BreachExchange mailing list archives

Employees are the Missing Piece of the Security Puzzle


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 30 Jan 2015 18:55:58 -0700

http://www.infosecurity-magazine.com/opinions/employees-missing-piece-security/

Companies spend a significant amount of their IT budget on security
systems, from firewalls to data loss prevention (DLP). None of these will
be successful unless people adhere to them, yet a survey found that almost
a quarter of employees believe data security is not their responsibility.
Many behave in ways that heighten the risk of data loss, whether knowingly
or accidentally, innocently or maliciously.

To ensure corporate security is maintained, organizations need to develop a
security-conscious culture in which employees adhere to policies and
procedures. The list of considerations will differ for each organization.
For some, the risk is primarily the loss of sensitive corporate data,
whereas for those developing innovative new products commercial espionage
is a concern. There are also ever-stricter statutory compliance and
governance obligations, such as the Sarbanes-Oxley Act and the Payment
Services Directive.

It is essential to define security policy and obtain employee buy-in and
commitment before looking for technical solutions. Users need to understand
why security is important and the consequences of getting it wrong. They
are much more likely to comply if they understand the risks rather than
simply seeing security as a set of annoying rules which prevent them
working as they wish.

Security policy should be enforceable, realistic, acceptable to users and
not violate personal privacy laws. There should be no ambiguity and
everyone should be clear on exactly what is and is not allowed, as well as
the penalties for policy violations.

Being realistic means understanding and taking account of employee
behaviour. In many instances an increasingly technically aware user
population is simply configuring its own remote and email access outside
corporate IT security guidelines, or bringing personal devices into the
office and connecting them to the corporate network. These devices can then
potentially be used to store sensitive corporate information. IT teams need
to acknowledge this and define their policy to handle this situation. They
should also encourage users to come to them for advice on using personal
devices. A combination of stick and carrot is the most effective solution.

User education is essential. For example, a key control that may be used to
protect data is disabling the use of USBs or other mobile storage devices.
This usually proves to be an unpopular decision and so user education and
awareness training must be an important part of implementing this control.

It is also vital to obtain board level commitment. Too often we see that
the implementation and management of information security is left to the IT
department. Security policy needs board level commitment before
implementation, executive sponsorship during implementation and user
education at all levels to ensure everyone understands what they need to do
and the penalties for policy violations. These penalties should be equally
applicable at all levels of the organization. If the MD wants to connect a
new tablet to the corporate network, this must be done in accordance with
corporate security policy, and be subject to the appropriate penalties for
any non-compliance.

Implementing security policy also means obtaining commitment from the
various data owners within the organization, who should be responsible for
managing and keeping their data safe once the security solutions have been
implemented. They can use DLP tools, for example, to define granular and
specific policy and reporting requirements appropriate to their needs.
Typically the security problems we see occur where users are allowed to
store data on their own machines. Data owners should also be given
responsibility for ensuring that data is consolidated in a central network
location, as DLP works best when data is organized and structured.

Another area where employees can threaten corporate security is their use
of passwords. Today we need to access an increasing number of systems, many
of which are no longer hosted internally, with more authentication
requirements and multiple and more complex passwords. The result can be
passwords on post-it notes, users reusing the same passwords, or avoiding
logging out. Most organizations have implemented policies to try to
eliminate this type of behaviour, but it still persists, leading to
increased security and compliance risks.

One solution is single sign-on, which can be provided through the cloud and
used to authenticate against almost all IT services available today. It
provides a central account or identity and provisions this into target
systems, such as Active Directory and SAP. This manages user authentication
and entitlement (depending on their role), compliance and provides user
self-service. Adding the cloud enables single sign-on to web services and
access to on-premise applications from any location, and enables the system
to act as an IDP for cloud/extranet services and SAML. The result is
enhanced application security and improved compliance, as well as reducing
the number of service desk calls for lost passwords.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
