Shift in Security Focus – The People Problem (Part 1)

If you would like to read the next part in this article series please go to Shift in Security Focus – The People Problem (Part 2).

People form a significant part of the organisation. Individuals plan, decide, devise and implement the ways in which to secure the IT environments. People are often behind cyber security threats. People allow, sometimes purposefully and sometimes not, the breaches to occur. People determine how to recover from these breaches. The list goes on and on.

The significance of people is often underplayed; regardless, people continue to contribute to the gaps in our security posture, and they continue to be the weakest link. Many organisations overlook this security gap and do not give it the attention it requires. It is an area that needs significant focus, especially as cybercrime continues to rise.

In this two-part article we will focus on people as the security gap and ways in which this can be addressed within the organisation to enhance the security posture. The first instalment will focus on the problem.

Introduction

We often fall into a security rut, where all our focus, effort and funds go to the same security disciplines and measures at each security review. By focusing on these already strengthened areas, we do not realise a level of improvement in security proportionate to the effort put in. These already strong areas leave little room for improvement, so our extensive efforts and budgets (a lot of the time) do not appear to improve our security posture by very much. Furthermore, the fast-changing IT and cyber security environment readily allows security gaps to form that often go unnoticed.

A lot of focus is placed on data, devices, getting the hardware and software security disciplines right, layers of defence and being responsive. This is important and necessary, but many organisations fail to give much thought to a very substantial part of every organisation: the people (and their many identities).

This means the people within the organisation and, for that matter, outside of it. People contribute a gaping hole in security in many ways, and no software or hardware solution can comprehensively fix this. People contribute significantly to an organisation's security posture, and by directing focus to the people and the potential gaps that they cause in security, the organisation can go a long way towards achieving a more secure environment.

People, the security gap

People are unfortunately the weakest link in cybersecurity. Research has shown that errors brought about through people account for at least 95% of all security incidents. These challenges must be addressed in order to improve the security posture. Contributing factors include lack of knowledge, personal devices, identity, insider and outsider threats, and third party threats, all heavily reliant on people. The risks brought about by people continue to develop and expand.

Lack of knowledge and understanding

Although many organisations insist on employee training and communicate the cybersecurity risks to employees, employees often still do not appreciate the importance of this knowledge and, a lot of the time, do not have the capacity for a comprehensive understanding of all the risks involved and their consequences or repercussions.

Employees are not as attentive to these potential risks as they should be, even though the risks are major and require every employee to remain engaged and focused all of the time to avoid them. The scope of risks employees must consider continues to mount, and it becomes challenging to keep everyone on top of all of them consistently, especially since not all employees are technically inclined. It takes one slip-up, one human error, for infiltration to occur.

The threat from an employee acting out of ignorance, without malicious intent, usually has no motive and is purely accidental. However, although the damage is accidental, it is very much a real issue with real consequences.

It is important that employees are made aware that there are ways in which information can be leaked unintentionally and that this should be prevented. Social media is one area where this may happen, as is social engineering.

Personal devices

Businesses are increasingly allowing employees to utilise personal devices for business functions. These devices are mostly controlled by the employees and not by the business, yet they form part of the business network.

These devices, as part of the BYOD movement, can pose a security risk in the hands of a less knowledgeable employee. Employees need to ensure that their devices are managed appropriately and that the necessary policies are followed so that security and integrity are always upheld.

It is not only the devices but also the people utilising them that should be carefully considered. Focus is often placed on the devices alone as the security issue, but the people utilising them form a large part of this challenge.

Identity

Employees of organisations may have multiple identities for various business functions. Attackers can assume these identities to infiltrate an organisation and can also abuse insider privileges once inside. This often occurs without the organisation being aware.

A good comprehension of identity is vital for the organisation to properly manage these identities and be able to detect and respond to any identity threat.

As IT environments continue to develop blurred boundaries and lose any fixed perimeter, it is fundamental that identities are properly addressed within security.

It is essential that the organisation is always able to guarantee that the correct individual is behind any given device and to determine whether the behaviour is normal or not.

Insider threat

The insider threat can be malicious or non-malicious. The latter usually occurs due to poor security policies and poor management or controls, which allow human error to occur and vulnerabilities to be exposed. Employee and user knowledge plays a part in this too. Malicious activity can occur because an employee is resentful or for sabotage purposes.

Malicious insider threats are a daunting scenario for any organisation to comprehend. Organisations rely on people for the functioning of everyday business, which requires a great level of dependency on and trust in many people. When this trust is undermined, businesses can find themselves in a very vulnerable situation. Insider threat is likely to be one of the most damaging threats to occur.

The insider threat brought about by employees working within the business consists of purposeful actions carried out with criminal intent. Employees have access to all the necessary information, security practices, passwords, systems, etc. to undertake a variety of activities that cause a great deal of damage.

Most organisations agree that this is a valid concern, and it is important to any organisation to be able to trust its employees. Nevertheless, the insider threat is prevalent, and organisations must be able to protect their business, data, assets and reputation from this type of threat.

Organisations must be able to predict how people are likely to behave so that anything out of the ordinary can be picked up early on and any malicious activity duly averted.

Outsider threat

The outsider threat comes from outside of the organisation (a non-employee), but a lot of the time employees are tricked into allowing the attacker in. Social media is also aiding attackers in obtaining the information necessary for infiltration into organisations. Most of the time employees are distributing this information over social media without realising the repercussions and without intending to cause any harm.

The attacker will attempt to gain access using all means possible (exploiting known vulnerabilities, social engineering, network spoofing, gaining passwords and intrusion), with a goal and motive in mind that is malicious and damaging to the organisation.

Third party threat

Third party vendors and outsourcing also increase the potential security risk. The larger the supply chain, the more people are involved, and the higher the risk posed and the greater the scope for vulnerability if it is not managed correctly. Many organisations are engaging with third parties and outsourcing functionality, and this is something that must be carefully considered and managed correctly.

Conclusion

It is important that we find the areas being overlooked and shift security focus to these areas. By addressing these gaps a greater improvement in our security posture will be visible and achievable. The gap people introduce to security, regularly unnoticed, requires some necessary attention.

The growth of social media and diverse computing environments is aiding the attacker. It makes this vector of attack, through the employee, easier to accomplish and less labour intensive, so that people become a more effective means of penetrating the organisation than alternative vectors. This is something that must be addressed by organisations.

In part two of the article we will consider some ways to help address the people challenges mentioned above.
