Hardly a day goes by without news of another data breach. It's safe to say
that we live and work in risky times. But there's a growing recognition that
cybercriminals aren't the only threat—or even the primary threat to an
enterprise. "There's a far greater need to educate and train employees about
security issues and put controls and monitoring in place to increase the odds
of compliance," says John Hunt, a principal in information security at
consulting firm PwC.
It's a task that's easier said than done, particularly in an era of BYOD,
consumer technology and personal clouds. According to Jonathan Gossels,
president and CEO of security firm SystemsExperts, it's critical to construct
policies and security protections around two basic areas: malicious insiders
and those who inadvertently breach security. "The best security program in the
world can be undermined by ill-advised behavior," Gossels explains.
Construct effective policies.
Surveys indicate that many workers are not adhering to existing policies. In
some cases, they simply disregard them. "The thing that you have to keep
in mind," notes Hunt, "is that policies must be clear, understandable
and not interfere with the ability of people to get their work done." If
an organization is struggling with non-compliance and shadow IT, then it may be
time to reexamine policies, as well as the underlying systems and tools the
enterprise has in place. "Many organizations have older policies that
don't take into account today's tech tools, such as iPads and other portable
devices," says Hunt. The policies should also extend to contract workers and
freelancers, he notes.
Educate and train employees.
One of the biggest problems, says Gossels, is weak passwords and workers
sharing passwords. He recommends educating employees about the use of strong
passwords. It's also essential to teach employees about increasingly
sophisticated phishing techniques. Even executives, including CEOs, make the
mistake of clicking bad links. "When you receive an e-mail from the Better
Business Bureau or a fax that looks legitimate, it's very easy in the rush of
the moment to click it," says Gossels. It's critical that employees learn to
hover over links to see where they actually lead before clicking. Some
organizations also use simulated phishing and spear phishing attacks to
identify careless workers. Finally, employees must understand the risks of
using personal clouds, USB drives, and other media to share and store sensitive
data.
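The "hover over the link" habit works because the text a user sees and the
address the link really opens are two different things. The following Python
is an added example, not code from the article or from PwC or SystemsExperts:
it automates the hover by pulling every anchor out of an HTML message and
flagging those whose visible text looks like a URL or domain on a different
host than the real `href`. The sample message is constructed for this demo
and its domains are placeholders.

```python
"""Flag e-mail links whose visible text disagrees with their real target.

Added example, not part of the original article. It automates what hovering
over a link shows a reader: the href behind the displayed text. The message
below is constructed for this demo; the domains are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: styled as a Better Business Bureau notice, but the
# first link's visible text and its real href point at different hosts.
SAMPLE_EMAIL_HTML = """
<p>A complaint has been filed against your business.</p>
<p>Review it at <a href="http://bbb-complaints.example.net/case/4471">
https://www.bbb.org/complaint/4471</a> within 48 hours.</p>
<p>Questions? See <a href="https://www.bbb.org/faq">our FAQ</a>.</p>
<p>Unsubscribe: <a href="https://tracker.example.com/u?x=1">tracker.example.com</a></p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # href of the anchor currently open, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lowercase host of a URL or bare domain, or '' if none can be parsed."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def _looks_like_url(text):
    """True when the visible text itself names a URL or domain."""
    return "://" in text or ("." in text and " " not in text)


def find_mismatched_links(html):
    """Return (href, visible_text) for anchors whose text names a URL or
    domain on a different host than the href actually opens.

    Descriptive link text such as "our FAQ" names no host and is skipped;
    only text that a reader would take as the destination is compared.
    """
    parser = _AnchorCollector()
    parser.feed(html)
    mismatches = []
    for href, text in parser.anchors:
        if not _looks_like_url(text):
            continue
        if _host(text) != _host(href):
            mismatches.append((href, text))
    return mismatches


if __name__ == "__main__":
    for href, text in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"SUSPICIOUS: shows {text!r} but opens {href}")
```

The check is deliberately narrow: it only compares hosts, so a link whose text
says `https://www.bbb.org/...` but opens `bbb-complaints.example.net` is
flagged, while an anchor whose text matches its target is not. A mail gateway
would add further rules (URL shorteners, lookalike domains, and so on); this
mismatch alone is already the single thing the hover teaches a user to spot.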
Develop controls that match policies.
It's one thing to introduce a collection of security policies; it's another to
build controls that effectively enforce them. According to Gossels, any time an
organization introduces a policy, it should also consider how to build in
technical controls, preferably automated ones. "The less you leave things
to humans and chance, the better off you will be," he says. That means
using mobile device management and media asset management tools, two-step
verification, encryption, endpoint security, and other security measures. It
also means looking for so-called low-and-slow attacks, which spread a small
amount of activity over a long period so that no single event trips an alert.
But, more than anything else, it means mapping threats to policies and
security systems, and ensuring that tools are in place to wipe lost or stolen
smartphones and tablets when necessary. Hunt adds that it's crucial to
consider, when adopting a policy, how long it will take to build the matching
controls. He often sees companies lagging by nine to 12 months or more.
Monitor activity and access from all endpoints.
There's a growing focus on monitoring the network and endpoints for unusual
activity and odd behavior, Hunt explains. "If you detect activity that
doesn't fit the norm of a person's role, then it's a good idea to take a closer
look at the situation," he points out. In fact, even if an organization embeds
role-based policies and controls in its IT systems—something that's generally
viewed as a best practice—it's wise to monitor activity and look for anomalies,
since a control only blocks what it was configured to block. Networks and
systems are particularly vulnerable during mergers and acquisitions and during
transitions to different or new systems, when roles, accounts, and baselines
are all in flux.
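What "activity that doesn't fit the norm of a person's role" means in
practice is a baseline per role and a comparison of each new event against
it. The following Python is an added example, not code from the article or
from PwC or SystemsExperts. It builds, from a history window, which resources
each role touches, during which hours, and how many events a single user
generates per day, then reports new events that fall outside that baseline.
The log lines and their `timestamp user role resource action` format are
constructed for this demo, as is the 3x volume factor.

```python
"""Flag endpoint/application activity that doesn't fit a user's role.

Added example, not code from the article or the firms it quotes. The log
lines below are constructed for this demo; their format is assumed to be
"timestamp user role resource action". Three rules are applied: a resource
the role has never touched, an hour outside the role's observed range, and a
daily event count far above the role's observed peak.
"""
from collections import defaultdict

# Constructed history window used to learn per-role norms.
BASELINE_LOGS = [
    "2024-03-04T09:02:11Z alice sales crm read",
    "2024-03-04T09:40:51Z alice sales crm read",
    "2024-03-04T10:15:02Z bob sales crm read",
    "2024-03-04T11:05:30Z bob sales quotes write",
    "2024-03-04T09:30:00Z carol finance ledger read",
    "2024-03-04T14:12:45Z carol finance payroll read",
    "2024-03-05T09:10:00Z alice sales quotes write",
    "2024-03-05T13:45:12Z bob sales crm read",
    "2024-03-05T10:00:00Z carol finance ledger write",
]

# Constructed new window to evaluate against the baseline.
NEW_LOGS = [
    "2024-03-06T09:05:00Z alice sales crm read",
    "2024-03-06T02:14:09Z bob sales payroll read",
    "2024-03-06T09:20:00Z carol finance ledger read",
    "2024-03-06T09:21:00Z carol finance ledger read",
    "2024-03-06T09:22:00Z carol finance ledger read",
    "2024-03-06T09:23:00Z carol finance payroll read",
    "2024-03-06T09:24:00Z carol finance ledger read",
    "2024-03-06T09:25:00Z carol finance ledger read",
    "2024-03-06T09:26:00Z carol finance payroll read",
]


def parse(line):
    """Split one assumed-format log line into a dict with day and hour."""
    ts, user, role, resource, action = line.split()
    return {"ts": ts, "day": ts[:10], "hour": int(ts[11:13]),
            "user": user, "role": role, "resource": resource, "action": action}


def build_baseline(lines):
    """Per role: resources seen, (min, max) hour seen, and the peak number of
    events any one user of that role produced in a single day."""
    resources = defaultdict(set)
    hours = defaultdict(list)
    daily = defaultdict(int)            # (role, user, day) -> event count
    for e in map(parse, lines):
        resources[e["role"]].add(e["resource"])
        hours[e["role"]].append(e["hour"])
        daily[(e["role"], e["user"], e["day"])] += 1
    peak = defaultdict(int)
    for (role, _user, _day), n in daily.items():
        peak[role] = max(peak[role], n)
    return {role: {"resources": resources[role],
                   "hours": (min(hours[role]), max(hours[role])),
                   "peak_daily": peak[role]} for role in resources}


def detect_anomalies(baseline, lines, volume_factor=3):
    """Return (user, reason, timestamp) for each event outside the role norm.
    The volume rule fires once per user per day, on that day's first event."""
    events = list(map(parse, lines))
    daily = defaultdict(int)
    for e in events:
        daily[(e["user"], e["day"])] += 1
    findings, volume_reported = [], set()
    for e in events:
        prof = baseline.get(e["role"])
        if prof is None:
            findings.append((e["user"], f"unknown role {e['role']}", e["ts"]))
            continue
        if e["resource"] not in prof["resources"]:
            findings.append((e["user"], f"off-role resource {e['resource']}", e["ts"]))
        lo, hi = prof["hours"]
        if not lo <= e["hour"] <= hi:
            findings.append((e["user"], f"off-hours activity at {e['hour']:02d}:00", e["ts"]))
        key = (e["user"], e["day"])
        if daily[key] > volume_factor * prof["peak_daily"] and key not in volume_reported:
            volume_reported.add(key)
            findings.append((e["user"],
                             f"{daily[key]} events on {e['day']} vs role peak {prof['peak_daily']}",
                             e["ts"]))
    return findings


if __name__ == "__main__":
    for user, reason, ts in detect_anomalies(build_baseline(BASELINE_LOGS), NEW_LOGS):
        print(f"{ts} {user}: {reason}")
```

On the sample data, bob is flagged twice (a payroll read that no sales user
has ever made, at 02:00 when the role's baseline runs 09:00 to 13:00) and carol
once for seven events in a day against a role peak of two. Note what the
volume rule does not catch: a low-and-slow insider who stays under the daily
threshold, which is exactly why the off-role resource rule, which needs only
one event, matters more than any count.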