Though many in IT focus on external threats, I believe that the ‘enemy within’ may be just as damaging. Addressing the human element, both malicious and unintentional, may generate some of the greatest returns on security investment.
Counter to conventional wisdom, the majority of breaches are not due to malicious intent. According to Ponemon, 52% are in fact due to human error or process failure. And this is not going to go away anytime fast based on reports of too few trained in cybersecurity as well as the ever-present budget issues. In fact, as traditional attacks on networks and servers have decreased, those targeting users and their devices have increased per the 2016 Verizon Data Breach Investigations Report.
So, what are we seeing today? How can the CISO and his or her team close this gap?
On the user training front, there are two levels required. The company must drill all employees in the risks of phishing attacks, social media, malicious websites, and overall security hygiene. And I do mean drill, just like the military, which does this for a reason. It works. Re-allocate tasks, conduct unannounced tests, and maintain constant vigilance. Just don’t become complacent.
1. Prevent phishing attacks
As many as 85% of enterprises have been the subject of attack, 30% of phishing emails get opened. It only takes a single success to create a whole lot of havoc, and the average cost of attack is at least $1.6 million. Strong email filtering is the first line of defense, since by the time it gets to the distracted end-user, the battle may be lost. Here, user awareness and training from the likes of Phishme and others are key.
A smaller company may think it doesn’t have the budget for these types of tools, but the potential cost of an attack is much worse, and in fact they could be at greater risk due to closer ties between their CEO and employees. The request for employee W-2s or other closely held information would not seem out of line.
2. Understand the risks of social media.
The use of social media presents special problems, since it is not only the corporate account that must be secured, but employees more and more share their work experiences on their personal accounts. It is the corporate account that isn’t at risk here, since this is usually maintained by those with the proper background and skill set. However, if an employee is privy to confidential information, or is at a sufficient level in the organization to be of external influence, his or her social sites must be monitored by any one of a number of third-parties such as Zerofox.
Social risk may in fact tie to phishing, where the attacker researches the company via social media to build a dossier used to impersonate a CEO or other C-level executive. The more material on social media, the more convincing the attack. Glassdoor also presents risks since it is unmoderated and disgruntled former employees are more likely to post confidential information.
3. Minimize exposure to malicious websites.
Malicious websites also present a problem, since much of the interaction is hid from the user. When presented with a waterfall chart of what goes on behind the scenes of a typical webpage download, with upwards of 100 separate sites accessed, the average user is astounded. But the threat is real, with 46% of the top million websites exhibiting risky behavior according to a Menlo Security study. The first link on a site may be innocuous, but the second may do you in!
Since not many enterprises lockdown browsing CNN during lunch breaks, real protection loops back to user training, not clicking unknown sites (or any third-party sites at all while at work), and if in more critical lines of business, mandating the installation of ‘safe’ browsing add-ins and whitelists that cannot be deactivated by the user.
4. Practice overall security hygiene.
Overall security hygiene may be as simple of enforcing password discipline, and more. In the absence of controls, people are just plain sloppy. A recent Ixia security report identified root, admin,ubnt,support, and user as the top five passwords that hackers guess. They do this because all too many systems use these. But password discipline must take different forms.
Mark Ford, a cyber risk services leader from Delotte & Touche describes a case where a physician’s laptop containing Personal Healthcare Information, subject to HIPAA, was stolen from his house. The laptop was encrypted, but the password was written on a sticky note attached to the device. Here, it didn’t really matter the complexity of the password (and one must assume that it was in fact hard to remember, if written down).
Though not every company will have the resources for SOC2 or even to deploy two-factor authentication or single sign-on, they should begin to move in this direction. Part of it will of course depend on whether IT is core or ancillary to their business, but at the end of the day, if a customer’s credit card information, or worse, is compromised, an ounce of prevention goes a long way.
What additional risk do employees pose when responsible for the enterprise’s infrastructure, either on-premises or in the cloud? This is the second level of training, which must be structured and tested. If the enterprise, for example, subscribes to a SaaS CRM or cloud document service, they should have a procedure in place to determine the security posture of this offering, as well as how to integrate it with their business and provide any required audits.
Or, if deploying applications on Google Cloud Platform IaaS, they must fully understand the shared responsibility model and lock down their components. Formalized third-party training and any required certifications shouldn’t be an afterthought, and if the enterprise doesn’t have a CISO, a designated individual with the same level of experience and more importantly, authority, should be assigned.
Still, the enterprise may implement best practices, train and retrain its employees, and prepare for the worst, but a breach may occur. How does it protect its infrastructure if something falls through the cracks? Here is where automation comes into play, as a backstop to the human element.
Instead of snapshots, which lose accuracy with each minute, and are less effective for cloud deployments, virtualization, and now containers, the enterprise must continually verify its security posture against a known baseline. This is continuous security, reducing the threat of breaches and with this, overall fear and distraction. No matter that an employee may be sloppy with passwords, smartphone security, deleting old but confidential files, or the like, the system will ensure that the infrastructure is aligned with CIS, NIST, PCI, HIPAA, and other benchmarks.
There is no excuse why the enterprise should not be in continuous compliance with regards to the latest security and regulatory benchmarks, and with all the tools at IT’s disposal, the enterprise shouldn’t be subject to ‘friendly fire’ from the enemy within.