BreachExchange mailing list archives

Why you are probably an accidental hacker


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 12 May 2015 19:53:30 -0600

http://www.information-age.com/technology/security/123459476/why-you-are-probably-accidental-hacker

We’re an ingenious species, able to think laterally to solve the most
complex of problems. Yet that tenacity is often at odds with working
practices.

In the modern enterprise, staff are encouraged to be adaptive and
innovative, to come up with creative solutions and work flexibly, only to
then find they are constrained by process and shackled by security.

Do you bend the rules to get the job done or do it by the book and risk
losing time or business? Neither is a pleasant prospect.

As employers, we like to think greater awareness over the potential fallout
of data loss and better education on data handling are seeing this
situation improve.

But the truth is that data breach statistics have shown little change over
recent years, with the number of incidents reported to the Information
Commissioner’s Office (ICO) topping the 400 mark every quarter.

The vast majority of these are down to a breach of Principle 7 of the Data
Protection Act (DPA), which states ‘appropriate technical and
organisational measures shall be taken against unauthorised or unlawful
processing of personal data and against accidental loss or destruction of,
or damage to, personal data’.

In other words, a mix of controls should be in place that make it very hard
for the user to inadvertently disclose data.

Of the 459 data breach incidents reported to the ICO in the fourth quarter
of 2014 (disclosed on 28 April 2015), 102 were down to loss or theft of
paperwork, with another 88 down to other Principle 7 failures to protect
data.

Data inadvertently posted, faxed or emailed accounted for another 127
cases. Failure to redact or censor data was placed at 23 cases. There were
ten cases where insecure disposal of paperwork was to blame, five
instances where data that shouldn't have been was uploaded to a website, and
two cases of verbal disclosure.

In fact, only 34 of the cases were said to be contraventions of Principles
1-6 or 8 of the DPA, indicating that 93% of cases were attributable to user
error.

What we’re seeing – contrary to security industry preoccupations – aren’t
data losses caused by industrial espionage but data compromise brought
about by staff, either inadvertently or by sidestepping existing process.

But before we vilify these staff for their actions, spare a thought for
their motivation. If a hacker is someone who deliberately circumvents
existing controls, then the chances are we have all been accidental
hackers at some stage.

If security controls are not proportionate they can be overly restrictive
and permissive, which can encourage users to sidestep these controls to get
the job done.

Clearly, there will be some instances where the business hasn’t got its
house in order but that fails to explain the consistency of these figures,
which indicate we are failing to keep pace with innovation and failing our
staff in the process.

This isn’t just a theory; it’s a practice that has led to the coinage of a
whole new term – shadow IT – or the use of technology within the business
outside the IT department, often without their knowledge.

Shadow IT ranges from individual users deciding to use unapproved services,
such as social media or collaborative file sharing (Yammer, Dropbox etc), to
whole departments sanctioning and even investing in technologies without
the approval of the CTO. What they both have in common is that they fly
under the radar and are therefore incredibly difficult to police.

Businesses and the IT department are going to have to adapt to these new
ways of working, which ultimately have the power to confer greater
competitive advantage.

Organisations need to re-engineer their processes and controls and make
them work better for users, so that security is adaptive to the user.
Sensitive data needs to be classified, and protected, with role-based
access used to limit exposure.

The data lifecycle needs to be mapped to ensure controlled use from
creation to destruction. There need to be clear procedures in place for
evaluating and securing new systems and working practices, with a top-down
approach to ensure the left arm knows what the right is doing.

Changing the way a business operates is a daunting prospect, so it’s best
addressed using a methodology based upon business process modelling.

Are there any pinch points or bottlenecks? These are the areas where the
user might seek to work around controls. Or are there areas where employees
are unsure of accepted practices of working? Involving staff ensures such
issues are uncovered and buys user goodwill into the bargain.

Once this business process analysis is complete, it can then be combined
with a pragmatic security strategy that applies controls where they are
needed, rather than simply taking a blanket approach.

Lastly, acknowledge and prepare for a compromise. Foster an environment of
disclosure and you’ll find staff are more open and less likely to cover up
a data loss incident, which could make the situation far worse in the long
term.

Data loss is never going to be eradicated. But we can at least prepare and
empower rather than debilitate staff with security mechanisms.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
sales () riskbasedsecurity com