A new whitepaper from security company Forcepoint has raised the question: as more corporate data moves out of sight and into SaaS-style cloud services – which are increasingly used to drive business agility and reduce costs – how do security teams maintain visibility on where corporate information is being used?
Forcepoint's “The 2017 State of Cyber-Security” report says, “Without this insight, people-based vulnerabilities destabilise even the most secure networks and greatly reduce the efficacy of cyber-security investments.”
What Forcepoint means when it talks of “people-based vulnerabilities” is the risk of a sales person looking to take sales leads onto his next role, or a disgruntled system administrator who wants to delete operational information and disrupt a company's operations. Essentially, it's the risk of people taking data beyond the company ring-fence when it shouldn't be.
SC Media UK spoke with Richard Ford, chief scientist of Forcepoint, who explained what the company suggests as a logical next move to combat the issue.
Ford, a security veteran with over 25 years in the industry, said, “In order for security to become a business enabler, we need to universally agree that human behaviour is very difficult to change. Therefore, we should build products which centre around the human, rather than expecting the human to modify its behaviour so the security product works.”
Ford is referring to a phenomenon known as ‘shadow IT’, where employees typically look for ways to circumvent corporate IT rules because they feel a particular rule is stopping them from doing their job. Typically, someone might sign up for a Dropbox account to transfer sensitive company information, or use a proxy to access a banned website which they feel might have the information they need to do their job.
And the issue isn't expected to go away anytime soon. According to Gallup's State of the American Workplace survey, “The number of employees working remotely rose by four percentage points between 2012 and 2016, from 39 percent to 43 percent, and employees working remotely spent more time doing so.”
And while this is happening, we can most likely also expect a significant amount of cloud SaaS software to be used to attract, engage and retain employees who are looking to work remotely or on the move. If you're working remotely, you most likely won't be able to access the application which runs on the corporate network.
“Remote employees (those who work at least two days a week from home) report lowered stress levels, increased morale, better productivity and a greater sense of overall worth compared to in-office workers,” says the report. So HR departments are most likely going to carry on wanting to allow for employees to work remotely to “reduce employee turnover, decrease operating and real estate costs and leads to more highly-qualified potential hires”.
The report noted that a recent survey found “58 percent of human resource professionals cite flexibility as the most effective way to attract new talent”.
So how do we get around this? Ford told SC it is about “event-based risk”, and understanding the context of why things happen. So, if someone transfers a client list via WeTransfer, should they have done that? Ford argues that at the moment security products are great at the “what” rather than “why” it happened, meaning, lots of products can log, while few offer a reason why the event happened.
“A picture is more interesting than a hand-drawn sketch,” says Ford, who was essentially trying to explain that we need to train machines to spot intent, ie, is someone doing something malicious.
SC asked how Forcepoint intends to do that – that is, how can you train machines to learn a human's intent? Ford unfortunately did not give any concrete answer on how Forcepoint does this. Presumably he's trying to protect his own company's IP.
But overall, Ford concluded by saying that we shouldn't be collecting more information but rather better information, which helps security teams make more informed decisions.
And it would appear he's on the right track: according to the Institute for Critical Infrastructure Technology, in 2015, “only 17 percent of security professionals were aware of an insider threat on their network, even though enough anomalous activity suggested that insider threats occurred in 85 percent of organisations”.