Do you think all of the bad guys are sitting in smoke-filled rooms in the Chinese war ministry? Do you think your network is safe if you prevent people from getting to the Internet too openly? Ah, if only that were true. The fact of the matter is that one of your biggest vulnerabilities is sitting among you. Some are malicious and some are accidental. Some researchers believe that the percentage of incidents due to insider threats may be as high as 55%!
Long story short — the average user is a significant source of your IT and data security risk. Unfortunately, they haven’t invented the tech to fix this yet. There’s no PEBCAK firewall. There’s no keyboard-to-CPU Intrusion Protection System. All you can do is implement/enforce thoughtful policies and enter the train-assess-remediate carousel of user security awareness management. Treat it like a shared responsibility. Below are some tips to make sure you’re thinking holistically about the issue and how you and your employees can work together to make it better.
What can YOU do?
IAM — Implement a thorough Identity and Access Management (IAM) program. This means making sure that everyone who needs to get to data can get to it, and those who cannot, cannot. Classify your data. Declare your roles. Implement and automate the execution of your mapping rules. And check yourself frequently.
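One way to automate the "check yourself frequently" step, as an added example that is not part of the original post: compare a snapshot of what is actually granted against the role-to-classification mapping rules and flag anything that drifted. The classification scale, assets, roles, users and grants below are all constructed sample values, not an export from a real directory.

```python
"""Access-review check: flag grants that the IAM mapping rules do not allow.
All data here is constructed for illustration (added example, not from the post)."""

# Constructed classification scale: higher number = more sensitive.
CLASSIFICATION = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Constructed data inventory: asset -> classification label ("Classify your data").
ASSETS = {
    "intranet-wiki": "internal",
    "payroll-db": "restricted",
    "customer-crm": "confidential",
    "marketing-site": "public",
}

# Constructed mapping rules: role -> highest classification it may reach ("Declare your roles").
ROLE_CEILING = {"staff": "internal", "sales": "confidential", "hr": "restricted"}

# Constructed snapshot of what is actually granted today, e.g. pulled from a directory.
GRANTS = {
    "alice": {"role": "sales", "access": {"customer-crm", "intranet-wiki"}},
    "bob":   {"role": "staff", "access": {"intranet-wiki", "payroll-db"}},   # over-privileged
    "carol": {"role": "hr",    "access": {"payroll-db", "intranet-wiki"}},
    "dave":  {"role": "staff", "access": {"marketing-site", "legacy-share"}},  # unclassified asset
}


def find_violations(assets, role_ceiling, grants):
    """Return (user, asset, reason) for every grant outside the mapping rules.

    Two failure modes are caught: a grant above the role's classification ceiling,
    and a grant to an asset that was never classified (so no rule can cover it).
    """
    violations = []
    for user, rec in grants.items():
        ceiling_label = role_ceiling[rec["role"]]
        ceiling = CLASSIFICATION[ceiling_label]
        for asset in sorted(rec["access"]):
            label = assets.get(asset)
            if label is None:
                violations.append((user, asset, "asset not classified"))
            elif CLASSIFICATION[label] > ceiling:
                violations.append((user, asset, f"{label} exceeds role ceiling {ceiling_label}"))
    return violations


if __name__ == "__main__":
    for user, asset, reason in find_violations(ASSETS, ROLE_CEILING, GRANTS):
        print(f"REVIEW: {user} -> {asset}: {reason}")
```

Run on a schedule against a fresh export of grants, a non-empty result is the list of things to remediate (or to add to the inventory, if an asset was simply never classified).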
Rotate jobs — This is a pretty easy one. If your people are subject to the scrutiny of others doing the same job from time to time, they’re less likely to manipulate their position of power to exfiltrate data. Also, a little cross-training is always a good thing to ward off those mythical buses and lottery tickets.
Train and Reward/Punish — Insert your favorite psychological theory here. But go one way or the other. Do security awareness training regularly. Perform social engineering tests using online tools like PhishMe or PhishingBox. Those users who pass get a cookie. Or those who fail lose some of their bonus. Like I said – I’m not an expert in what motivates your people. But figure it out and use it to your advantage.
What can EMPLOYEES do?
Lock your screens — I know it’s stupid. But when I see someone walk away and leave their session unattended, it sends a shiver up my spine. Not only are you subverting the IAM process (i.e. people who shouldn’t, can now get to things you can get to), you’re also putting yourself at risk of someone taking a nefarious action on your behalf. You don’t need that headache.
Don’t be stupid with your passwords — Use Post-It Notes for their original intent – wallpapering the office of the guy who’s on vacation. Don’t use them as a sub-keyboard password vault. Don’t store passwords in a text file on your home drive. You’re not fooling anyone. Use an online password vault. Or just pick passwords with an effective mnemonic.
Author’s Note: Come to think of it, I think I’ll do a post on this topic as a whole in a few weeks.
Be vigilant — If you see something, say something. This doesn’t just apply at bus stations. If you do an overlapping job with someone else, and their methods smell funny, don’t keep it to yourself. You’re the first line of defense.
So… Long story short, we are all potential insider threats. Even the execs (especially?). It’s not optional anymore to be a security person. Information Security is not just that department that takes joy in making our lives difficult. Do your part as an employer or as an employee. Security is not easy when bolted on, but if it’s part of your expected behavior, it’s not too bad. And the rewards are vast.