


human error

THE FINGER OF BLAME

Employees are a company's greatest asset. Businesses say so emphatically. But sometimes those same employees are the ones who spark a data breach, albeit unwittingly, through careless actions - or a lack of planning on the part of their bosses.

It's generally acknowledged, with real passion and sincerity, that employees are a company's greatest asset. Indeed, without the know-how, dedication and commitment of the workforce, no organisation is going to be successful. And yet this is a double-edged sword, because in security those same people can also be the weakest point.

"To combat this, organisations need to take a two-pronged approach to mitigating human error and ensuring security systems and protocols are up to scratch," says Rob Norris, director of enterprise and cyber security in EMEIA at Fujitsu. "Human error accounts for a large percentage of data breaches, whether that is falling victim to outside attacks exploiting the human interest factor or an inadvertent mistake.

"It is this type of 'shadow IT' activity that poses significant risk to an organisation's data, and highlights the crucial necessity for staff training and creating awareness of technology and how to use it. Unfortunately, controls do not stop everything, so employees should think when they receive emails: 'Was I expecting this? Who is it from? Is it trusted or not trusted? Have I received something like this from the company before?'"

From a technical perspective, regulating what can be seen by whom, and from where, with strong role-based access controls, and building different levels of access to different parts of the company's data, is a good place to start, he argues. "This way, businesses can also monitor who is trying to access data that isn't relevant to them, highlighting their potentially malicious intentions, particularly if those logs are recorded in a central SIEM platform."
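The combination Norris describes, role-based access decisions that also consider where the request comes from, every decision written as a log event, and the SIEM side then looking for users who keep bumping into data outside their role, is shown below as an added example. It is not code from the article or from Fujitsu; the roles, data classes, network zones, users and the request stream are all constructed for the illustration, and the "three distinct denied data classes" threshold is an assumed tuning value.

```python
"""Role-based access control with SIEM-style audit events and a simple
detector for users probing data outside their role.

This is an added illustration, not code from the article or from Fujitsu.
The roles, data classes, network zones, users and requests are constructed.
"""
import json
from collections import defaultdict

# Constructed policy: what each role may do with each data class.
# Anything not listed is denied by default.
POLICY = {
    "sales":    {"crm": "read", "pricing": "read"},
    "finance":  {"pricing": "read", "payroll": "read", "ledger": "write"},
    "hr":       {"payroll": "read", "personnel": "write"},
    "engineer": {"source": "write", "crm": "read"},
}
LEVELS = {"none": 0, "read": 1, "write": 2}   # "write" implies "read"
RESTRICTED = {"payroll", "personnel"}          # only reachable from the office network
USERS = {"alice": "sales", "bob": "finance", "carol": "hr", "dave": "engineer"}


def authorise(user, data_class, action, source_net):
    """Decide who may see what, and from where. Returns (allowed, reason)."""
    role = USERS.get(user)
    if role is None:
        return False, "unknown user"
    if data_class in RESTRICTED and source_net != "office":
        return False, f"{data_class} is not reachable from {source_net}"
    granted = POLICY[role].get(data_class, "none")
    if LEVELS[granted] >= LEVELS[action]:
        return True, f"role {role} has {granted} on {data_class}"
    return False, f"role {role} has no {action} on {data_class}"


def audit_event(user, data_class, action, source_net):
    """Evaluate one request and return the JSON line to ship to the SIEM."""
    allowed, reason = authorise(user, data_class, action, source_net)
    return json.dumps({
        "user": user, "data_class": data_class, "action": action,
        "source_net": source_net,
        "decision": "allow" if allowed else "deny", "reason": reason,
    })


def out_of_scope_users(log_lines, threshold=3):
    """Flag users denied on at least `threshold` distinct data classes.

    A single denial is usually a mistake; repeated denials across unrelated
    data classes look like someone probing for what they can reach.
    """
    denied = defaultdict(set)
    for line in log_lines:
        event = json.loads(line)
        if event["decision"] == "deny":
            denied[event["user"]].add(event["data_class"])
    return sorted(u for u, classes in denied.items() if len(classes) >= threshold)


# Constructed request stream: alice (sales) wanders across finance and
# engineering data; bob trips the network rule once; dave stays in scope.
REQUESTS = [
    ("alice", "crm", "read", "office"),
    ("alice", "payroll", "read", "office"),
    ("alice", "ledger", "read", "vpn"),
    ("alice", "source", "read", "office"),
    ("bob", "ledger", "write", "office"),
    ("bob", "payroll", "read", "vpn"),
    ("dave", "source", "write", "vpn"),
]


def run_demo():
    """Return (audit log lines, flagged users) for the constructed requests."""
    log = [audit_event(*request) for request in REQUESTS]
    return log, out_of_scope_users(log)


if __name__ == "__main__":
    log, flagged = run_demo()
    print("\n".join(log))
    print("flagged:", flagged)
```

Two design points matter here. The deny-by-default lookup means a new data class is invisible to every role until someone writes a rule for it, which is the least-privilege default Norris is asking for. And the detector keys on distinct data classes rather than raw denial counts, so one user fat-fingering the same report ten times is not confused with a user walking through payroll, the ledger and source control in turn.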
Norris advises that organisations should also look to encrypt their data where possible and "perform regular vulnerability scans of their internal network to understand what vulnerabilities exist".

IAM FACTOR

Wendy Nather, principal security strategist at Duo Security, argues that, in a real way, identity and access management (IAM) is the embodiment of how the business uses information technology. "It encompasses the stakeholders, the actors, their roles and even their values. The IAM system has to reflect and support all of these, so it's important to start by understanding them. This isn't easy. There are unwritten assumptions everywhere. Who owns the data and who is the steward? The answers determine who must give permission for access and what information they will rely upon to make those decisions. Who vouches for the identity of each person using the system, whether it's an employee, a partner, a student, a citizen or a customer?

"The issues get more complicated whenever one person plays multiple roles: for example, in the moment that a doctor becomes a patient herself, the identity and access rules change, because, under regulations such as HIPAA, the nature of her own data changes."

As a user base grows, the trend in IAM is to push these business decisions out as close as possible to the key decision makers, rather than keeping them centralised in IT administration, she adds. "Self-enrolment and re-certification ease the friction for people who just want to make their purchases or get their work done. Federation can also reduce the burden, but, at some point, those data stewards who are legally responsible for its protection must still have the final say on access."

18 computing security March/April 2017 @CSMagAndAwards

To increase your organisation's maturity in IAM, look to business process engineering, Nather advises, and make sure to involve legal, compliance, privacy and fraud department input. "The most mature IAM set-ups recognise that business rules change and the IAM system itself must remain agile to reflect that change."

KNOWLEDGE BLOCK

Returning to education, any such programme needs more than tacit support from the board, and its policies must be integrated seamlessly into employees' normal work patterns. "Boards have become cyber security savvy, but there's more to do," states Graham Mann, MD of Encode Group UK. "There are still too few board members, whether executive or non-executive, with sufficient knowledge of cyber security. This negatively impacts the bi-directional communication channels that are vital to ensure the successful organisation-wide implementation of a security strategy."

Cyber security has to become ubiquitous throughout every aspect of the organisation, he adds. "In conjunction with education, we have to accept that security is the responsibility of everyone, not just a few professional security or ICT staff. Data owners have to accept responsibility for managing, tracking and protecting their data; in short, there has to be a data strategy.

"Security issues like weak passwords are important, but so is phishing, which is a massive problem and is a precursor to a large number of damaging cyber attacks. Unrestricted file access and uncontrolled distribution of data are also major problems. However, all these issues can only be resolved as part of a much broader, homogenous approach to security. Human failure is a problem that's not going to be eradicated, but organisations can mitigate the issues caused by implementing 'supportive' software solutions. Such solutions can significantly reduce the human vulnerability," says Mann.
"The information security and/or ICT team(s) should become a centre of excellence for the provision of expert advice and services to the operating or business units. In addition, the legal, compliance, audit and HR departments are also critical to any organisation's security posture. Security, both physical and logical, needs a joined-up strategy that involves the entire organisation."

Rob Norris, Fujitsu: organisations should also look to encrypt their data where possible.

POOR PASSWORD CHOICE

According to Brian Chappell, director of technical services EMEAI & APAC at BeyondTrust, while people are the absolute core strength of organisations, they are also still the most likely weakness in IT security. "This is the result of poor choices for passwords, often for critical access into sensitive systems," he says. "There's a general malaise around the use of passwords, often being considered as bothersome, especially when we are forced to construct complex passwords and change them regularly. The habitual use of 'ComplexPassword1', 'ComplexPassword2' etc is still common. We still see the same well-known passwords also being used, the key being that these choices are easier for people to remember. Pass-phrases offer better protection and are easier to manage. 'I like 2 play golf.' satisfies most password requirements, with a capital letter, a number and a symbol as well as length. It's far easier to remember than '2UKTQLLLTGsL+mvJDdkQRqmi'."

Good IT security is achieved through layers. Passwords are one layer and should only provide access to a standard user account, never directly to any account with privilege. "By using passwords as that initial access layer, you reduce the risk attached to them," adds Chappell. "By using pass-phrases, they need to be rotated less frequently, enabling people to use good, unique passwords without dropping an ever-incrementing digit on the end of them."
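Chappell's two complaints, the 'ComplexPassword1' to 'ComplexPassword2' rotation habit and the reuse of well-known passwords, are both things a password-change check can catch, and a check that accepts a pass-phrase on length rather than forcing symbols is what lets 'I like 2 play golf.' through. The Python below is an added example, not code from the article or from BeyondTrust: the length and word-count thresholds are assumed policy values, and the denylist is a constructed stand-in for the breach-derived lists real deployments use.

```python
"""Password checks that reward pass-phrases and catch the
'ComplexPassword1' -> 'ComplexPassword2' rotation habit.

This is an added illustration, not code from the article or from
BeyondTrust. The thresholds and the small denylist are constructed; a real
deployment would check against a breach-derived list of millions of entries.
"""
import re

COMMON_PASSWORDS = {  # constructed stand-in for a breach-derived denylist
    "password", "password1", "qwerty", "123456", "letmein", "welcome1",
}
MIN_PASSWORD_LEN = 12      # constructed policy thresholds
MIN_PASSPHRASE_LEN = 16
MIN_PASSPHRASE_WORDS = 4


def character_classes(secret):
    """Number of distinct classes present: lower, upper, digit, other."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(test(c) for c in secret) for test in tests)


def is_trivial_rotation(previous, candidate):
    """True when the candidate is the old password with cosmetic changes:
    a case flip, a bolted-on suffix or prefix, or only its digits altered."""
    if not previous:
        return False
    old, new = previous.lower(), candidate.lower()
    if old in new or new in old:
        return True
    digitless = lambda s: re.sub(r"\d+", "", s)
    return digitless(old) != "" and digitless(old) == digitless(new)


def check_password(candidate, previous=None):
    """Return the list of reasons a candidate fails; an empty list means accept.

    A pass-phrase (several words, long enough) is accepted on length alone;
    anything shorter must meet the traditional character-class rule. Both
    are still subject to the denylist and the rotation check.
    """
    failures = []
    if candidate.lower() in COMMON_PASSWORDS:
        failures.append("on the well-known password denylist")
    if is_trivial_rotation(previous, candidate):
        failures.append("trivial variation of the previous password")
    is_passphrase = (len(candidate) >= MIN_PASSPHRASE_LEN
                     and len(candidate.split()) >= MIN_PASSPHRASE_WORDS)
    if not is_passphrase:
        if len(candidate) < MIN_PASSWORD_LEN:
            failures.append(f"shorter than {MIN_PASSWORD_LEN} characters and not a pass-phrase")
        if character_classes(candidate) < 3:
            failures.append("fewer than three character classes and not a pass-phrase")
    return failures


if __name__ == "__main__":
    for candidate, previous in [
        ("I like 2 play golf.", None),
        ("2UKTQLLLTGsL+mvJDdkQRqmi", None),
        ("ComplexPassword1", None),
        ("ComplexPassword2", "ComplexPassword1"),
        ("Password1", None),
    ]:
        print(f"{candidate!r:30} -> {check_password(candidate, previous) or 'accepted'}")
```

Note what the traditional rule alone gets wrong: 'ComplexPassword1' passes it cleanly, which is exactly why people settle on that pattern. It is the rotation check, comparing the candidate to the previous password with digits stripped and case folded, that refuses the 'ComplexPassword2' follow-up, and the denylist that refuses 'Password1' even though it has three character classes. The rotation check needs the previous password (or a comparable hash scheme) at change time, which is a feature of the password-change flow, not of the stored hash.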
Wendy Nather, Duo Security: make sure to involve legal, compliance, privacy and fraud department input.