In the wake of several high-profile and very public enterprise security breaches – at times it seems there’s one every other week - businesses continue to look closely at the quality of their IT security tools and processes. But while many CEOs turn to the IT department for answers, as much as a source of blame, the reality is human (employee) error remains the root cause of most successful network attacks.
Unfortunately, even the best security tools, solutions and products can only do so much. In order to secure your network, it’s vital that you look closely at who is using the system day in, day out, whether their devices or applications are putting the network at risk, and whether they even realise they’re doing so.
Companies should clearly define and deploy practical security policies that are realistic for their organisation. When a new process or policy is established, security training across the entire business is essential to ensure these processes are understood, implemented and followed appropriately to reduce risk. A combination of technical controls and employee education is vital and the former will not work without the latter.
With an emphasis on visibility, a thorough approach to IT security needs to begin with a full audit of sites and applications your employees need legitimate access to in order to complete their work. With this information, it’s easy to identify those sites which are necessary but unsecure, and then liaise with partners and vendors to secure them. From here, it’s also important to assess technical controls required to limit user permissions. And finally, communicate and demonstrate these to staff. For employees or departments resistant to change, a simple demonstration of how easy it is to capture data sent over the network will really help to illuminate the very real risk and is likely to resonate across the organisation- right up to the C-Level.
It may seem obvious, but the best way to protect a company is to make sure that staff at all levels, understand the security risks associated with accessing unsafe websites, storing and accessing data via cloud services that haven’t been approved by IT, using weak passwords and not properly encrypting sensitive information. One of the most critical success factors to avoiding a security breach is to ensure staff are working in unison with IT, not around them. For example, if an application such as Google Docs is officially approved in your organisation, it doesn’t pose much of a problem, but if staff are circumventing IT controls in order to use the application, it could then become a significant risk.
Although applications such as Google Docs may be secure in and of themselves, IT has less ability to manage risk if they aren’t aware that these services are being used in the first place. Similarly, many mobile applications and web based games also create gaping security holes. The latest trendy Flash game circulating your office might actually be malware, or open your organisation up to attacks by prompting the user to install malicious software. Mobile apps also collect geo-location and other private data that could also be used to learn more about your behaviour and office security procedures.
To navigate this, IT and HR departments should collaborate to develop in-depth, easy to understand training programmes that can be rolled out across the business. While many employees may not understand the technical details of enterprise security, they should be aware of the basics – such as, never click a suspicious link in an email, lock your computer when you step away, choose secure passwords, don’t send sensitive material outside of the company (even to your personal email address) and minimise the sensitive information stored on your personal machine (versus leaving on the server).
IT security is a constantly evolving beast and this requires employees to be educated regularly on how to keep themselves and their business secure. Attending one training session as part of a new employee orientation is not sufficient. Conducting simple and relevant internal security workshops on an ongoing basis however will help employees learn about breaches and their potential impact on the business – perhaps even encouraging employees to become aware of their own personal IT security.
Nevertheless, employees are far more likely to support policies and procedures once they fully understand the consequences and reasons behind them. Businesses must be prepared to invest in training for the long term and as the network develops and grows in complexity, so too must your employees’ educational journey. To avoid human error, a human-centric approach to information security must be adopted.
Blast from the past?
Try our new Space Invaders inspired video game NOW.
What score can you get ?