Businesses continue to experience security incidents and data breaches despite significant investment in defensive security tools. There are many issues at play, but none so difficult to manage as that of human risk. Specifically, human error and poor decisions, the lack of adequate policies and procedures, and inadequate preparation against social engineering attacks, effectively undermine the technology investments businesses have made. Ensuring business survival in the current environment must include managing human risk factors as part of a comprehensive risk management strategy.
How Bad Is It?
In April 2011, RSA Security (a division of EMC) announced that it had suffered a major security breach. In its July 2011 earnings call, EMC revealed that in the second quarter alone it had spent US$66m dealing with the aftermath. The root cause of this incident was a targeted attack against RSA personnel, which culminated in a user clicking on an infected email attachment. One user’s seemingly innocent actions led directly to a serious security incident, which in turn was used to attack major U.S. defense contractors.
More recently, a lapse in judgment by Apple customer support personnel led to a widely covered story in Wired about an identity theft incident. While no specific dollar figures have been discussed, the story certainly isn’t over yet, and one has to wonder about pending legal actions and settlements. Sadly, this is a story where adhering to existing policy could have stopped or limited the compromise.
The bottom line is this: No matter how much your business invests in security technologies, humans can always find a way, either intentionally or unintentionally, to undermine or bypass those measures, exposing your business to significant liability.
What's The Threat?
Enumerating all possible means by which human risk can undermine your business’s survival would be impossible, but there are three areas today that stand out as major risk factors.
BYOD (bring your own device): A popular trend in IT has been to allow users to bring their own devices into the corporate environment. On their face, these policies seek to save businesses money while increasing user satisfaction. However, there can also be tremendous downside to these policies. How do you ensure that users aren’t bringing infected devices into your business, or walking out with all your sensitive data? Security tools can help manage this problem, but cannot prevent it entirely.
Passwords: Passwords are one of the oldest and most faulty security tools in use today, and businesses are increasingly burned by their persistent presence as a core protective measure. News of password database compromises has become almost a daily occurrence. Password reuse by humans amplifies these breaches, as one password breach often means the compromise of multiple accounts (e.g., the recent Dropbox spam incident was made worse by an employee reusing his work email and password on another site). Moreover, antiquated guidance on “password strength” (or “complexity”) causes users to game the system, further undermining its effectiveness. Where effective password policies are in place, they are also often undermined by automated password reset processes that rely on alternative passwords that are easily guessable and go against known good password practices.
Weak Adherence to Policies and Procedures: The Wired ID theft story provides a clear example of just how bad things can get when procedures aren’t followed. Having a policy framework in place can be an acceptable starting point, but it will do little good if humans aren’t motivated to conform to stipulated requirements. Additionally, policies that interfere with people’s ability to perform their assigned duties help create a corporate culture that undermines the authority of its own written requirements.
This short list is merely the tip of the iceberg, but represents some common trends affecting businesses on a daily basis. Fortunately, there are simple steps that can be followed to help manage human risk factors.
What Can You Do?
The best way to manage human risk is to apply a two-pronged approach that seeks to proactively address weaknesses while leveraging standard resilience-oriented risk management practices. Businesses need to educate and train users about common threats, attacker tactics, and expected performance relative to following set policies and procedures, all in addition to deploying security tools and practices that will help the business detect and recover from various incidents. The following three steps are a useful starting point.
Operationalize Policies and Procedures: Traditional policies and procedures often end up ignored or undermined by corporate culture (people are far more likely to comply with policies they understand and that don’t interfere with their ability to perform assigned duties). It’s time to reform policies and procedures by putting them into actionable, easily understood language that is accessible to the applicable audience. For example, high-risk business functions should leverage detailed checklists where feasible to help reduce variance and to ensure that key risky behaviors are avoided. Deviation from set procedures must have consequences.
Enhance Education and Awareness Activities: Annual computer-based training on security policies is inadequate. Users must be continuously reminded of their responsibilities and of the very real consequences for bad decisions. Active training measures, such as anti-phishing awareness programs, should be deployed to keep these concerns in the forefront of people’s minds.
Evolve Beyond Basic Tools: Passwords, firewalls, and “secured” (SSL encrypted) browser connections are no longer adequate defense measures. Employees bring their own devices into your network, and can easily walk out with sensitive data. Passwords get reused on multiple sites, and password databases are compromised on a daily basis. Endpoints (e.g., phones, laptops) are easily compromised, negating the secure connection to your cloud service providers or VPNs. It’s imperative that basic security tools be upgraded, such as by adding a second authentication step or factor. Enhanced monitoring, detection, response, and containment capabilities must become primary security mechanisms. Anybody and everybody is a target, so assuming that security incidents will occur means planning for palatable failure modes and optimizing detection and recovery.
Ensuring business survival in the face of information security risks is not trivial, but shifting focus and practices to account for the ever-changing landscape can help heighten resilience. Broadening risk management practices to account for human risk is not only a good idea, but also an absolute must today. Addressing this concern means enlisting your employees as part of your security and risk management program, making it everyone’s job to ensure that the business can continue to function despite incidents, and to help minimize the frequency and severity of these inevitable events.
Contributed by Chris Caldwell, CEO of governance, risk and compliance software provider LockPath.