IT leader’s guide to reducing insider security threats
September 24, 2017
Insider threats can pose even greater risks to company data than those associated with external attacks. In fact, employees are responsible for nearly half of IT security incidents every year, according to a recent report from Kaspersky Lab and B2B International. This ebook offers a look at where the risks lie and what you can do to mitigate them.
From the ebook:
Employees are a company's greatest asset, but also its greatest security risk.
"If we look at security breaches over the last five to seven years, it's pretty clear that people, whether it's through accidental or intentional introduction of malware, represent the single most important point of failure in terms of security vulnerabilities," said Eddie Schwartz, chair of ISACA's Cyber Security Advisory Council.
In the past, companies could train employees once a year on best practices for security, said Wesley Simpson, COO of (ISC)2. "Most organizations roll out an annual training and think it's one and done," Simpson said. "That's not enough."
Instead, Simpson said organizations must do people patching: Similar to updating hardware or operating systems, you need to consistently update employees with the latest security vulnerabilities and train them on how to recognize and avoid them.
"Your people are your assets, and you need to invest in them continually," Simpson said. "If you don't get your people patched continually, you're always going to have vulnerabilities." Even in a company with hundreds of employees, it's worth training them as opposed to taking on the risk of a breach, he added.
However, it's important to empathize with your employees as well, said Forrester analyst Jeff Pollard. "People represent a large potential attack surface for every organization. The reason I don't like to think of people as a security vulnerability is that it encourages a blame the victim mentality. Security teams exist to protect information, people, and the business."
When a user makes a mistake and clicks on an email that causes an infection, we often think that was the cause, Pollard said. But that's not actually the case—the organization was already under attack when the attacker sent the email, before it was opened. It also means every other security control in the path of that attack failed.