It’s every security professional’s nightmare, come to life: A security breach that starts with a phishing email. After all, there’s no firewall in the world that can prevent an end user from clicking on the latest ploy; losing their cell phone, complete with corporate email addresses; or sending proprietary data using the public Internet.
How, then, can security professionals protect their enterprise, knowing full well that end users pose a potential (if accidental) risk? We reached out to industry influencers and security experts to find out. The answer starts with the end users themselves, and incorporates education, involvement, and awareness—from the top down.
Don’t rely on technology alone
People are central to any security policy, and companies can’t rely on technology alone.
“There is no AI better with pattern recognition than trained human beings. Sure, computers perform these repetitive pattern-matching tasks faster than humans, but machines cannot identify anomalies or predict security flaws as reliably as humans,” notes Scott Schober (@ScottBVS), Cybersecurity expert, President/CEO of BVS, and author of Hacked Again.
“After all, people are behind as many attacks as they are behind the vulnerabilities that make these attacks possible,” he says. “That is why it is important for people to always be involved with every stage of IT security, no matter how much AI power is thrown at a task. Humans need machines to accelerate their work as much as machines need humans to double-check their overall security effectiveness.”
Jeff Cutler (@JeffCutler), technology journalist, agrees that companies cannot rely on technology alone. “A people-centered approach is still...before AI becomes hundreds of times better...the best way to determine and ensure true security,” he notes. “As much as we program automated defenses, they're still susceptible to an organized, well thought-out attack. That's why breaches often happen. Companies are continually letting down their human line of defense and relying on their 'intelligent' technology. If an organization is serious about maintaining a barrier to their network and data, humans still need to be involved.”
“Improper password hygiene, use of unsecured devices, and mistakenly clicking on phishing emails are just three examples of how busy, overworked and under-informed people commit the exact types of errors that bad actors want them to,” says Steve Prentice (@StevenPrentice), Senior Content Producer.
Layer in Training and Awareness
“A people-centered approach to IT security starts by training people on critical thinking, time management, and ongoing awareness of how cyber threats seek vulnerable points of entry,” he continues. “Management must focus more on communicating with IT on how to continually drive home a message of street-smarting employees. Only then can the network perimeter and its access points be made safer.”
Jessica Marie (@thoughtcosm), Principal of Product Marketing at WhiteHat Security, would agree. “When we take a people-centered approach to IT security, we begin to educate and empower employees to understand the risks and make better decisions,” she says. “This means that executives and senior managers must lead by example. It is often said that people are the weakest link when it comes to enterprise security. It’s not a technical problem, it’s a people problem, and a mindset problem.”
Simply put, ongoing awareness training is mandatory. “It is a well-known axiom in the security industry that corporate networks are like candy bars which are hard on the outside and soft and chewy on the inside. Essentially this means people are often the path of least resistance with regards to data breaches whether because of human error, malicious intent or social engineering,” says Robert Siciliano (@RobertSiciliano), Identity Theft Expert and CEO of IDTheftSecurity.com. “An enterprise information security architecture that incorporates ongoing security awareness training is an essential component to the dissolving network perimeter.”
Education is foundational – but so is changing an organization’s culture, says Ed Featherston (@efeatherston), VP Principal Architect Cloud Tech. Partners. “One of the biggest challenges and weakest links … we face are the people,” he says. “This comes from 2 perspectives. First is a culture. There is a tendency to be reactive when dealing with security issues. Instead of a security-first approach which has both proactive and reactive components and processes, many organizations adopt a ‘it won’t happen here’ attitude.”
The second challenge, he notes, “is individuals quite honestly still clicking on phishing emails. Almost every major breach in the last year started there. Both issues are people centric.”
Teams, trust, and consequences
A team approach is at the center of any people-oriented approach, as is trust. But so, too, are consequences, say others.
“Ultimately, security is a team effort. While unorthodox, using a people-centered approach to IT security is about expanding the team,” says Will Kelly (@willkelly), technical writer. “When you stand up the right team, the wall between business and IT comes down and they can become collaborators if not even partners. Such an epic change in culture makes it easier to reinforce appropriate security behaviors amongst the business users.”
“Another outcome is data governance policies become a true collaboration, not a decree from a nameless, faceless IT drone,” he continues. “Such an environment shifts from IT enforcing arbitrary security policies to a more balanced IT security strategy, because business and IT engagement enables trust, feedback, and iteration to support security over your network perimeter and business critical data.”
Kevin Jackson (@Kevin_Jackson), Director Cloud Solutions & Technical Fellow at Engility Corporation, believes consequences are important. “A human-centric approach to IT security requires an organizational culture of trust and enforceable IT governance. The former is difficult to establish and the latter is hardly ever true,” he notes. “Such a rare environment can only be realized if the penalty for organizational data loss is severe, immediate and independent of status or rank.”
Foundational security measures
No matter the approach, and the involvement of users, every security professional should use multiple layers to protect the enterprise, starting with the least-privilege model.
“Organizations should focus on defining a least-privilege security model for each permanent or temporary role a user may inhabit, and then apply those roles to every device, server, and service that an individual may interact with over the course of each day,” says Kayne McGladrey (@kaynemcgladrey), Director of Information Security Services at Integral Partners.
“Organizations need to move past the quaint but antiquated concept of a network perimeter and recognize that the only measurable unit of security is the individual. Individuals include employees, project team members, contractors, third-party service providers, customers, prospects, and guests at a minimum.”
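The least-privilege model McGladrey describes, worked through as an added example (not code from the article or any of the people quoted): each user holds permanent or time-boxed role grants, every device, server and service is tagged with the roles it admits, and access is denied unless an active role matches. The user, roles and resource names are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Iterable, Optional, Set

@dataclass(frozen=True)
class RoleGrant:
    """A role a user inhabits; expires=None marks a permanent role."""
    role: str
    expires: Optional[datetime] = None

@dataclass(frozen=True)
class Resource:
    """Any device, server or service, tagged with the roles it admits."""
    name: str
    kind: str
    allowed_roles: FrozenSet[str]

def active_roles(grants: Iterable[RoleGrant], now: datetime) -> Set[str]:
    """Roles still in force at `now`; a lapsed temporary grant confers nothing."""
    return {g.role for g in grants if g.expires is None or g.expires > now}

def is_allowed(grants: Iterable[RoleGrant], res: Resource, now: datetime) -> bool:
    """Deny by default: access needs at least one active role the resource admits."""
    return bool(active_roles(grants, now) & res.allowed_roles)

def access_report(grants: Iterable[RoleGrant], resources: Iterable[Resource],
                  now: datetime) -> Dict[str, bool]:
    """Evaluate one user's roles against every resource they might touch."""
    return {r.name: is_allowed(grants, r, now) for r in resources}

# Constructed sample (hypothetical): a contractor with a permanent role plus an
# eight-hour temporary database-admin role granted at START.
START = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
DURING_SHIFT = START + timedelta(hours=1)   # temporary grant still active
AFTER_LAPSE = START + timedelta(hours=9)    # temporary grant has expired
CONTRACTOR_GRANTS = (
    RoleGrant("contractor"),
    RoleGrant("db-admin", expires=START + timedelta(hours=8)),
)
RESOURCES = (
    Resource("laptop-17", "device", frozenset({"contractor", "employee"})),
    Resource("prod-db-01", "server", frozenset({"db-admin"})),
    Resource("payroll-api", "service", frozenset({"hr"})),
)

if __name__ == "__main__":
    print("during shift:", access_report(CONTRACTOR_GRANTS, RESOURCES, DURING_SHIFT))
    print("after lapse: ", access_report(CONTRACTOR_GRANTS, RESOURCES, AFTER_LAPSE))
```

Once the temporary grant lapses the contractor keeps only the device access their permanent role admits; the payroll service, which no role they hold admits, is never reachable.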
From there, Thomas Willingham (@GotTWilling), Product Marketing Leader and Evangelist, suggests a four-layer approach that includes identity, mobile devices, data, and desktop virtualization.
“Identity is how the user is uniquely identified to data and resources, both on-premises and in the cloud,” he says. “Enable features such as single sign-on and Multi-Factor Authentication (MFA) to ensure user identity is protected. Identity-driven security that monitors for atypical user behavior should also be deployed.
“Mobile devices and applications involves ensuring mobile devices and the applications used on these devices are secure and meet specified standards,” he continues. “Enable features such as conditional access to ensure applications and data are kept secure and separate from personal information on user owned devices.
When it comes to data, “ensure that data is kept secure both at rest, and in transit,” he says. And last but not least, for desktop/application virtualization? “Ensure the user has access to Windows-based applications consistently across all devices and platforms,” he notes. “Data and resources are not stored on the local device, so even if the device is lost or compromised, data and resources stay secure.
“Implementing security across these different layers,” he notes, “ensures that not only is the user identity secure, but also data and resources.”
Forcepoint’s human-centric cybersecurity systems protect your most valuable assets at the human point: The intersection of users and data over networks of different trust levels. Visit www.forcepoint.com