Following a particularly bad year of security breaches it would be easy to assume organizations have learnt the error of their ways, and the fear of discovering the next security breach is now safely behind us. But not so.
Due to its nature, many IT and security professionals find discussing their internal security uncomfortable, especially when it comes to the behaviors of their own users. This makes it difficult to get a better understanding of the organization’s internal security strategies and make the necessary changes in order to prevent another ‘year of the breach’.
A recent IS Decisions’ report provides an insight into the views of security experts from a variety of industries on internal security, the findings of which make a particularly strong case for a ‘zero trust’ approach.
As the nature of the workforce goes mobile, there is a stronger need for employees to be able to access data quickly and on the go. Mobility of employees is proving to be a nightmare for IT departments, who need to ensure strong data security whilst also allowing their employees the flexibility they need with minimum frustration. The solution here is to give them no option but to work within restrictions, in a way that does not impact ease of use.
One IT manager respondent to the report backed this up: “Generally users don’t enjoy anything that takes time. Implement a solution that they don’t notice or that gives them no other choice but to obey procedures. The growth of technology has made managing security in an organization easier, with more user-friendly solutions that do not impact users.”
Remember, Users are Only Human
Although it’s important for organizations to take a strong stance against insider threats, a user is still only human, with the potential to make mistakes. The zero trust model, which promotes ‘never trust, always verify’ as its principle and recognizes the need to better manage access for all authenticated users may sound like a tough stance to take, but the research shows that IT managers are slowly coming round to the idea. Most respondents agreed that the employee is their greatest security threat.
However, John Giordiano, IT manager at The Scenic Route expanded on this to explain that his biggest concern is not only employees but also “contractors and clients leaking company data either knowingly or unknowingly”.
If an organization takes an appropriately strong stance against insider threats, and ensures all login rights are controlled and monitored according to the business requirements and role of the user, they can still allow their employees to work with flexibility as normal but with no more access than is necessary.
It’s All About Education
Adam Cotton, cybersecurity analyst at Criterion Systems, believes the greatest threat to any organization is “uninformed or untrained users.” He adds that, “Many compromises take advantage of users that don’t take proper precautions or that can be persuaded to give out information.”
An additional benefit of ‘zero trust’ is that, if you are actually enforcing restrictions, users are educated in how they should behave on the network. If a user is educated as to why their behavior is important with regards to security they will be better equipped to understand the need for restrictions, and as a result frustrations with certain limits will be eased. To put it simply: if you are conditioned to work within restrictions, and given understanding of why they exist, you are more likely to work the same way in future even if those restrictions are lifted.
So What Next?
As the human element will be an ever-present part of security policy, no one IT manager will ever be able to pinpoint with 100% conviction who has or has not shared passwords or committed a security breach. What’s more, the idea that the insider threat will continue to be a major security concern is prominent in our research.
Hinne Hettema, IT security team lead at the University of Auckland said: “[In the near future we will see] a non-existence of a boundary between the inside and outside of an organization…[it is vital] to therefore identify risky behavior from all employees and to be monitoring logon behaviour and access to various applications.”
Provided organizations concentrate on the issue of the ‘user error’ we still have hope that 2015 will not become known as ‘the year of the breach – part 2’.
About the Author
François Amigorena is founder and CEO of IS Decisions, a provider of infrastructure and security management software solutions for Microsoft Windows and Active Directory. Its customers, including the FBI, the United Nations and Barclays, rely on IS Decisions to prevent security breaches, ensure compliance with major regulations, such as SOX, FISMA and HIPAA, quickly respond to IT emergencies and gain time and cost-savings for IT.