<div dir="ltr"><a href="http://www.scmagazineuk.com/organisation-know-thy-employees-to-detect-and-mitigate-security-risks/article/483350/">http://www.scmagazineuk.com/organisation-know-thy-employees-to-detect-and-mitigate-security-risks/article/483350/</a><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><br><p>According to the UK Government Communications Headquarters, the scale
and rate of cyber-attacks shows little sign of slowing down. In a 2014
report, the Department of Business Innovation and Skills (BIS) reported
81 percent of large organisations had experienced some type of security
breach. </p>
<p>Additionally, the survey (BIS 2014 Information Security Breaches
Survey) reported these breaches cost each organisation, on average,
between £600,000 and £1.5 million.</p>
<p>In sum, organisations need to employ a variety of strategies and
tactics to protect their data, and ultimately their bottom lines, from
common security attacks. One of the easiest and most overlooked steps in
managing and controlling the “danger” within organisations is to look at
the employees themselves.</p>
<p>The reality is that employees don't need a criminal mindset to pose a
real threat to the companies for which they work. In the world of
cyber-attacks, apathy and ignorance are close cousins to the nefarious
disgruntled former or current employee who has an axe to grind.</p>
<p>With this in mind, organisations need to be extremely cautious and
meticulous about assigning user privileges. The general rule of thumb is
access on an “as needed” basis, which in practice limits user privileges
to the ones employees need to perform their jobs. Additional monitoring
is necessary to oversee user activity, particularly as it relates to
classified or personal information.</p>
<p>Another way to determine best practices around access privileges is
to gain a better understanding of the various types of employees who
“reside” in most organisations. As a security team, your focus is on
role-based access, segregation of duties, and making sure the right
people have the right access to the right things at the right time. But
what about the employees within other functions who often fly under the
radar? In many instances, these employees are the ones, sometimes
unwittingly, exposing their organisations to uncommon risks.</p>
<p>Here is a look into those employees and how security teams can mitigate their risks. </p>
<p><b>Curiosity killed security </b></p>
<p>In today's high-tech, Bring Your Own Device workforce, most
organisations have a group of employees who fall into the “contemporary
creative” category. While curious about the latest technology, these
employees often look for creative ways to problem-solve, which in many
cases can lead to taking shortcuts on security.</p>
<p>While these employees don't intentionally set out to open the doors
to cyber-attacks, they open their organisations' networks to data
breaches by bending the rules and using unapproved new technology.</p>
<p>The security team must set clear parameters and rules around what devices can and cannot be connected to the networks. </p>
<p><b>Disgruntled and dangerous</b></p>
<p>Businesses large and small need to be on the lookout for employees
who are on their way out and have access to highly sensitive
information. These employees often take proprietary information and
hoard it before leaving their employers. Once they have this
information, disgruntled employees can either turn it over to a
competitor or simply release it in breach of security protocol.</p>
<p>To <a href="http://www.scmagazineuk.com/cyber-security-assurance-earns-c-grade-in-new-study/article/454557/">mitigate the risks</a>
associated with this group, IT and security teams must have the right
visibility into processes to see when employees are downloading critical
information that is outside of their roles. Look for accounts with
privileged access and closely monitor all activities.</p>
<p><b>New kid on the network</b></p>
<p>Interns have an important role in the growth of many organisations
and often provide long-lasting benefits to companies as permanent,
full-time employees. Depending on the team and executive they support,
interns may need to access certain applications and high-level
information.</p>
<p>For interns, ignorance may truly be bliss. Without proper training,
they will not understand the risks they pose to the system. Furthermore,
because interns are temporary members of staff, IT teams may not
register their departure and, to that end, may not take the proper steps
to cut off their access.</p>
<p>Interns need the same level of training to reinforce the importance
of being security-minded and knowing the risks they pose to the system.
Security teams also need to keep track of internship end dates to ensure
access is cut off in accordance with the work term.</p>
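<p>The two controls the article calls for in the last two sections, seeing when someone downloads sensitive data outside their role and making sure access is actually removed when a work term ends, both reduce to a periodic review of a directory extract against an audit log. The script below is an added example and is not from the article or from SC Magazine; the account list, role policy, the key=value download-audit log format and every name and path in it are constructed for illustration.</p>

```python
"""Two access-review checks (example code, not from the article):
1. accounts still enabled after their agreed end date (missed offboarding);
2. downloads of data a user's role is not cleared for, or by unknown accounts.
Every account, role, path and log line below is constructed for illustration."""
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Account:
    user: str
    role: str
    privileged: bool
    active: bool
    term_end: Optional[date]  # None for permanent staff


# Constructed directory extract: who is on the books and when their term ends.
ACCOUNTS = [
    Account("intern01", "marketing-intern", False, True, date(2015, 5, 29)),
    Account("intern02", "finance-intern", False, True, date(2015, 8, 28)),
    Account("jsmith", "finance-analyst", True, True, None),
    Account("rlee", "marketing", False, True, None),
    Account("contractor7", "contractor", True, False, date(2015, 1, 31)),
]

# Constructed policy: which data classifications each role may download.
ROLE_POLICY = {
    "marketing-intern": {"public"},
    "finance-intern": {"public", "internal"},
    "finance-analyst": {"public", "internal", "confidential"},
    "marketing": {"public", "internal"},
    "contractor": {"public"},
}

# Constructed audit lines in a hypothetical key=value download-audit format.
LOG_LINES = [
    "2015-06-02T09:12:44 user=intern01 action=download class=internal path=/marketing/plan.docx",
    "2015-06-02T09:40:10 user=jsmith action=download class=confidential path=/finance/q2.xlsx",
    "2015-06-02T10:05:31 user=rlee action=download class=confidential path=/finance/salaries.xlsx",
    "2015-06-02T10:07:02 user=rlee action=view class=confidential path=/finance/salaries.xlsx",
    "2015-06-02T11:15:00 user=ghost action=download class=internal path=/hr/handbook.pdf",
]

# Date the review is run on (constructed, matches the log above).
REVIEW_DATE = date(2015, 6, 2)

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"class=(?P<cls>\S+) path=(?P<path>\S+)$"
)


def find_expired_accounts(accounts, today):
    """Accounts still enabled after their term end: offboarding that was missed."""
    return sorted(a.user for a in accounts
                  if a.active and a.term_end is not None and a.term_end < today)


def find_out_of_role_downloads(log_lines, accounts, policy):
    """Downloads of data the user's role is not cleared for, or by unknown users.
    Returns (user, path, reason) tuples in log order."""
    by_user = {a.user: a for a in accounts}
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["action"] != "download":
            continue  # skip malformed lines and non-download events
        acct = by_user.get(m["user"])
        if acct is None:
            findings.append((m["user"], m["path"], "unknown account"))
        elif m["cls"] not in policy.get(acct.role, set()):
            findings.append((m["user"], m["path"],
                             f"{m['cls']} outside role {acct.role}"))
    return findings


if __name__ == "__main__":
    print("active past term end:", find_expired_accounts(ACCOUNTS, REVIEW_DATE))
    for finding in find_out_of_role_downloads(LOG_LINES, ACCOUNTS, ROLE_POLICY):
        print("out-of-role download:", finding)
```

<p>Run on the constructed data it reports intern01 as still active after the 29 May end date, and three downloads for follow-up: an intern pulling internal material, a marketing user pulling a confidential finance file, and a download by an account the directory does not know. A view event is deliberately ignored so the check stays focused on the exfiltration-shaped action the article describes; a real deployment would feed it from the directory and file-server audit log rather than inline lists.</p>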
<p><b>An apathetic approach</b></p>
<p>Apathetic team members aren't necessarily criminally minded. They
are, however, too lazy and unconcerned to learn important security
policies or new systems to help keep themselves and their organisations
safe.</p>
<p>By using easy passwords, not keeping them secure, and not changing
them often enough, the apathetic employee makes it easier for the real
bad guys to penetrate networks and access important data. Furthermore,
apathetic approvers may grant access without asking questions.</p>
<p>Intensive training, including in the onboarding process, is one of
the key components to safeguard your networks against this type of
apathy. IT teams must educate these employees on all security protocols
and make sure they understand the importance of a security-minded
culture. Ongoing processes, such as implementing automatic password
updates, security updates and news, and regular mandatory training
programmes, also help turn apathetic employees into educated ones,
greatly minimising risks and building a more participatory workforce.</p><br></div></div></div></div></div></div></div></div></div>
</div>