Let’s talk about your human network security risk

Author: Mav Turner, Director of Business Strategy, Security, SolarWinds

In the wake of several high-profile and very public enterprise security breaches (at times it seems there is one every other week), businesses continue to look closely at the quality of their IT security tools and processes. But while many CEOs turn to the IT department for answers, as much as for someone to blame, the reality is that human error by employees remains the root cause of most successful network attacks.

Unfortunately, even the best security tools can only do so much. To secure your network, you need to look closely at who is using the systems day in, day out, whether their devices or applications are putting the network at risk, and whether they even realise they are doing so.

Companies should clearly define and deploy practical security policies that are realistic for their organisation. When a new process or policy is established, security training across the entire business is essential to ensure these processes are understood, implemented and followed appropriately to reduce risk. A combination of technical controls and employee education is vital and the former will not work without the latter.

With an emphasis on visibility, a thorough approach to IT security needs to begin with a full audit of the sites and applications your employees legitimately need in order to do their work. With that inventory in hand, it is easy to identify the sites that are necessary but insecure (those still served over plain HTTP, for example), and then liaise with partners and vendors to secure them. From here, assess the technical controls required to limit user permissions to what each role actually needs. Finally, communicate and demonstrate these to staff. For employees or departments resistant to change, a simple demonstration of how easy it is to capture data sent over the network in clear text will illuminate the very real risk, and is likely to resonate across the organisation, right up to C-level.
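One form that demonstration can take, as an added example rather than the author's own material: a short Python script that runs over captured TCP payloads and pulls credentials out of plaintext HTTP requests. The payloads, hostnames, usernames and passwords below are constructed for illustration; in practice the bytes would come from a capture tool such as tcpdump or Wireshark, and you should only run this against traffic you are authorised to capture.

```python
"""Passive credential harvesting from unencrypted HTTP, as a demonstration of
how easy it is to read data sent over the network in clear text.
Added example; the captured requests below are constructed, not real traffic."""
import base64
from urllib.parse import parse_qs

# Constructed TCP payloads, as a sniffer would hand them over.
# The hosts intranet.example.com and files.example.com are placeholders.
CAPTURED_PAYLOADS = [
    # 1. Form login over plain HTTP: the credentials travel as readable text.
    b"POST /login HTTP/1.1\r\n"
    b"Host: intranet.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 30\r\n\r\n"
    b"username=alice&password=Wint3r!",
    # 2. HTTP Basic auth: base64 is encoding, not encryption.
    b"GET /reports/q3.xlsx HTTP/1.1\r\n"
    b"Host: files.example.com\r\n"
    b"Authorization: Basic Ym9iOnMzY3JldA==\r\n\r\n",
    # 3. Leading bytes of a TLS ClientHello: the same login over HTTPS is opaque.
    b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03\x9e\x1c",
]

USER_FIELDS = ("username", "user", "login", "email")
SECRET_FIELDS = ("password", "passwd", "pwd", "token", "secret")


def parse_http_request(payload: bytes):
    """Split a plaintext HTTP/1.x request into (method, path, headers, body).
    Returns None for payloads that are not HTTP, such as TLS records."""
    head, _, body = payload.partition(b"\r\n\r\n")
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = text.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers, body


def extract_credentials(payload: bytes):
    """Return a list of (host, source, user, secret) tuples found in one payload."""
    parsed = parse_http_request(payload)
    if parsed is None:
        return []
    _method, _path, headers, body = parsed
    host = headers.get("host", "?")
    found = []

    # Basic auth: decode the base64 "user:password" pair from the header.
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8")
        except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
            pass
        else:
            user, _, secret = decoded.partition(":")
            found.append((host, "basic-auth", user, secret))

    # Form posts: look for the usual username and password field names.
    if "application/x-www-form-urlencoded" in headers.get("content-type", "").lower():
        form = parse_qs(body.decode("utf-8", "replace"))
        user = next((form[f][0] for f in USER_FIELDS if f in form), "")
        for field in SECRET_FIELDS:
            if field in form:
                found.append((host, "form:" + field, user, form[field][0]))
    return found


def audit_capture(payloads):
    """Run extraction over every payload; TLS and non-HTTP payloads yield nothing."""
    found = []
    for payload in payloads:
        found.extend(extract_credentials(payload))
    return found


if __name__ == "__main__":
    for host, source, user, secret in audit_capture(CAPTURED_PAYLOADS):
        print(f"{host}: {source} user={user!r} secret={secret!r}")
```

The point to make in front of a sceptical department is the contrast between the first two payloads and the third: the TLS record yields nothing, while the plain-HTTP login and the Basic-auth header give up both usernames and passwords with a few lines of code and no special skill. That is exactly why the audit above should flag any necessary site that is still reached over HTTP.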

It may seem obvious, but the best way to protect a company is to make sure that staff at all levels understand the security risks associated with accessing unsafe websites, storing and accessing data via cloud services that have not been approved by IT, using weak passwords and failing to encrypt sensitive information. One of the most critical success factors in avoiding a breach is ensuring staff work in unison with IT, not around them. For example, if an application such as Google Docs is officially approved in your organisation, it does not pose much of a problem, but if staff are circumventing IT controls in order to use it, it can become a significant risk.

Although applications such as Google Docs may be secure in and of themselves, IT has far less ability to manage risk if it is not aware the services are being used in the first place. Similarly, many mobile applications and web-based games open serious security holes. The latest trendy Flash game circulating your office might actually be malware, or expose your organisation to attack by prompting the user to install malicious software. Mobile apps also collect geo-location and other private data that could be used to learn more about your behaviour and your office security procedures.

To navigate this, IT and HR departments should collaborate to develop in-depth, easy-to-understand training programmes that can be rolled out across the business. While many employees may not understand the technical details of enterprise security, they should know the basics: never click a suspicious link in an email, lock your computer when you step away, choose strong passwords, do not send sensitive material outside the company (even to your personal email address), and minimise the sensitive information stored on your own machine rather than leaving it on the server.

IT security is a constantly evolving beast, and this requires employees to be educated regularly on how to keep themselves and their business secure. Attending one training session as part of new-employee orientation is not sufficient. Conducting simple and relevant internal security workshops on an ongoing basis, however, will help employees learn about breaches and their potential impact on the business, and may even encourage them to take an interest in their own personal IT security.

Ultimately, employees are far more likely to support policies and procedures once they fully understand the reasons behind them and the consequences of ignoring them. Businesses must be prepared to invest in training for the long term, and as the network develops and grows in complexity, so too must your employees' educational journey. To avoid human error, a human-centric approach to information security must be adopted.
