Dyman & Associates Risk Management Projects: The Weakest Link in Security?
Hardly a day goes by without news of another data breach. It's safe to say that we live and work in risky times. But there's a growing recognition that cybercriminals aren't the only threat—or even the primary threat to an enterprise. "There's a far greater need to educate and train employees about security issues and put controls and monitoring in place to increase the odds of compliance," says John Hunt, a principal in information security at consulting firm PwC.
It's a task that's easier said than done, particularly in an era of BYOD, consumer technology and personal clouds. According to Jonathan Gossels, president and CEO of security firm SystemsExperts, it's critical to construct policies and security protections around two basic areas: malicious insiders and those who inadvertently breach security. "The best security program in the world can be undermined by ill-advised behavior," Gossels explains.
Construct effective policies. Surveys indicate that many workers are not adhering to existing policies. In some cases, they simply disregard them. "The thing that you have to keep in mind," notes Hunt, "is that policies must be clear, understandable and not interfere with the ability of people to get their work done." If an organization is struggling with non-compliance and shadow IT, then it may be time to reexamine policies, as well as the underlying systems and tools the enterprise has in place. "Many organizations have older policies that don't take into account today's tech tools, such as iPads and other portable devices," says Hunt. The policies should also extend to contract workers and freelancers, he notes.
Educate and train employees. One of the biggest problems, says Gossels, is weak passwords and workers sharing passwords. He recommends educating employees about the use of strong passwords. It's also essential to teach employees about increasingly sophisticated phishing techniques, and executives, including CEOs, make the same mistake of clicking bad links. "When you receive an e-mail from the Better Business Bureau or a fax that looks legitimate, it's very easy in the rush of the moment to click it," says Gossels. It's critical that employees learn to hover over links and check where they actually lead before clicking, since the visible text of a link and its real destination need not match. Some organizations also use simulated phishing and spear phishing attacks to identify careless workers. Finally, employees must understand the risks of using personal clouds, USB drives, and other media to share and store sensitive data.
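The "hover over the link" check can also be automated at the mail gateway or in a training tool: parse each anchor in an HTML message and flag those whose visible text looks like a URL for one host while the href points at a different host. The following is an added example, not code from the article or from either firm quoted in it; the sample message, the placeholder domains (the `example.net` / `example.com` hosts) and the helper names are constructed for illustration.

```python
"""Flag anchors whose displayed text advertises one host while the href
points somewhere else: the mismatch a user would only see by hovering.
Added example; the message below is constructed, not a real phishing mail."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body. The first link shows a bbb.org address but
# actually points at a placeholder host under example.net.
SAMPLE_HTML = """
<p>Your complaint has been filed. Review it here:</p>
<a href="http://bbb-complaints.example.net/login">https://www.bbb.org/complaint/12345</a>
<p>Or read our <a href="https://www.bbb.org/about">about page</a>.</p>
<p>Fax copy: <a href="https://efax.example.com/view?id=9">View fax</a></p>
"""

# Visible text that a reader would take for a web address: optional scheme,
# a dotted host with a TLD, optional path, no spaces.
URLISH = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible_text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_host(url):
    """Lower-cased hostname with a leading 'www.' dropped; '' if none."""
    if "://" not in url:
        url = "http://" + url          # let urlparse see a scheme
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def looks_like_url(text):
    return bool(URLISH.match(text.strip()))


def find_deceptive_links(html):
    """Return one finding per anchor whose shown host != actual href host."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        if not looks_like_url(text):
            continue                   # plain words like "about page" can't mislead about the host
        shown, actual = registrable_host(text), registrable_host(href)
        if shown != actual:
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


if __name__ == "__main__":
    for f in find_deceptive_links(SAMPLE_HTML):
        print(f"link shows {f['shown']} but goes to {f['actual']} ({f['href']})")
```

Only anchors whose text itself reads as an address are flagged; a link labelled "View fax" is not a host mismatch, which is exactly why such labels still need the human hover check and the simulated-phishing exercises the article describes.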
Develop controls that match policies. It's one thing to introduce a collection of security policies; it's another to build controls that effectively enforce them. According to Gossels, any time an organization introduces a policy, it should also consider how to build in technical controls, preferably automated ones. "The less you leave things to humans and chance, the better off you will be," he says. That means using mobile device management and media asset management tools, two-step verification, encryption, endpoint security, and other security measures. It also means looking for so-called low and slow attacks, which spread their activity out over time and frequently fly below the radar. But, more than anything else, it means mapping threats to policies and security systems—and ensuring that tools are in place to wipe lost or stolen smartphones and tablets when necessary. Hunt adds that it's crucial to consider, when adopting policies, how long it will take to build the matching controls. He often sees companies lagging by nine to 12 months—or more.
Monitor activity and access from all endpoints. There's a growing focus on monitoring the network and endpoints for unusual activity and odd behavior, Hunt explains. "If you detect activity that doesn't fit the norm of a person's role, then it's a good idea to take a closer look at the situation," he points out. In fact, even if an organization embeds role-based policies and controls in its IT systems—something that's generally viewed as a best practice—it's wise to monitor activity and look for anomalies. Networks and systems are particularly vulnerable during mergers and acquisitions and during transitions to different or new systems.
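The role-based monitoring Hunt describes comes down to a baseline and a comparison: record which resources, and at which hours, each role normally touches, then flag events in a later window that fall outside that baseline. Below is an added example of that logic run over constructed access-log lines; it is not code from the article or from PwC or SystemsExperts, and the log format (`timestamp user role resource`), the user names, roles and resource names are all assumptions made for the illustration.

```python
"""Role-baseline anomaly check over access events. An event is flagged when
the resource is one the user's role has not been seen touching, or when it
happens at an hour the role is not normally active. Added example; every
log line, user, role and resource name below is constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed training window, format "timestamp user role resource".
BASELINE_LOG = """\
2024-03-04T09:12:00 alice finance erp.invoices
2024-03-04T10:40:00 alice finance erp.payments
2024-03-05T14:03:00 bob finance erp.invoices
2024-03-05T16:20:00 bob finance erp.payments
2024-03-04T09:30:00 carol hr hris.employee_records
2024-03-05T11:15:00 carol hr hris.payroll
2024-03-05T12:00:00 dave hr hris.employee_records
"""

# Constructed window under review: one off-hours access and one cross-role
# access are buried among normal activity.
REVIEW_LOG = """\
2024-03-06T10:05:00 alice finance erp.invoices
2024-03-06T02:41:00 alice finance erp.payments
2024-03-06T11:30:00 bob finance hris.employee_records
2024-03-06T13:00:00 carol hr hris.payroll
"""


def parse(log):
    """Turn log text into (datetime, user, role, resource) tuples."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, role, resource = line.split()
        events.append((datetime.fromisoformat(ts), user, role, resource))
    return events


def build_baseline(events):
    """Per role: the set of resources seen and the set of hours-of-day seen."""
    resources = defaultdict(set)
    hours = defaultdict(set)
    for ts, _user, role, resource in events:
        resources[role].add(resource)
        hours[role].add(ts.hour)
    return resources, hours


def find_anomalies(baseline, events, hour_slack=1):
    """Return events that fall outside the role's resource or hour baseline.

    hour_slack widens the accepted window by N hours on either side of any
    hour the role was seen active; the check does not wrap around midnight,
    so a role first seen at 23:00 would not cover 00:00 with slack=1.
    """
    resources, hours = baseline
    findings = []
    for ts, user, role, resource in events:
        reasons = []
        if resource not in resources.get(role, set()):
            reasons.append("resource outside role baseline")
        seen_hours = hours.get(role, set())
        if seen_hours and not any(abs(ts.hour - h) <= hour_slack for h in seen_hours):
            reasons.append("hour outside role baseline")
        if reasons:
            findings.append({
                "time": ts.isoformat(), "user": user, "role": role,
                "resource": resource, "reasons": reasons,
            })
    return findings


def review(baseline_log=BASELINE_LOG, review_log=REVIEW_LOG):
    baseline = build_baseline(parse(baseline_log))
    return find_anomalies(baseline, parse(review_log))


if __name__ == "__main__":
    for f in review():
        print(f"{f['time']} {f['user']} ({f['role']}) -> {f['resource']}: {', '.join(f['reasons'])}")
```

A finding is a prompt to "take a closer look", not proof of wrongdoing; the baseline should be rebuilt when roles are reorganised, which is one reason mergers and system migrations are the periods when this kind of monitoring matters most and is hardest to tune.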