Managing The Human Factor in Cyber Defense

By Ellen Ozderman, Director of Information Security; and Roman Edmond, Information Security Consultant

A workforce that includes employees, contractors, vendors and partners can be an organization’s most valued asset in generating revenue—but can also be its biggest threat. A 2013 study conducted by the Ponemon Institute reveals that 69% of data security breaches are a result of insider-related actions such as negligence or mishandling, while only 16% of major data leaks are associated with hackers or outside perpetrators. Human error and omission are often at the root of these data breaches. For example, industry research reports that the most popular of the stolen passwords posted by hackers is “password.” In many cases there is no technical defense that would have prevented the breaches.

Here are three ways to “socially” influence a security-minded culture within your organization and reduce the ever-growing threats:

1. Tighten Up Hiring, Transferring and Termination Processes

The first thing an organization can do to minimize its insider threat exposure is to implement a rigorous hiring process. This includes conducting proper background checks, interviewing past employers, and verifying credentials. Additionally, organizations should assign risk levels to all positions, with the level of investigation paralleling the risk level of the position. As staff move between roles within an organization, proper oversight should be exercised to ensure that account privileges are updated in a timely manner.

In the same vein, a strict termination process can help mitigate the risk of a breach from separated workers, especially those with administrative privileges. The CERT Insider Threat Center stresses that companies should pay close attention to individuals who are leaving the company, as malicious activities typically occur 30 days before or after a worker’s departure date. This could be easily addressed by completing a termination checklist before a worker’s last day. The checklist should be managed by the worker’s direct manager, and the completed checklist should be submitted to Human Resources upon separation. A sample checklist would include:

  • Obtain all company-owned mobile devices or other computing equipment
  • Terminate all physical access, including ID/access badge
  • Terminate all logical access to system accounts
  • Conduct an exit interview to verify all separation activities have been completed

2. Implement Enterprise-wide Insider Threat Awareness and Training

End users within the workforce are often the last line of defense in preventing information security incidents. Security awareness training should be conducted regularly and address both malicious and careless activities that present threats. The training should analyze existing information security culture, behaviors, and roles and should be designed to increase workforce vigilance.

Ironically, many companies believe they are effective in reinforcing security policies and best practices, but the statistics say otherwise. A recent Forrester report found only 42% of staff indicated that they received security-related training, and alarmingly, only 57% confirmed that they were aware of the company’s security policies. To remedy this, look for ways to incorporate education sessions into your corporate culture. Many companies use National Cyber Security Awareness Month (October) to conduct trainings and leverage this period to refresh policies or procedures. After training delivery, feedback should also be solicited from the workforce to measure and improve the effectiveness of the training.

3. Formalize an Insider Threat Management Process

In order to effectively detect, prevent and respond to unique threats from insiders, organizations should not take a piecemeal approach. Rather, insider threat management should be formally integrated with the overall Incident Response process and should involve Human Resources, Legal, Information Technology, and Security cross-functionally. As these threats are realized, a clearly documented response procedure should be implemented with an agreed-upon escalation chain. In addition to the ability to handle current insider threat issues, the Insider Threat Management process should also facilitate proactive development of a whistle-blowing culture and risk reduction of workforce-introduced errors. For example, some organizations have set up an insider threat hotline number which allows individuals to report potential insider threat activities anonymously.

There is no cure-all formula for insider threats, but the solutions mentioned above are foundational in building a security-minded culture. As financial loss and internal fraud rise, are you too trusting of your workforce? Or are you prepared to respond to these formidable insider threats?
