything is in place so that the rules work properly (making sure rights, accounts, etc. are up to date), things should flow a lot more smoothly.
2) Better supervision: When the rules are clear, employees can be expected to play by them – and instead of instituting security systems that limit access and hamper productivity, IT departments should be installing systems that better monitor compliance. Often, the security problems in an organisation can be traced to a single department – even a single individual – who has found a way to flout the rules in order to get their work done more quickly or easily. While such adroitness might be admirable in other contexts, internal security is no place for innovation.
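The two ideas above fit together naturally in code: the context-aware rules of point 1 can be written down as a policy that is evaluated on each access request, and the compliance monitoring of point 2 is then just that same policy run over the access log, with violations counted per user and per department so that the “single department or single individual” pattern stands out. The following is an added example (not code from the article, from BUFFERZONE, or from any product it mentions). The policy format, the `AccessRequest` fields, and the space-separated log format are assumptions made for this example, and the log lines are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AccessRequest:
    """One access attempt, described by the context a policy needs (hypothetical field set)."""
    user: str
    department: str
    client: str        # browser or app used to connect
    src_ip: str        # where the connection came from
    timestamp: datetime
    action: str        # e.g. read, write, copy
    resource: str


# Hypothetical context-aware policy: which client, from where, when, and what each department may do.
POLICY = {
    "allowed_clients": {"corp-browser", "finance-app"},
    "allowed_networks": [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")],
    "work_hours": (time(8, 0), time(18, 0)),
    "allowed_actions": {"finance": {"read", "write"}, "marketing": {"read"}},
}


def evaluate(request: AccessRequest, policy=POLICY) -> list:
    """Return the names of the policy dimensions the request violates (empty list means allowed)."""
    violations = []
    if request.client not in policy["allowed_clients"]:
        violations.append("client")
    addr = ip_address(request.src_ip)
    if not any(addr in net for net in policy["allowed_networks"]):
        violations.append("location")
    start, end = policy["work_hours"]
    if not (start <= request.timestamp.time() <= end):
        violations.append("time")
    if request.action not in policy["allowed_actions"].get(request.department, set()):
        violations.append("action")
    return violations


def parse_log_line(line: str) -> AccessRequest:
    """Parse the constructed log format: timestamp user department client ip action resource."""
    ts, user, dept, client, ip, action, resource = line.split()
    return AccessRequest(user, dept, client, ip, datetime.fromisoformat(ts), action, resource)


# Constructed sample access log (not real data). 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """
2023-05-02T09:15:00 alice finance finance-app 10.1.2.3 read /ledger/q1.xlsx
2023-05-02T09:20:00 bob marketing corp-browser 192.168.1.20 read /brand/logo.png
2023-05-02T22:40:00 bob marketing corp-browser 192.168.1.20 read /brand/plan.docx
2023-05-02T10:05:00 carol finance personal-sync 10.1.9.9 write /ledger/q1.xlsx
2023-05-02T10:30:00 carol finance finance-app 203.0.113.7 write /ledger/q1.xlsx
2023-05-02T11:00:00 bob marketing corp-browser 192.168.1.20 copy /ledger/q1.xlsx
2023-05-02T07:30:00 carol finance finance-app 10.1.9.9 read /ledger/q1.xlsx
""".strip().splitlines()


def audit(lines, policy=POLICY):
    """Run the policy over every log line; return findings plus per-user and per-department counts."""
    findings = []
    by_user, by_dept = Counter(), Counter()
    for line in lines:
        req = parse_log_line(line)
        violated = evaluate(req, policy)
        if violated:
            findings.append((req.user, req.resource, violated))
            by_user[req.user] += 1
            by_dept[req.department] += 1
    return findings, by_user, by_dept


if __name__ == "__main__":
    findings, by_user, by_dept = audit(SAMPLE_LOG)
    for user, resource, violated in findings:
        print(f"{user} -> {resource}: violates {', '.join(violated)}")
    print("most violations by user:", by_user.most_common(1))
    print("most violations by department:", by_dept.most_common(1))
```

Note that `evaluate` reports every violated dimension rather than stopping at the first, which is what makes the audit useful for the supervision step: a user who repeatedly trips the same rule (a personal sync client, an off-hours window) points at a workflow problem to fix with clearer rules, not just an access to block.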
3) Keep 'em separated: One way to ensure full security with almost zero impact on productivity is to keep users away from the trouble they can get into when they download files or follow links that cause security breaches. Network segregation – a new concept in security – is similar to sandboxing, but goes further: it does not just check files and connections for rogue activity, it executes the code in those files inside an isolated environment. If the file or connection does not behave the way it is supposed to – if it tries to execute code that it should not be executing – the system keeps that file or connection away from the rest of the network. The same system can also be used to prevent the use of files or other resources employees should not have access to, thwarting any unauthorised activity before anything gets damaged.
Although there is no such thing as a foolproof system, implementing ideas like these can go a long way to cutting down on internal security issues – and to extending and enhancing productivity in an organisation.
Contributed by Israel Levy, CEO, BUFFERZONE
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.