By Malcolm Harkins of Cylance
The security perimeters of the past just aren’t cutting it anymore. Just look at the high-profile national security breaches by insiders like Edward Snowden and Chelsea Manning. Insider threats like these have become a considerably more prominent issue in the past few years. And you only need to look so far as your organization’s favorite coffee shop or the connected devices in every home to see how easy it could be to accidentally share confidential or proprietary information to prying eyes and ears.
In the past, we could rely on technology to protect confidential information and the workforce. But more and more users bypass these security measures, and these problems will only expand as the internet of things continues to grow. You can no longer expect your workforce to refrain from interacting with the world outside of your organization’s security precautions. If controls hinder employees’ activity, they can stifle business innovation altogether. In turn, employees may react to this control friction by bypassing the controls whenever possible and, as a result, could end up creating new risks.
But these changes don’t mean you should just throw in the towel on security. Instead, your employees are now another line of defense for your confidential information. Their decisions can have as much impact on security as the technical controls we use. It’s time to take a new approach to information security and view people as the new security perimeter.
Creating A More Secure Workforce
So how can you make sure that your people practice sound security practices?
1. Deter. Start by building security awareness and instilling a culture of commitment by creating a great place to work. If you do this, your employees are less likely to become disgruntled and will, in turn, not want to harm the company. Train employees on security awareness, such as locking and encrypting their systems, choosing safe passwords and only sharing confidential information with those who need to know. You should also let people know you’re monitoring their activity. Showing users their activity reports can help involve them in the effort to protect the business, and it also lets potentially malicious insiders know they’re being watched.
2. Detect. Once you’ve created a committed workforce, you can trust that they will tell you if they see something suspicious. Train your workforce to report when they see something suspicious and to hold each other accountable. You should also utilize user behavior analytics tools, as they have become increasingly effective at finding irregularities in access permissions and user activity, as well as recognizing whether users’ actions merit investigation. You could also form a team that focuses on insider threats and investigations. This team should operate as a cross-functional team with involvement from human resources, legal, physical security and information security groups.
3. Discipline. Of course, taking precautions doesn’t always prevent insider incidents from occurring. When one does occur, there are different actions that you should take, depending on the intent and the impact. If it’s an honest mistake without a big impact, conducting immediate remedial training may be the best remedy. If the impact was low, and the incident seems more like an error of judgment than a malicious act, a less heavy-handed approach may be appropriate, such as a written warning or a comment in the person’s performance review. If the intent is clearly malicious, or the impact is significant, consider the options of termination and even engaging law enforcement.
At the company I was working for a few years ago, a senior manager kept leaving his laptop unattended in the cafeteria at lunchtime. After talking to him about it a few times, I started taking his laptop and leaving my business card in its place, much to his frustration. He didn’t see how his leaving the laptop unattended was a security risk, so I told him he was welcome to leave it unattended on one condition: he take off his wedding ring and leave it there too. He thought about this for a while, then said, “You’ve made your point” and he stopped leaving his laptop lying around. Sometimes a quick reality check is all it takes to educate your employees.
Striking The Right Balance
One good thing about this new security landscape is that innovative security technology is becoming available. Artificial intelligence and machine learning have given us great new potential to prevent malware more effectively on every type of device. In turn, the adoption of this technology should result in a substantial reduction in risk.
With this new technology, it could be tempting to dial back your security awareness efforts. However, it will always be imperative that you maintain a level of diligence and discipline in security and privacy awareness for your workforce. In today’s digital world, you will be able to shift the emphasis of training toward prevention and future risks, as well as focusing on how you should design, develop and deploy technology that better protects privacy and resists attacks.
At the end of the day, it doesn’t matter how good your technical controls are if your people don’t act as part of the perimeter. We need to create a sense of commitment and privacy ownership among our employees. If we succeed in this goal, we will empower employees to help protect the enterprise by making better security decisions both within and outside the workplace.
Malcolm Harkins is a long-time security veteran with over 25 years of industry experience. In his current role as Chief Security and Trust Officer at Cylance, he is responsible for enabling business growth through trusted infrastructure, systems, and business processes. He also directs peer outreach activities to drive improvement around the world in the understanding of cyber risks and best practices to manage and mitigate those risks.
The views, opinions and positions expressed within this guest post are those of the authors alone and do not represent those of CBS Small Business Pulse or the CBS Corporation. The accuracy, completeness and validity of any statements made within this article are verified solely by the authors.