[BreachExchange] Mitigating internal risk: Three steps to educate employees

Audrey McNeil audrey at riskbasedsecurity.com
Tue Dec 20 19:49:12 EST 2016


https://www.helpnetsecurity.com/2016/12/20/mitigating-internal-risk/

IT security is usually focused on how to prevent outsiders with malicious
intent from causing harm to your IT systems and data. While this is a valid
concern, people within organizations who simply do not understand the
consequences of their everyday habits and behavior on company computers
pose an equal, if not greater, risk.

Every person within a company who has access to information is a gateway
for data exfiltration. This is why education for ALL employees that
encourages following best practices for IT security is extremely
important to implement within organizations. So where should you start?
Take three easy steps.

1. Awareness about the ways hackers get into your organization

The average computer user has most likely heard all the keywords – virus,
firewalls, malware, phishing, ransomware, insider threats – but what it all
means has to be explained at the basic level and the consequences need to
be emphasized. Of course, the biggest emphasis should be on how hackers can
use them to get access to company data. From experience, it’s always best
to use real-life examples.

Case in point: Recently, I worked with a university whose administration
staff received an email at their university addresses asking them to update
their account information and passwords. It was a phishing scam that
provided the hackers with multiple administrators’ passwords. When I further
investigated the issue alongside the IT security team, I realized people
didn’t understand that it’s not as easy as just changing your password again
and that it’s not someone manually digging through their information.

The department put forward an initiative to explain how phishing scams work
and that the consequence is that someone has all the data you had access to –
including people’s personal data. Most likely due to the hackers’ high
success rate the first time, this university’s administration team was
targeted multiple times afterwards. The hackers, however, failed to extract
any additional information thanks to the administration team’s new
knowledge: they reported each phishing e-mail and started a university-wide
alert every time they received a suspicious e-mail.

2. Constant reminders to change people’s bad habits

When employees first start, it’s important to give them a list of the top 10
rules they should follow regarding IT practices. If you know which rules are
violated the most, those should make the top of your list. If you don’t, a
good way to find out is to use monitoring techniques that will help you
collect this data. There’s a high chance you’ll be surprised by the type of
rules people violate. Some examples of no-no’s include attaching company
files to personal e-mails, putting data on unencrypted USB drives, and
uploading files to cloud drives. Yearly training and reminder sessions
should also be implemented as part of company strategy.

One of the most effective tactics is to inform users that they are
violating policies while they’re attempting to take the action. This
approach is extremely important for organizations that do not block
particular actions because blocking can interfere with everyday tasks. For
example, if someone in the customer chat department were to send a file via
instant messenger, your IT team could set up a technology interface or
leverage solutions that automatically alert the violating staff member –
with a message saying that the action is not recommended.

Based on my own research with practitioners, in 72% of cases this was found
to be enough to deter the user from completing the action. Furthermore, my
research showed that 57% of the actions that were going to be taken could
have led to data exfiltration.
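The "warn at the moment of the action, and count what people trip over" idea
from this step can be sketched in code. The following is an added example
written for this post, not tooling from the article or from any vendor: the
rule names, the company domain, the device labels and the sample actions are
all constructed. It evaluates each action against a small rule set, either
alerts the user (the article's preferred mode, which leaves the action
allowed) or blocks, and tallies which rules are violated most so the top-10
list can be built from data rather than guesswork.

```python
from collections import Counter
from dataclasses import dataclass

COMPANY_DOMAIN = "example.com"          # constructed for this example
ENCRYPTED_USB = {"usb-enc-01"}          # constructed labels of approved encrypted drives
APPROVED_CLOUD = {"drive.example.com"}  # constructed approved cloud service


@dataclass(frozen=True)
class Action:
    user: str
    kind: str         # "email", "usb_copy", "cloud_upload" or "im_send"
    destination: str  # recipient address, USB label or service host
    file_tag: str     # classification label on the file: "public" or "internal"


def _is_personal_mail(addr: str) -> bool:
    """True when the recipient is outside the company mail domain."""
    return not addr.lower().endswith("@" + COMPANY_DOMAIN)


# Rule name -> predicate that is True when the action violates that rule.
# These mirror the 'no-no' examples in the text above.
RULES = {
    "company file attached to personal e-mail":
        lambda a: a.kind == "email" and a.file_tag != "public"
        and _is_personal_mail(a.destination),
    "company file copied to unencrypted USB":
        lambda a: a.kind == "usb_copy" and a.file_tag != "public"
        and a.destination not in ENCRYPTED_USB,
    "file uploaded to unapproved cloud drive":
        lambda a: a.kind == "cloud_upload" and a.destination not in APPROVED_CLOUD,
    "company file sent over instant messenger":
        lambda a: a.kind == "im_send" and a.file_tag != "public",
}


def violations(action: Action) -> list:
    """Names of every rule the action violates (empty list if none)."""
    return [name for name, hit in RULES.items() if hit(action)]


def handle(action: Action, mode: str = "alert") -> dict:
    """Evaluate one action. In 'alert' mode the action stays allowed but the
    user gets an immediate message naming the policy; in 'block' mode it is
    refused. Either way the matched rules are returned for tallying."""
    hits = violations(action)
    if not hits:
        return {"allowed": True, "message": None, "rules": []}
    message = (f"{action.user}: this action is not recommended by policy "
               f"({'; '.join(hits)})")
    return {"allowed": mode != "block", "message": message, "rules": hits}


def rank_rules(actions) -> list:
    """Most-violated rules first: the data for the 'top 10 rules' list."""
    counts = Counter()
    for a in actions:
        counts.update(violations(a))
    return counts.most_common()


# Constructed sample actions; none of these are real users or files.
SAMPLE_ACTIONS = [
    Action("alice", "email", "alice.home@gmail.example", "internal"),
    Action("bob", "usb_copy", "usb-unknown", "internal"),
    Action("carol", "usb_copy", "usb-enc-01", "internal"),   # encrypted drive: fine
    Action("dave", "cloud_upload", "share.example.net", "public"),
    Action("erin", "email", "erin.home@gmail.example", "internal"),
    Action("frank", "im_send", "support-chat", "internal"),
    Action("grace", "email", "grace@example.com", "internal"),  # internal mail: fine
]

if __name__ == "__main__":
    for a in SAMPLE_ACTIONS:
        result = handle(a)          # alert mode: warn, do not block
        if result["message"]:
            print(result["message"])
    for rule, n in rank_rules(SAMPLE_ACTIONS):
        print(f"{n:3d}  {rule}")
```

Running it in alert mode prints a warning for each of the five violating
actions while letting them through, and the ranking shows the personal e-mail
rule at the top; switching `handle(a, mode="block")` is the only change needed
for teams that do want enforcement for a particular rule.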

3. Lead by example

Management can scare employees into following company policies but
sometimes they don’t scare themselves enough. I’ve come across hundreds of
companies where statistics show that management violates more IT policies
than the average employee.

The issue here is, if a manager violates a company policy while interacting
with their employee, there’s a higher chance that the employee will engage
in the same activity at some point during their time with the company. It’s
also important for management to dig into why they’re violating the
policies. If it’s because they’re lazy, then their behavior simply has to be
changed. If it’s because the policy is making it hard for them to do their
job, the rule has to be evaluated. Is it making it hard for those under
management to do their job as well? Employees will find ways to circumvent
policies if they’re inconvenient.

Showing employees that their concerns are a part of the IT security
strategy is important because it diminishes the feeling that the policies
are implemented to restrict them. In my experience, companies that were
able to reduce violations by their management by 10% were able to reduce
their overall company violations by 27% in just three months.

Ultimately, your organization is only as strong as your weakest link – and
your weakest link may be someone who simply didn’t know not to click,
send, or download.