A chain is only as strong as its weakest link. In an enterprise environment, it is often human error that creates the biggest risks. This fact is corroborated by many studies and, more than that, by many outages and incidents. Whether it is ignorance or wilful data theft, the risk that enterprises face from employees and disgruntled ex-employees is as big as (if not bigger than) the risk from external cyber threats or APTs. While ignorance has only one remedy, training and policy enforcement, deliberate theft can be more difficult to handle and needs both tools and a stronger security infrastructure in place.
In January 2015, P&G USA filed a suit against 4 Gillette employees for stealing and sharing corporate information with direct competitors. This is a classic case of the people risk around sensitive corporate information. In another recent report on a study by the Ponemon Institute, employee negligence was identified as the top threat to information security in healthcare organisations. How do CISOs identify an employee whose behaviour makes them a high risk? And how do IT organisations fight ignorance and negligence among employees to secure data as far as possible?
Here are some ideas on how to do it…
1. Identify Careless Employees, Increase Risk Awareness: Tighten Up Policies
Simple carelessness on the part of an employee, like forgetting to close a portal when not using it, using weak passwords, allowing unauthorised access to information and, most commonly, forgetting a mobile in a cab, can cost a company millions in revenue. It can also undo years of hard work spent building a market reputation or a strategy.
The only solution is constant training and the creation of awareness about the risk that careless behaviour carries. Making compliance stronger and more strictly enforceable helps here, as does creating clear policies on what is mandatory, at any cost. Once clear-cut guidelines are in place, screening is easier, and even re-screening is no longer such a cumbersome task.
All access levels need to be defined, especially for business-critical systems and data. Strong encryption tools need to be in place, and authentication needs to be an exercise that cannot be compromised or bypassed. The use of unwanted devices, sites and applications needs to be regulated as well. Constant cyber security awareness training needs to be in place, so employees understand the impact of even a single wrong click that opens a malware-laden site. Opening unauthenticated sites, sharing passwords, carrying sensitive information in unencrypted form: everything needs to be regulated, and the employees made aware of the risk, over and over again!
2. Mobility-Led Risks: The Right Tools in Place
While enterprise mobility cannot be avoided in almost any enterprise, it is one of the leading causes of data theft and loss. Studies indicate that almost 68% of all global organisations have faced a security threat from employee-owned mobile devices.
Every enterprise needs to have tools in place to prevent this risk from escalating into a full outage. Again, a clearly defined BYOD policy is a critical part of this plan. Monitoring personally owned devices and encrypting data before it is accessed are processes that should be strictly enforced. Security solutions for isolating corporate data and encrypting it are available, and should be used.
3. Disgruntled Employees: Screening and Re-screening Would Help
While employee background screening is almost mandatory for every organisation, sometimes it is just not enough. In many cases, crucial facts about an employee can be missed. In addition, a dissatisfied or frustrated employee is also a threat, especially one who knows it will be easy to walk away without anyone identifying him or her as the cause of a breach. They will have the satisfaction of causing harm to the company!
For this kind of attitude, a single screening at hiring may not be enough; follow-up screenings and regular re-screening are required. Companies that do not insist on re-screening at regular intervals expose themselves to threats of all kinds. A regular follow-up on every employee's background is an exercise that could detect a malignant element within the company's workforce, and it could be the early warning needed to step up security or deal with the problem right away.
4. Train and Update, Constantly
Tools and applications for IT security, as with other technologies, are innovating at a rapidly growing pace. Every single threat adds another step to what is known about risk, and each one should be documented and shared.
Every enterprise should keep abreast of these innovations and ensure all employees are trained on a constant basis. By maintaining an updated list of risky behaviours, and of the circumstances that lead to a breach, a training manual can be created. Employees need to be regularly trained on what to be cautious about and how to handle a threat. Clearly articulating the ground rules and elaborating on the consequences will certainly create a culture of security awareness in any enterprise.
While constantly evolving security technologies are creating updated tools to fight IT security threats, a single wrong action by an employee can undo the best of guards and checks. Every enterprise needs updated information on these tools, and needs to ensure every employee knows how NOT to be a risk. Education, training and awareness about risky behaviour are essential.
Also essential is a policy that makes this awareness mandatory, these rules completely enforceable, and the training a part of the corporate culture. While technology and tools can provide the ammunition to prevent breaches, the human element needs enterprise focus as well!