Mav Turner explains how to protect your business from itself
Sometimes the greatest threat to a company is not malicious. In fact, a survey by SolarWinds found that over half (53%) of federal IT pros identified careless and untrained insiders as the greatest source of security threats. IBM’s Security Services 2014 Cyber Security Intelligence Index echoed this, revealing that over 95% of all incidents investigated recognized human error as a contributing factor.
In this context, ‘human error’ implies the worker doesn’t have bad intentions, and, in most cases, this is true. However, it also presents a challenge to IT departments to figure out how to safeguard against mistakes people make.
While top-of-the-line security systems can help prevent technical threats, businesses also need to protect the network from employees unwittingly putting it at risk. Employees who use the systems day in, day out need to better understand the dangers associated with everyday mistakes such as weak passwords, visiting unsafe websites, copying sensitive data to personal devices, and using insecure cloud storage services.
Without realising it, many end users pose a major threat to the security of an organization simply by falling for basic traps. Human error creates a plethora of opportunities for cybercrime such as phishing, watering hole attacks, and other social engineering tactics. These attacks don’t necessarily rely on technical vulnerabilities; they rely on commodity malware and on the psychology and behavior of everyday users who are lured into taking an action.
It seems simple, but the best way to mitigate the risk of human error is to make staff aware of the impact their actions can have and to put security at the heart of their responsibilities. For example, staff wouldn’t leave the office unlocked, yet they will happily access sensitive data over public WiFi without a second thought. Implementing technical controls to limit user permissions is necessary, but not fail-safe. The best way to protect your company and reduce risk is a combination of technical controls and employee education.
Teaching an Old Dog New Tricks
Employees are more likely to support policies and procedures once they fully understand the consequences and reasons behind them. The best way to implement this is through regular training. IT and HR departments need to work closely together on an ongoing basis to develop workshops to implement this human-centric approach to data security. Ensuring training is thorough but easy to understand is key to its success. Additional buy-in from senior management is also required to allow employees to take the time out of their days to attend such sessions.
It is not sufficient for employees to attend one-off inductions or orientations, because IT security is constantly evolving. It is far more valuable to run regular internal security workshops that help employees learn, in a relevant and engaging way, about security breaches, their potential impact on the business’s network and how they can prevent them.
During the workshops employees can examine high-profile security breaches, such as those at JP Morgan and Sony, which will drive home the importance of security awareness throughout the business. Educating employees in this way can even prompt them to take an interest in their own personal IT security. They must be taught that they are responsible and accountable for reducing human error.
What is taught in training sessions is fundamental, and consistency across the business is an essential component of network security. In a survey of IT pros commissioned by SolarWinds, a surprising 39% of organizations either do not have defined security best practices or, if they have them, do not regularly follow them. By implementing a consistent policy, and reviewing it regularly to ensure it still meets requirements, IT professionals can make sure all employees are on the same page. Ultimately this helps mitigate human error, because employees become more aware of the consequences of their actions.
Better the Devil you Know
Boosting monitoring capabilities, so that IT pros can see how colleagues are actually putting the network at risk, is another way to reduce human error within the business. An organization-wide network and security monitoring platform lets the IT department watch for signs of abnormal behavior, such as opening ports or downloading files from suspicious but credible-looking sites. This gives IT pros a clearer picture of how employees are really using applications and the network, so those employees can be educated about the specific risks they are unwittingly taking.
Monitoring can be paired with automated responses to minimize the risk of human error. For example, a number of email management platforms scan mail not only for viruses but for phishing and malware patterns, removing the triggers for social engineering attacks before they ever reach employees.
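To make the second point concrete, here is an added example of the kind of rule-based phishing check such a mail-filtering layer applies before a message reaches a user. It is not code from the article or from any SolarWinds product; it assumes a hypothetical organisation domain of example.com and runs over two constructed sample messages, one phishing lure and one legitimate internal mail. The rules are the classic social-engineering tells: a Reply-To that differs from From, a display name that name-drops the company domain from an outside address, look-alike domains (examp1e.com, example.com.attacker.net), link text that shows one host while the href points to another, and urgency language.

```python
"""Rule-based phishing indicator scan (added example, not the article's code)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"  # assumption: the company's own mail domain
URGENCY_PHRASES = ("urgent", "immediately", "account will be suspended",
                   "verify your account", "within 24 hours")
HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s"<>]+', re.I)
# Crude homoglyph folding used to spot look-alike domains such as examp1e.com.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "|": "l"})


def host_of(url_or_addr: str) -> str:
    """Lower-cased host of a URL, or the domain part of an email address."""
    if "://" in url_or_addr:
        return (urlparse(url_or_addr).hostname or "").lower()
    return url_or_addr.rsplit("@", 1)[-1].lower()


def looks_like(host: str, trusted: str) -> bool:
    """True when host imitates trusted but is neither trusted nor a subdomain of it.

    Heuristic: fold common digit/letter substitutions, then check either an exact
    match after folding (examp1e.com) or the trusted label embedded in a longer
    host (example.com.secure-login.net). Expect some false positives.
    """
    if host == trusted or host.endswith("." + trusted):
        return False
    folded = host.translate(HOMOGLYPHS).replace("rn", "m")
    bare_label = trusted.split(".")[0]
    return folded == trusted or bare_label in folded.replace("-", "")


def body_text(msg) -> str:
    """Concatenate the decoded text parts of a (possibly multipart) message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def indicators(raw_message: str) -> list:
    """Return the list of phishing indicators found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_host = host_of(addr)
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_addr and host_of(reply_addr) != from_host:
        findings.append("reply-to domain differs from sender domain")
    if ORG_DOMAIN in name.lower() and from_host != ORG_DOMAIN \
            and not from_host.endswith("." + ORG_DOMAIN):
        findings.append("display name claims the organisation domain")
    if looks_like(from_host, ORG_DOMAIN):
        findings.append("sender domain imitates " + ORG_DOMAIN)
    text = body_text(msg)
    for href, anchor in HREF_RE.findall(text):
        shown = URL_RE.findall(anchor)
        if shown and host_of(shown[0]) != host_of(href):
            findings.append("link text host differs from href host")
    for url in URL_RE.findall(text):
        if looks_like(host_of(url), ORG_DOMAIN):
            findings.append("link host imitates " + ORG_DOMAIN)
    lowered = (msg.get("Subject", "") + " " + text).lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return list(dict.fromkeys(findings))  # de-duplicate, keep order


def classify(raw_message: str, threshold: int = 2) -> str:
    """Automated response: quarantine once enough independent indicators fire."""
    return "quarantine" if len(indicators(raw_message)) >= threshold else "deliver"


# Constructed sample messages (not real mail).
PHISH = """\
From: "IT Helpdesk example.com" <helpdesk@examp1e.com>
Reply-To: recover@mail-secure-login.net
Subject: URGENT: verify your account within 24 hours
Content-Type: text/html; charset=utf-8

<p>Your account will be suspended. Click <a href="http://example.com.secure-login.net/verify">https://example.com/verify</a> immediately.</p>
"""

BENIGN = """\
From: Jane Doe <jane.doe@example.com>
Subject: Q3 planning notes
Content-Type: text/plain; charset=utf-8

Hi all, notes from today's planning meeting are at https://intranet.example.com/q3-notes
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("benign", BENIGN)):
        print(label, classify(sample), indicators(sample))
```

The point of the threshold is that no single rule is trusted on its own: a legitimate newsletter may well use a different Reply-To, and a real password-expiry notice will use urgency language, but a message that trips several independent rules at once is quarantined rather than left to the recipient's judgement.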
While it’s safe to say no individual is ever perfect, there are preventative steps that can be taken to reduce human error. Firstly, IT and HR need to work together to schedule regular education and training for employees, so they understand the main mistakes they are likely to make and how to avoid them. Secondly, IT pros need to put new and existing security tools to work to better protect the business. Together these approaches will help reduce human error as a contributing factor in security incidents.