Who’s Responsible for IT Security Breaches?
The short answer is, YOU. Well, maybe not all the time; but according to a 2006 study by the Computing Technology Industry Association, 60% of all data breaches were the result of human error. I know, you spent gobs of money on firewalls, spam filters and anti-malware programs (against viruses, worms, Trojans, spyware, adware, etc.), but the fact of the matter is that even the best security technology is only as good as the people who are using it.
The Danger of Great Technology
During the 1990s, the United States gutted its human intelligence capability. Why? Because we had great technology: satellites that could read a newspaper headline from orbit, as well as eavesdropping and other technologies that convinced the administration that we could forego the expense and danger of sending people to gather intelligence. It didn’t take too long to see the problems with this approach as consequence followed consequence. The same concept applies to Internet security technology.
It is very easy to become complacent behind your firewall, to take it for granted that the good folks at Symantec will protect you. Don’t think these technologies have no place—they certainly do—and don’t imagine that your investment is wasted. You need the firewall as well as the anti-malware software, but that is merely the first step. It is the least you can do, like relying on satellites to catch terrorists. In fact, the very same lesson learned about the need for human intelligence applies here as well: you need your people on the ground doing their part to maintain security.
On Being Human
Human beings make mistakes. It happens all the time and it’s not likely to change. Your employees will make mistakes, not from malice or stupidity, but simply from being human. For example, an employee might fall for a phishing scam. Take a look at the following screen shot:
Looks legitimate, right? It isn’t. It is a phishing scam set up to make the victim think it is eBay’s log-in page for conflict resolution. If the victim were to log in, they would open themselves—and probably your company network as well—to data theft and all sorts of other mischief. Of course, phishing and other Internet scams are not the only threats your company might face. Others include people coming on premises to steal information, bogus requests for information arriving through the e-mail system, threats to wireless local area networks—especially to laptops being used by business travelers—and the possibility of data loss through physical theft. This is why training and education are so important.
Five Best Practices
In its most recent white paper on the subject, “The People Problem: Five Best Practices for Mitigating Human Factors in IT Security,” TraceSecurity, a Louisiana-based provider of security compliance and risk management solutions, identified five best practices that should be implemented to decrease the possibility of human error resulting in a damaging IT breach. By following these practices, the authors hold, security will be increased and the company’s exposure to legal liability in case of a breach will be minimized, since the company will be able to demonstrate that it took all possible measures to protect the sensitive data for which current regulations make it responsible. These best practices are:
- Defining appropriate policies and procedures governing employee behavior with regard to information security.
- Educating employees about the policies and procedures relevant to them.
- Verifying their understanding of relevant policies and procedures.
- Discovering and addressing behavioral shortcomings.
- Managing change over time including changes in staff, changes in the IT environment, and changes in the present threat.
Defining Appropriate Policies and Procedures
Proper workplace behavior is the result of a combination of policy and procedure. The policy states the goals of the company while the procedure addresses how those goals are to be reached. The key here is to develop a list of the desirable behaviors you want to engender in your employees, such as restricting access to personal e-mail to minimize viral threats, and then to develop clear and consistent policies and procedures that support those behaviors.
Educating Employees
A well-educated and security-conscious employee is your best defense against an IT breach. A general employee handbook is fine, as far as it goes, but it is really not reasonable to expect all employees to know every rule and regulation—especially those that do not necessarily pertain to them. A better approach is to concentrate their education on those topics that are specific to their job functions. This reduces the amount of material they have to wade through to find the rules that cover them, and it also makes for a better use of training time.
Verification of Understanding
Once an employee has been trained, it is necessary to verify that they understand what they have learned. Testing and retraining, where appropriate, should be implemented to make sure that everyone is up to date on the latest information. This will help ensure compliance with regulatory standards. Testing can be oral, written, online or practical, with actual penetration attempts made by company operatives who then evaluate the performance of the employee(s) being tested.
Discovering and Addressing Behavioral Shortcomings
It is up to you to figure out why people are making mistakes. Is there a gap between policy and procedure? Does the employee understand that they are creating a problem, or is it something else? To handle this, you have to have a system in place for discovering and then fixing such problems. It should first check the employee’s understanding and, if that is lacking, take steps to eliminate the threat exposure while retraining the employee. Of course, if the behavior is malicious in some way, that is a different story.
Managing Change
The one true constant in the world is change. How you manage that change, within your business or without, will determine to a great degree whether that change is harmful or beneficial. Change in business is often accompanied by uncertainty and turmoil within the changing organization. This can leave you vulnerable to an IT breach unless you update your policies and procedures to compensate. Determine how the change affects your IT security and respond accordingly. Is there a new threat you are unprepared for? Research it and find a solution. Are you losing a key person? What do you have to do to make sure that things run smoothly until a replacement is found? The key is to try to figure all this out beforehand.
After some research into the connection between human error and IT security threats, you may find that much of what is in these five best practices requires a level of expertise that you don’t have. Don’t let this deter you. Finding expert help now can save you a great deal of trouble later and prove to be far less expensive in the long run.
But why would you need to implement all of this now? The short answer is that disaster has not yet befallen you, so you still have a chance to prepare. Some companies are not so lucky. Aside from that, there are three other good reasons:
- It is a regulatory necessity. By using best practices in this area, you not only mitigate risk, you mitigate any potential legal liability arising from an IT breach that you might face.
- It is a smarter way to spend your money. Since all the money you spend on computer security technology only takes you halfway, it makes sense to cover the remaining exposure, and that is done by dealing with human factors. In fact, by dealing with those issues, you may well be able to cut down the money you spend on IT security technology.
- Affordability. Initiatives such as these can be very affordable, but they do require vigorous management backing and buy-in from the entire staff. In addition, human factor mitigation can be implemented step by step rather than all at once, which spreads out the cost and makes the new rules easier to adopt.
According to the FBI’s Computer Crime and Security Survey, the average cost of an attack originating from outside an organization is $57,000. The average cost of an attack coming from within an organization is $2.7 million. Isn’t it worth looking into for your business?