By Alan Ryan, Director Security Practice, MTI Technology
Errāre hūmānum est (to err is human), and it is the human who is often the weakest link in the chain when it comes to protecting an organisation against security breaches and threats. But we are all human and we all make mistakes, so what can we do to minimise, if not eliminate, the risks associated with the "human element"?
As always, there are some simple principles that, if implemented and adhered to, would significantly reduce the potential for error:
1. A true understanding of the security policy
A documented, employee-signed security policy is not the same as an employee having read and understood the policy. So instead of hiding the policy amongst starter induction packs, it would be extremely beneficial for organisations to dedicate time to educating employees on the need for a security policy and the rationale for the measures it contains. Informed employees are far more likely to be consciously aware of the risks as they go about their daily duties and, knowing the rationale, are less likely to breach the policy.
2. On-going training and policy updates
The world of security is certainly not static, and training should not be a one-off activity for new joiners either. Organisations should consider a continuing programme of education, updating employees on new threats and breaches occurring in their sector and on current "hot" topics.
3. Deploying encryption on all corporate devices
Lost laptops and mobile devices are an extremely common area of concern, but again some simple, effective measures apply: deploy encryption on all corporate assets, and require two-factor authentication as a minimum to access the business network. Full-disk encryption protects data at rest on a lost or stolen device; it does nothing against someone who logs in with stolen credentials, which is why the second factor matters alongside it. BYOD devices that are not corporate-owned should have formal separation of private and corporate data, with remote wipe and access controls enabled. Minimising the length of time that company information is retained on these devices will also reduce the risk of information falling into the wrong hands.
4. Prioritising security risks
After the basic measures are in place, we have to look under the covers a little more at the systems themselves: access rights, privileged accounts, forced password changes, data classification and data loss prevention.
There are only so many hours in a day and only so much security budget, so some prioritisation is needed. For example, it is possible to scan the network, discover the privileged accounts and assess the risk they pose before investing in and embarking on a project that may or may not be required.
There are also solutions that examine the network and discover the interactions occurring between users, programs and data, so that organisations can review these against the security policy and see whether they are in line with it.
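The two paragraphs above describe a review rather than a product, so here is an added example, written for this article and not taken from it or from any MTI offering, of what that review looks like in code: a small Python script that takes a constructed audit-log extract of user/program/data interactions, a constructed group directory, a constructed data classification and a constructed policy table, discovers which accounts hold privileged membership, flags interactions the policy does not permit, and ranks the accounts for follow-up so that privileged ones come first. The log format, account names, group names, classification prefixes and the `svc_` service-account convention are all assumptions made for the example.

```python
"""Review who is touching what, via which program, against a simple access policy.

Added example for this article. Everything here is constructed for illustration:
the audit-log format, the group directory, the data classification and the
policy table are assumptions, not MTI's or any vendor's product.
"""
import re
from collections import Counter

# Constructed audit-log extract: one user/program/data interaction per line.
SAMPLE_LOG = """\
2024-03-04T08:02:11Z user=alice prog=excel.exe action=read data=finance/q1_forecast.xlsx
2024-03-04T08:05:42Z user=bob prog=psql action=read data=hr/salaries
2024-03-04T08:07:03Z user=svc_backup prog=robocopy.exe action=read data=finance/q1_forecast.xlsx
2024-03-04T08:09:55Z user=svc_backup prog=cmd.exe action=exec data=hr/salaries
2024-03-04T08:11:20Z user=carol prog=chrome.exe action=write data=public/intranet
2024-03-04T09:00:00Z user=dave prog=powershell.exe action=read data=hr/salaries
"""

LINE_RE = re.compile(
    r"user=(?P<user>\S+)\s+prog=(?P<prog>\S+)\s+action=(?P<action>\S+)\s+data=(?P<data>\S+)"
)

# Constructed directory export: account -> group memberships.
GROUPS = {
    "alice": {"finance", "everyone"},
    "bob": {"engineering", "everyone"},
    "carol": {"everyone"},
    "dave": {"domain admins", "everyone"},
    "svc_backup": {"backup"},
}
PRIVILEGED_GROUPS = {"domain admins", "backup"}

# Constructed data classification (by path prefix) and the groups each class permits.
CLASSIFICATION = {"finance/": "confidential", "hr/": "restricted", "public/": "public"}
POLICY = {
    "confidential": {"finance", "backup"},
    "restricted": {"hr"},
    "public": {"everyone"},
}
# Assumed naming convention: service accounts start with "svc_" and should never drive a shell.
INTERACTIVE_SHELLS = {"cmd.exe", "powershell.exe", "bash", "sh"}


def parse_log(text):
    """Extract user, prog, action and data from each log line; skip lines that do not match."""
    matches = (LINE_RE.search(line) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def classify(data):
    """Map a data path to its classification; anything unlisted is 'unclassified'."""
    for prefix, label in CLASSIFICATION.items():
        if data.startswith(prefix):
            return label
    return "unclassified"


def privileged_accounts(groups=GROUPS):
    """Discovery step: accounts holding membership of any privileged group."""
    return sorted(user for user, members in groups.items() if members & PRIVILEGED_GROUPS)


def review(events, groups=GROUPS):
    """Compare each observed interaction with the policy and return findings."""
    findings = []
    for e in events:
        user_groups = groups.get(e["user"], set())
        label = classify(e["data"])
        # Unclassified data permits no group at all, so touching it is always flagged for review.
        allowed = POLICY.get(label, set())
        if not user_groups & allowed:
            findings.append((e["user"], e["prog"], e["data"],
                             f"{label} data; user groups {sorted(user_groups)} not in {sorted(allowed)}"))
        # A service account driving an interactive shell is a person using a shared
        # privileged identity, which the policy should not permit.
        if e["user"].startswith("svc_") and e["prog"] in INTERACTIVE_SHELLS:
            findings.append((e["user"], e["prog"], e["data"], "service account used interactively"))
    return findings


def prioritise(findings, groups=GROUPS):
    """Rank accounts for follow-up: privileged accounts first, then by number of findings."""
    per_user = Counter(f[0] for f in findings)
    privileged = set(privileged_accounts(groups))
    return sorted(((u, n, u in privileged) for u, n in per_user.items()),
                  key=lambda t: (not t[2], -t[1], t[0]))


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("privileged accounts:", privileged_accounts())
    findings = review(events)
    for user, prog, data, reason in findings:
        print(f"{user:<11} {prog:<15} {data:<28} {reason}")
    print("follow-up order:", prioritise(findings))
```

Run stand-alone, it reports that `dave` and `svc_backup` are the privileged accounts, flags `bob` and the domain administrator `dave` for reading HR data their groups do not permit, flags `svc_backup` twice (HR access outside its groups, and use of `cmd.exe` from a service account), and puts `svc_backup` first in the follow-up order. That ordering is the point of the exercise: the output tells you whether a privileged-access project is needed now, and where to start if it is, before any budget is committed.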
5. Not a one-size-fits-all policy
The policy being implemented needs to be right in the first place and fit for purpose for that specific organisation. A little like training, devising a security policy is not a one-off event, and regular reviews should take place to take account of any changes that may have occurred, such as mergers and acquisitions, use of third parties, use of cloud services and any changes in legislation.
Can we ever prevent human error? Probably not, but that doesn't mean we shouldn't try.