Employees are a company's greatest asset. Businesses say so emphatically. But sometimes those same employees are the ones who spark a data breach, albeit unwittingly, through careless actions - or lack of planning on the part of their bosses.
It's generally acknowledged, with real passion and sincerity, that employees are a company's greatest asset. Indeed, without the know-how, dedication and commitment of the workforce, no organisation is going to be successful. And yet this is a double-edged sword - because, in the often dark underworld where security resides, those same people can also be its weakness.
"To combat this, organisations need to take a two-pronged approach to mitigating human error and ensuring security systems and protocols are up to scratch," says Rob Norris, director of enterprise and cyber security in EMEIA at Fujitsu. "Human error accounts for a large percentage of data breaches, whether that is falling victim to outside attacks exploiting the human interest factor or an inadvertent mistake.
"It is this type of 'shadow IT' activity that poses significant risk to an organisation's data, and highlights the crucial necessity for staff training and creating awareness of technology and how to use it. Unfortunately, controls do not stop everything, so employees should think when they receive emails: 'Was I expecting this? Who is it from? Is it trusted or not trusted? Have I received something like this from the company before?'"
From a technical perspective, regulating what can be seen, by whom and from where, with strong role-based access controls and building different levels of access to different parts of the company's data is a good place to start, he argues. "This way, businesses can also monitor who is trying to access data that isn't relevant to them, highlighting their potentially malicious intentions, particularly if those logs are recorded in a central SIEM platform." Norris advises that organisations should also look to encrypt their data where possible and "perform regular vulnerability scans of their internal network to understand what vulnerabilities exist".
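The control Norris describes above, a role-based access decision whose out-of-role attempts are written to a central log and then reviewed per user, as an added example in Python. This is not code from Fujitsu or from the article: the role map, user directory, log line format, sample log and review threshold are all constructed here for illustration.

```python
"""Role-based access check plus detection of out-of-role access attempts
over constructed access-log lines. Added example; the log format, the
role map, the user directory and the review threshold are assumptions,
not anything taken from Fujitsu or the article."""
from collections import Counter
import re

# Assumed RBAC policy: role -> set of data stores that role may read.
ROLE_PERMISSIONS = {
    "finance": {"ledger", "payroll"},
    "hr": {"payroll", "personnel"},
    "engineering": {"source", "build"},
}

# Assumed directory: user -> role.
USER_ROLES = {
    "alice": "finance",
    "bob": "engineering",
    "carol": "hr",
}

# Assumed log format: ISO timestamp, user, source IP, resource requested.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) resource=(?P<resource>\S+)$"
)


def is_permitted(user, resource):
    """RBAC decision: permitted only if the user's role covers the resource."""
    role = USER_ROLES.get(user)
    if role is None:
        return False  # unknown user: deny by default
    return resource in ROLE_PERMISSIONS.get(role, set())


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def out_of_role_attempts(log_lines):
    """Every attempt to reach data outside the user's role, as SIEM-ready records."""
    events = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; a SIEM would count these separately
        if not is_permitted(rec["user"], rec["resource"]):
            events.append({**rec, "verdict": "denied_out_of_role"})
    return events


def suspicious_users(log_lines, threshold=3):
    """Users with at least `threshold` out-of-role attempts: candidates for review."""
    counts = Counter(e["user"] for e in out_of_role_attempts(log_lines))
    return sorted(u for u, n in counts.items() if n >= threshold)


# Constructed sample log: bob (engineering) probes HR and finance stores,
# carol makes one stray request, mallory is not in the directory at all.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z user=alice src=10.0.1.5 resource=ledger
2024-03-01T09:00:07Z user=bob src=10.0.2.9 resource=source
2024-03-01T09:01:12Z user=bob src=10.0.2.9 resource=payroll
2024-03-01T09:01:15Z user=bob src=10.0.2.9 resource=personnel
2024-03-01T09:01:20Z user=bob src=10.0.2.9 resource=ledger
2024-03-01T09:02:00Z user=carol src=10.0.3.2 resource=personnel
2024-03-01T09:02:30Z user=carol src=10.0.3.2 resource=source
2024-03-01T09:03:00Z user=mallory src=203.0.113.7 resource=payroll
garbage line that does not match the expected format
""".splitlines()

if __name__ == "__main__":
    for event in out_of_role_attempts(SAMPLE_LOG):
        print(event)
    print("users to review:", suspicious_users(SAMPLE_LOG))
```

The point of separating `is_permitted` from `out_of_role_attempts` is the one Norris makes: the same RBAC decision that denies the request also produces the event worth shipping to the SIEM, and a per-user count of denials (rather than a single denial) is what distinguishes a probing user like bob from a one-off mistake like carol's.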
Wendy Nather, principal security strategist, Duo Security, argues that, in a real way, identity and access management (IAM) is the embodiment of how the business uses information technology. "It encompasses the stakeholders, the actors, their roles and even their values. The IAM system has to reflect and support all of these, so it's important to start by understanding them. This isn't easy. There are unwritten assumptions everywhere. Who owns the data and who is the steward? The answers determine who must give permission for access and what information they will rely upon to make those decisions. Who vouches for the identity of each person using the system, whether it's an employee, a partner, a student, a citizen or a customer?
"The issues get more complicated whenever one person plays multiple roles: for example, in the moment that a doctor becomes a patient herself, the identity and access rules change, because, under regulations such as HIPAA, the nature of her own data changes."
As a user base grows, the trend in IAM is to push out these business decisions as closely as possible to the key decision makers, not to keep them centralised in IT administration, she adds. "Self-enrolment and re-certification ease the friction for people who just want to make their purchases or get their work done. Federation can also reduce the burden, but, at some point, those data stewards who are legally responsible for its protection must still have the final say on access."
To increase your organisation's maturity in IAM, look to business process engineering, Nather advises, and make sure to involve legal, compliance, privacy and fraud department input. "The most mature IAM set-ups recognise that business rules change and the IAM system itself must remain agile to reflect that change."
Returning to education, any such programme needs more than tacit support by the board and must support policies that are seamlessly integrated into employee work patterns. "Boards have become cyber security savvy, but there's more to do," states Graham Mann, MD, Encode UK. "There are still too few board members, whether executive or non-executive, with sufficient knowledge of cyber security. This negatively impacts the bi-directional communication channels that are vital to ensure the successful organisation-wide implementation of a security strategy."