[BreachExchange] Fighting the War at Home: How Your Employees are Your Greatest Asset in the Battle Against Data Loss

Audrey McNeil audrey at riskbasedsecurity.com
Fri May 17 18:54:49 EDT 2019


https://businesscomputingworld.co.uk/t/fighting-the-war-at-home-how-your-employees-are-your-greatest-asset-in-the-battle-against-data-loss/2611

Sun Tzu, once stated that: “The supreme art of war is to subdue the enemy
without fighting.” and two and a half thousand years later his rhetoric
stands the test of time, as today we are seeing this ancient ideal applied
in the most modern of battlegrounds: the fight against cyber-crime.

In recent years, more and more firms are realising the exponential threat
of a data breach within their organisation. The average cyber-attack costs
a business over $1mil, a figure that has made organisations sit up and take
note of the true ramifications of a malicious attack. However, businesses
also need prepare for data breaches that can occur as a result of
employees. While malicious attacks make up a significant portion of
incidents, breaches as a result of employees and the extended enterprise
make up 65% of all security incidents in the UK.

To tackle both the malicious and accidental threat, organisations should
have preventative technology in place, but the real key to mitigating the
damage of cyber-crime is to educate the workforce on the various dangers
they pose to their firm, be it accidentally sharing sensitive data, or
Ransomware attacks.

‘Know Thy Enemy’

As a starting point, employees should have a good understanding of the data
that is stored within the company and where they come into contact with
sensitive information in their own role. A well-trained employee should be
able to answer the three data-security questions, ‘What’, ‘Where’ and ‘Why’:

What data is of value to a potential hacker?
Where is this valuable data stored?
Why is this data so valuable, and why is it a potential target?

If an employee is capable of answering these three questions, they will be
much better equipped to resist any attempts by hackers to coerce this
information. They will likely question any request for this particular
data, would be suspicious of anyone attempting to access that part of the
data system, and will understand the potential value of this data, and the
need for its protection. Not only is this considered the more effective of
the two aspects of cyber-security training, it is also regarded as easier
to teach employees what they need to protect, than to teach them who they
need to protect it from.

‘Once More Unto the Breach, Dear Friends, Once More’

The ways in which a breach may occur, and the consequent warning signs may
vary from industry to industry, but there are a few frequently occurring
symptoms. The average worker may not notice a significant rise in outbound
traffic, but if trained correctly they may question the resulting slower
internet speeds. Furthermore, a trained employee would know to be
suspicious if they were suddenly locked out of their user accounts, or sent
an email asking for financial details. A trained eye may recognize these
warning signs, but to an average employee with no training in cyber
security, they may assume this is the result of network maintenance, or
their frustrating colleague Derrick who always moves files around the
system. However, recognising the breach is only part of the battle.

The most important part in responding to a breach is establishing a clear
line of communication to raise the alarm. It may be that employees will be
encouraged to report such threats to a supervisor with specialist training
in differentiating real breaches from accidents or false alarms.
Alternatively, employees may be instructed to simply pass on warning about
any possible breach directly to the IT department. The chain may vary from
firm to firm – but what is essential is that a solid protocol is
established and employees are educated on what to do in preparation for
such a threat.

‘Knowing The Rules of Engagement’

Most data losses are the result of accidental data leaks, but employees can
be trained easily to reduce this threat drastically. When an internal
breach occurs, employees are reluctant to blow the whistle on themselves,
often hiding the issue whilst they attempt to rectify it. In addition,
those who unknowingly facilitate an attack (be it through phishing, malware
or even social media), are usually reluctant to raise the alarm in fear of
punishment.

This is arguably one of the most common – and indeed, problematic – issues
surrounding data breach mitigation. As any cyber security specialist can
testify; the longer it takes to identify a threat, the more damage that
threat is capable of doing. Time is of the essence in dealing with
breaches, and if an employee is unwilling to come forward until the threat
is discovered, significant damage may have already been done.

To combat this, firms must reassure workers that they will not face
consequences for reporting accidental data loss and breaches. Firms must
hold their workforce to a certain standard of quality, but at the same time
one must remember that the highest priority is encouraging employees to
come forward, allowing the firm to address the breach itself as quickly as
possible.

‘Sometimes, You Have to Fight a Battle More Than Once to Win It’

Bear in mind that whilst training your workforce to a higher standard of
cyber security and adopting a supportive breach-reporting environment will
undoubtedly have a significant impact on the strength of your cyber
security, over time the standard of your workforce’s defence will degrade.
This is mainly as a result of changes in the operation of the firm, and
also in part due to human nature. Firms must remember that changes to data
storage, or new protocols on data sharing will require a refresher course
on the ‘three questions’, and be proactive about training staff about new
emerging tech which may present a new security risk that your workforce may
not be aware of.

Furthermore, firms must remember that humans are inherently fallible, and
that as time goes on without any problems, many workers will lose their
caution; a well-documented fallacy known as ‘Normalcy Bias’. In addition to
this, canny workers will often find workarounds to their training in the
pursuit of speed, ease and efficiency, therefore negating the effectiveness
of that layer of security. For all these reasons, it is essential that a
firm recognizes that training against cybersecurity is a continuous
process, with training sessions occurring frequently to make sure that all
staff are up to date.

‘Sic Vis Pacem, Para Bellum’

Staggeringly, although 70% of medium/large UK firms reported a significant
data breach during 2017, less than 50% have trained their workforce in
adapting to this new age threat. Clearly the need for a cyber-threat
educated workforce is greater than ever, although businesses must remember
that this is only one facet of a strong cyber defence. A truly strong cyber
defense should incorporate tiered security, with multiple layers of
defenses such as; a firewall, multi-factor authentication, an email
protection or redaction service, and of course, a well-educated workforce.
As the ever prescient Sun Tzu surmised, “The art of war teaches us to rely
not on the likelihood of the enemy’s not coming, but on our own readiness
to receive him.”
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20190517/09548ed8/attachment.html>


More information about the BreachExchange mailing list