Shift in Security Focus – The People Problem (Part 2)

If you would like to be notified when Ricky & Monique Magalhaes releases the next part in this article series please sign up to our Real Time Article Update newsletter.

If you would like to read the first part in this article series please go to Shift in Security Focus – The People Problem (Part 1).

In part one of this series we addressed how people form a significant part of the organisation and consequently introduce a security gap that is often overlooked, or not given the focus needed to bridge it well enough for the improvement in an organisation's security posture to be fully realised.


The fast-changing IT and cyber security environment readily allows security gaps to form that often go unnoticed. One of these gaps is heavily dependent on people: how people behave and how their identities and activities are monitored and managed. These people include employees as well as non-employees and third parties, those with malicious intent and those who make the organisation vulnerable through error and are unaware of the repercussions of their accidental actions.

Pinpointing security gaps becomes part and parcel of a security professional's daily tasks. Time is spent performing risk evaluations, planning and implementing policies, deploying defensive strategies and technologies, and researching and preparing for future attacks, trying to prevent them and to stop them in their tracks.

This is all good; however, while directing our focus to the same areas continuously we often miss essential gaps in our security. These gaps are overlooked because we believe we have all areas effectively covered, and so our security posture remains virtually unchanged.

People as a security gap are a growing concern for many, and one that must be properly addressed.

To recap, the risk posed through people and the security challenges raised (addressed in part one of the article series) are as follows:

Security risk posed by people
  • Employees (insider threat, malicious intent)
  • Employees (insider threat, non-malicious)
  • Ignorance and lack of knowledge
  • Non-employees (outsider threat, malicious)
  • Third parties

Usual Motive
  • Deny service
  • Steal information
  • Change data
  • Delete or damage data
  • Sabotage
  • Social engineering
  • IP spoofing
  • Hacking
  • Password theft
  • Malware, viruses etc.
  • Packet abuse
  • Email interception and spying
  • Impersonation

Security Policy should address
  • Assets
  • Data
  • Hardware
  • People
  • Vulnerabilities
  • Business function

Table 1

Bridging the gap introduced by people, areas for consideration

In part one of this series we focused on the causes of the problem. These comprised lack of understanding, the growing number of identities and the challenge of guaranteeing who the user behind each identity is, as well as personal devices and the multiple devices forming part of business function, and insider, outsider and third party threats. All of these areas add to the challenge that people bring to security. These are the areas that need to be carefully considered and addressed to ensure the 'people' security gap is efficiently bridged.

Identities, behaviour and patterns

Identities form a large component of the challenge. It is essential that organisations are capable of recognising behaviour patterns and understanding identities (the faces behind the devices). Organisations must be able to identify changing behaviours so that they can distinguish between normal and abnormal behaviour, and distinguish an attacker from an employee going about daily duties.

It is imperative to have a detailed outline of each employee's role within the organisation and to be aware of how each employee behaves. Knowing how your employees behave allows the organisation to pick up on any changes and make valuable connections to suspicious behaviour. This is made possible through tracking user activity, because the end user is capable of introducing significant risk.

It is important to be able to identify suspicious behaviour, to recognise whether the incidents being monitored are indicative of malicious activity, and to decide whether they warrant a response to prevent a breach from occurring.


A leading analyst has suggested that by 2020 there will be 25 million connected devices. This means that each person is likely to have up to three devices linked to them, extensively increasing the threat surface within organisations that allow these devices to be used (which is now commonplace). This is extremely challenging in a business environment where most organisations already struggle to maintain a comprehensive and robust security approach. It must be addressed if organisations are to stand any chance of improving security and bridging the associated gaps.

The right tools, technologies and processes are essential. Analytics and threat intelligence are required so that identification, detection and monitoring of threats can be undertaken comprehensively and at speed.

Knowing which user is behind a given device and learning what is normal behaviour for a particular user is essential for effective monitoring of security.

Equip devices with the necessary software and protocols to make them secure (encryption, remote wipe etc.). Have appropriate plans in place for BYOD and enforce them.

Insider threat and Outsider threat

We have noticed organisations seemingly choosing to protect against outsider threats above insider threats, believing that the outsider is the threat that should be of more concern. Both insider and outsider threats should be equally protected against: once an outsider has gained access, the threat may unfold in the same way an insider threat would. We cannot rely solely on perimeter defence; the threat brought about by people is one that is often linked to human vulnerabilities and it must be addressed as such.

Most of the time, the employees or identities with the most privileged access rights bring the highest risk. This is an insider risk, and it can be reduced in a number of ways.

  • Use Identity and Access Management procedures. This is a great way to manage identities, but many organisations continue to find it challenging; it is nonetheless important to get these basics right.
  • Abide by the least privilege approach and give users only the privileges they require to undertake their business function (this is consistently highlighted as the best approach and should not be taken lightly).
  • Limit the number of privileged users and identities: the fewer users you have with privileges, the fewer potential risk areas for insider threat.
  • Monitor privileged users' identities to identify any changes in behaviour, so that suspicious behaviour that may indicate a breach in progress can be picked up.
  • Security monitoring tools should be able to take into account a combination of incidents over an extended time span to suggest behaviour outside of the norm.
  • Identity should be central to security management so that a comprehensive understanding of security can be achieved. Understanding the identity and the user's behaviour makes monitoring and understanding events that much easier.
  • Use tools and services that aim to reduce the organisation's exposure to human error. These defences should work both within and outside of the organisation, given the increasingly mobile business environment.

The changing way in which business functions is making it more challenging to pick up on behavioural inconsistencies, as employees are increasingly working remotely, outside of the business premises and outside of business operating hours. Location and time alone are therefore no longer a guaranteed cause for concern. Additionally, accessing multiple documents and accounts is becoming the norm for employees undertaking their duties.


Have the appropriate security controls in place to monitor and control access, so that activities outside of the norm can be spotted. Many organisations have solutions whose purpose is to detect certain activities. The problem is that, much of the time in cyber security, you are attacked by something or in a manner that you are not aware of, so the organisation does not have the appropriate detection in place. Constant monitoring and detection of abnormalities, supported by data analytics, is fundamental to uncovering evolving threats. Attentiveness is a vital preventative measure: anything out of the norm should be flagged, and in order to do this the norm must be clarified and understood by all involved.
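The points above (monitoring tools that combine incidents over an extended time span, and location or time alone no longer being a reliable signal) can be shown in a small behaviour-baseline script. This is an added example, not code from the original article or its authors: the users, locations, resources and log lines are constructed, and the indicator weights and alert threshold are illustrative assumptions to be tuned per environment. It builds a per-user profile from a baseline period, then scores an observation window so that several weak signals across days add up while a single off-hours login does not.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logs (not real data), one event per line:
# "<ISO timestamp> <user> <location> <resource>".
# Baseline: alice works from the office in the day on finance shares;
# bob regularly works late from home on engineering shares.
BASELINE_LOG = """\
2024-03-04T09:05:00 alice office share/finance/budget.xlsx
2024-03-04T14:20:00 alice office share/finance/forecast.xlsx
2024-03-05T10:10:00 alice office share/finance/budget.xlsx
2024-03-06T11:30:00 alice office share/finance/invoices.csv
2024-03-04T21:30:00 bob home share/eng/repo.git
2024-03-05T09:15:00 bob office share/eng/repo.git
2024-03-06T22:05:00 bob home share/eng/ci-config.yml
"""

# Window two weeks later: bob's late-night access is his norm; alice combines
# a new location, unusual hours, unfamiliar resources and higher volume.
WINDOW_LOG = """\
2024-03-18T20:30:00 alice home share/finance/budget.xlsx
2024-03-19T02:10:00 alice cafe share/hr/salaries.xlsx
2024-03-19T02:12:00 alice cafe share/hr/contracts.zip
2024-03-19T02:15:00 alice cafe share/eng/repo.git
2024-03-20T02:40:00 alice cafe share/legal/merger.docx
2024-03-18T21:00:00 bob home share/eng/repo.git
2024-03-19T23:30:00 bob home share/eng/ci-config.yml
"""

# Illustrative assumptions: weights per indicator and the combined score needed to flag a user.
WEIGHTS = {"off_hours": 1, "new_location": 1, "new_resource": 2, "volume": 2, "unknown_user": 3}
ALERT_THRESHOLD = 6


def parse_log(text):
    """Turn log text into (timestamp, user, location, resource) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, location, resource = line.split()
        events.append((datetime.fromisoformat(ts), user, location, resource))
    return events


def build_baseline(events):
    """Per-user profile: usual hour range, known locations and resources,
    and the most distinct resources touched in a single day."""
    profiles = {}
    for ts, user, location, resource in events:
        p = profiles.setdefault(user, {"hours": [], "locations": set(),
                                       "resources": set(), "per_day": defaultdict(set)})
        p["hours"].append(ts.hour)
        p["locations"].add(location)
        p["resources"].add(resource)
        p["per_day"][ts.date()].add(resource)
    for p in profiles.values():
        p["hour_range"] = (min(p["hours"]), max(p["hours"]))
        p["max_daily"] = max(len(r) for r in p["per_day"].values())
    return profiles


def score_window(events, profiles):
    """Accumulate weighted indicators per user over the whole window, so that
    a combination of incidents across days is what raises the score."""
    scores, reasons = defaultdict(int), defaultdict(list)
    daily = defaultdict(lambda: defaultdict(set))
    for ts, user, location, resource in events:
        p = profiles.get(user)
        if p is None:  # activity with no baseline at all is itself a signal
            scores[user] += WEIGHTS["unknown_user"]
            reasons[user].append(f"{ts} no baseline for user")
            continue
        lo, hi = p["hour_range"]
        if not lo <= ts.hour <= hi:
            scores[user] += WEIGHTS["off_hours"]
            reasons[user].append(f"{ts} outside usual hours {lo:02d}-{hi:02d}")
        if location not in p["locations"]:
            scores[user] += WEIGHTS["new_location"]
            reasons[user].append(f"{ts} new location {location}")
        if resource not in p["resources"]:
            scores[user] += WEIGHTS["new_resource"]
            reasons[user].append(f"{ts} first access to {resource}")
        daily[user][ts.date()].add(resource)
    for user, days in daily.items():  # daily volume versus the user's own baseline
        for day, resources in days.items():
            if len(resources) > profiles[user]["max_daily"]:
                scores[user] += WEIGHTS["volume"]
                reasons[user].append(f"{day} {len(resources)} distinct resources, "
                                     f"baseline max {profiles[user]['max_daily']}")
    return dict(scores), dict(reasons)


def analyse(baseline_text, window_text, threshold=ALERT_THRESHOLD):
    """Return (scores, flagged users, reasons) for a window judged against a baseline."""
    profiles = build_baseline(parse_log(baseline_text))
    scores, reasons = score_window(parse_log(window_text), profiles)
    flagged = sorted(u for u, s in scores.items() if s >= threshold)
    return scores, flagged, reasons


if __name__ == "__main__":
    scores, flagged, reasons = analyse(BASELINE_LOG, WINDOW_LOG)
    for user in sorted(scores):
        print(user, scores[user], "FLAGGED" if user in flagged else "")
        for r in reasons.get(user, []):
            print("   ", r)
```

Run as a script it prints each user's score with the reasons behind it: bob collects a single off-hours point and is not flagged, alice accumulates points from several indicators over three days and crosses the threshold. A production system would replace the hour range and per-day maximum with proper distributions and learn from far more history, but the shape is the same: baseline the norm per identity, then judge combinations over time rather than single events.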

Procedure and policies

Develop and enforce policies and procedures so that all employees understand their roles and expectations are clear. An Insider Threat Best Practice Policy is an essential policy to have. Involve all departments in policy and procedure development: each department will have specific areas of knowledge, and it is essential to have a comprehensive understanding of how the organisation runs as a whole, not only the IT department.

Education, knowledge and awareness

Educating employees and making them aware is instrumental. Maintain communication across departments; ensuring comprehensive awareness is very important to reduce the vulnerabilities posed by people. Ongoing monitoring and keeping training current with new or changing threat vectors are important too. Lack of knowledge is a serious problem with regard to the threat posed by employees.

Clarity about security preparedness, the protections currently in place, and how the organisation will respond is crucial. Mitigation of risk should be a priority.

Third parties and partners in business

Trusted partners are very important. Organisations not only require the best and most up-to-date security technologies but also partners that enable a healthy security posture. Partners must be reliable and transparent with regard to security needs, procedures and policies, and must share the security values of the organisation. Reputable partners and third parties are a must, always.


People will continue to be the greatest point of exposure, and organisations must focus on user behaviour and identity to address this more effectively. Tackling this correctly will allow organisations to better distinguish between a real threat and a non-threat in a timely and efficient manner, reducing the occurrence of security breaches.

Properly addressing the risk posed by people makes it more challenging for an intruder to infiltrate the organisation undetected, and detection technologies will be far more effective once the 'people gap' is addressed.
