[BreachExchange] Organisation: Know thy employees to detect and mitigate security risks

Inga Goddijn inga at riskbasedsecurity.com
Wed Apr 6 16:38:15 EDT 2016


http://www.scmagazineuk.com/organisation-know-thy-employees-to-detect-and-mitigate-security-risks/article/483350/

According to the UK Government Communications Headquarters, the scale and
rate of cyber-attacks show little sign of slowing down. In a 2014 report,
the Department of Business Innovation and Skills (BIS) reported 81 percent
of large organisations had experienced some type of security breach.

Additionally, the survey (BIS 2014 Information Security Breaches Survey)
reported these breaches cost each organisation, on average, between
£600,000 and £1.5 million.

In sum, organisations need to employ a variety of strategies and tactics to
protect their data and ultimately their bottom lines from common security
attacks. One of the easiest and most overlooked steps in managing and
controlling the “danger” within organisations is employees.

The reality is that employees don't need a criminal mindset to pose a real
threat to the companies for which they work. In the world of cyber-attacks,
apathy and ignorance are close cousins to the nefarious disgruntled former
or current employee who has an axe to grind.

With this in mind, organisations need to be extremely cautious and
meticulous about assigning user privileges. The general rule of thumb is
access on an “as needed” basis, which in practice limits user privileges to
the ones employees need to perform their jobs. Additional monitoring is
necessary to oversee user activity, particularly as it relates to
classified or personal information.

Another way to determine best practices around access privileges is gaining
a better understanding of the various types of employees who “reside” in
most organisations. As a security team, your focus is on role-based
access, segregation of duties, and making sure the right people have the
right access to the right things at the right time. But what about the
employees within other functions who often fly under the radar? In many
instances, these employees are the ones, sometimes unwittingly, exposing
their organisations to uncommon risks.

Here is a look into those employees and how security teams can mitigate
their risks.

*Curiosity killed security*

In today's high-tech, Bring Your Own Device workforce, most organisations
have a group of employees who fall into the “contemporary creative”
category. While curious about the latest technology, these employees often
look for creative ways to problem solve which, in many cases, can lead to
taking shortcuts on security.

While these employees don't intentionally set out to open the doors to
cyber-attacks, they open their organisations' networks to data breaches by
bending the rules and using unapproved new technology.

The security team must set clear parameters and rules around what devices
can and cannot be connected to the networks.

*Disgruntled and dangerous*

Businesses large and small need to be on the lookout for employees with
access to highly sensitive information who are on the way out. These
employees often take proprietary information and hoard it before leaving
their employers. Once they have this information, disgruntled employees can
either turn it over to a competitor or simply release it to breach security
protocol.

To mitigate the risks associated with this group (see
<http://www.scmagazineuk.com/cyber-security-assurance-earns-c-grade-in-new-study/article/454557/>),
IT and security teams must have the right
visibility into processes to see when employees are downloading critical
information that is outside of their roles. Look for accounts with
privileged access and closely monitor all activities.

*New kid on the network*

Interns have an important role in the growth of many organisations and
often provide long lasting benefits to companies as permanent, full-time
employees. Depending on the team and executive they support, interns may
need to access certain applications and high-level information.

For interns, ignorance may truly be bliss. Without proper training, they
will not understand the risks they pose to the system. Furthermore, because
interns are temporary members of staff, IT teams may not recognise their
departure and, to that end, may not take the proper steps to cut off their
access.

Interns need the same level of training to enforce the importance of being
security-minded and knowing the risks they pose to the system. Security
teams also need to keep track of internship end dates to ensure access is
cut off in accordance with the work term.

*An apathetic approach*

Apathetic team members aren't necessarily criminally minded. They are,
however, too lazy and unconcerned to learn important security policies or
new systems to help keep themselves and their organisations safe.

By using easy passwords, not keeping them secure, and not changing them
often enough, the apathetic employee makes it easier for the real bad guys
to penetrate networks and access important data. Furthermore, apathetic
approvers may grant access without asking questions.

Intensive training, including in the onboarding process, is one of the key
components to safeguard your networks against this type of apathy. IT teams
must educate these employees on all security protocols and make sure they
understand the importance of being a security-minded culture. Ongoing
processes, such as implementing automatic password updates, security
updates and news, and regular mandatory training programmes, also help turn
apathetic employees into educated ones – greatly minimising risks and
building a more participatory workforce.
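Two of the mitigations above are left as management advice: keep track of end dates so that intern and leaver access is actually cut off, and watch for people downloading material outside their role, or far more than usual, while they are on their way out. Both reduce to a reconciliation job over data most organisations already hold. The script below is an added example written for this post, not code from the article or from SC Magazine. The HR roster, directory export, access log, role-to-resource mapping, 30-day notice window and 10x spike factor are all constructed assumptions; a real deployment would read these from the HR system, the directory and a file-server or DLP log.

```python
"""Added example (not from the article): cross-check an HR roster, a directory export
and a file-access log for stale leaver/intern accounts, out-of-role downloads, and
download spikes by people inside their notice period. All inputs are constructed."""
import csv
import io
import statistics
from collections import defaultdict
from datetime import date, timedelta

# Constructed HR roster; a blank end_date means permanent staff.
ROSTER_CSV = """user,role,end_date
alice,finance,
bob,engineering,2016-04-30
carol,intern-marketing,2016-03-31
erin,sales,
"""
# Constructed directory export; "frank" has an account but no HR record at all.
ACCOUNTS_CSV = """user,enabled
alice,true
bob,true
carol,true
erin,true
frank,true
"""
# Constructed file-access log: date user resource bytes_downloaded
ACCESS_LOG = """2016-04-05 alice finance/q1-ledger.xlsx 204800
2016-04-05 bob engineering/src-tarball.tgz 52428800
2016-04-05 bob finance/customer-list.csv 1048576
2016-04-06 bob engineering/design-docs.zip 734003200
2016-04-05 carol marketing/brand-guide.pdf 3145728
2016-04-05 erin sales/pipeline.xlsx 512000
2016-04-06 erin sales/pipeline.xlsx 512000
"""
# Assumed mapping: the resource prefixes each role legitimately needs ("as needed" access).
ROLE_RESOURCES = {"finance": ("finance/",), "engineering": ("engineering/",),
                  "intern-marketing": ("marketing/",), "sales": ("sales/",)}
NOTICE_WINDOW = timedelta(days=30)  # this close to an end date counts as "on the way out"
SPIKE_FACTOR = 10                   # a day this many times the user's median volume is a spike


def load_roster(text):
    roster = {}
    for row in csv.DictReader(io.StringIO(text)):
        end = date.fromisoformat(row["end_date"]) if row["end_date"] else None
        roster[row["user"]] = {"role": row["role"], "end_date": end}
    return roster


def load_accounts(text):
    return {r["user"]: {"enabled": r["enabled"] == "true"} for r in csv.DictReader(io.StringIO(text))}


def parse_log(text):
    events = []
    for line in filter(str.strip, text.splitlines()):
        day, user, resource, size = line.split()
        events.append((date.fromisoformat(day), user, resource, int(size)))
    return events


def account_findings(roster, accounts, today):
    """Enabled accounts that should not be: past their end date, or with no HR record."""
    findings = []
    for user, acct in sorted(accounts.items()):
        if not acct["enabled"]:
            continue
        rec = roster.get(user)
        if rec is None:
            findings.append((user, "enabled but not on HR roster"))
        elif rec["end_date"] and rec["end_date"] < today:
            findings.append((user, f"enabled after end date {rec['end_date']}"))
    return findings


def out_of_role_downloads(roster, events):
    """Downloads of resources the user's role does not cover (unknown role: everything flagged)."""
    return [(day, user, resource) for day, user, resource, _ in events
            if not resource.startswith(ROLE_RESOURCES.get(roster.get(user, {}).get("role"), ()))]


def leaver_volume_spikes(roster, events, today):
    """Days on which a user inside the notice window moved far more data than usual.
    Baseline is the median of that user's *other* days (leave-one-out), so one big day
    stands out even with little history; a user seen on only one day has no baseline."""
    daily = defaultdict(lambda: defaultdict(int))
    for day, user, _, size in events:
        daily[user][day] += size
    spikes = []
    for user, per_day in daily.items():
        rec = roster.get(user)
        leaving = rec and rec["end_date"] and today <= rec["end_date"] <= today + NOTICE_WINDOW
        if not leaving or len(per_day) < 2:
            continue
        for day, total in sorted(per_day.items()):
            baseline = statistics.median(v for d, v in per_day.items() if d != day)
            if total > SPIKE_FACTOR * baseline:
                spikes.append((day, user, total, baseline))
    return spikes


def run(today="2016-04-06"):
    today = date.fromisoformat(today)
    roster, accounts, events = load_roster(ROSTER_CSV), load_accounts(ACCOUNTS_CSV), parse_log(ACCESS_LOG)
    return {"accounts": account_findings(roster, accounts, today),
            "out_of_role": out_of_role_downloads(roster, events),
            "spikes": leaver_volume_spikes(roster, events, today)}


if __name__ == "__main__":
    for section, rows in run().items():
        print(section, *rows, sep="\n  ")
```

Run on the constructed data as of 2016-04-06, it reports carol (an intern whose placement ended on 31 March) as still enabled, frank as an account with no HR record behind it, bob's download of a finance customer list that his engineering role does not cover, and bob's 700 MB day during his notice period against a 51 MB baseline. The leave-one-out median keeps the baseline honest with only a few days of history; in production the same job would run daily, and the roster join is what turns "an account downloaded a lot" into "a leaver downloaded a lot".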