Data breaches have come to be expected. With Australia’s new mandatory data breach notification laws now in place, the Office of the Australian Information Commissioner (OAIC) was informed of 63 breaches occurring within the first six weeks of operation.
Over half of these can be attributed to “human error” – whether by a negligent employee who’s left a laptop out where they shouldn’t, or perhaps an easy-to-hack password or default administrative username compromised by hackers. Regardless of the cause, these breaches occurred, costing money, time and reputation, and leaving many organisations scrambling to shore up their defences in time for the next attack. Of course, organisations are likely to have multiple layers of security in place to safeguard against such occurrences. But are they protecting the actors at the core of their security vulnerability?
Where do you see your security?
It’s clear that the way we used to protect our enterprises is no longer enough, meaning organisations need to consider where they see their security. The network perimeter has dissipated, with employees no longer working within corporate buildings. Therefore, simply putting a perimeter around the network cannot effectively protect all employees.
In addition, hackers have become increasingly skilled at finding alternative methods by which to gain entry. The most popular method, by far, is us. People are far easier to crack than a 512-bit hash. At any large organisation, there are as many entry points for a hacker as there are users allowed into its systems. To the hacker, the possibilities seem endless.
Part of the problem facing IT decision-makers today is not just that each user in their infrastructure is a point of access, but that there are also many ways in which that user can be manipulated. From social engineering through social media platforms and phishing scams, to mere employee negligence, it only takes one click to be compromised. Along with each point of exposure, there is a person – an identity – associated with it. More often than not, it’s people who end up either causing or being responsible for loss of information, whether malicious or negligent in nature. This is why many decision-makers are arguably looking in the wrong place to secure their organisation, as they fail to secure one of their most vulnerable entry points – their people.
Are you looking in the wrong place?
Just as there are multiple ways for attackers to find their way in, organisations have built many methods by which to protect themselves. Network security, for instance, is an important part of an organisation’s security infrastructure. Likewise, endpoint security to safeguard smartphones, laptops and tablets is also vital. While these security structures are all important within an organisation, the fact remains that if the entry method of choice for malicious actors is the users that connect to an organisation’s resources, protecting those identities must be a top security measure.
Identity management lies at the centre of security today. It is a much larger and more complex problem than just giving employees access to apps, systems and data – it’s about managing and governing the digital identities that get access to sensitive data whether it resides in systems, cloud apps, or in files and folders. Identity goes beyond the network, tying into both endpoint and network security to ensure that all of the pieces of an organisation’s security infrastructure work together.
With more systems, applications, data and users than ever before, IT decision-makers need to understand that their security must start with knowing who has access to what within their organisation and ensuring that those vulnerable entry points are secured. Attackers target people for a reason, so organisations must make sure they are looking in the right place when it comes to protection.