As professionals in the technical discipline of Information Technology, it can be easy to forget that the risks that we need to guard against are more than purely technical. While it is true that patches need to be applied, security baselines followed, and firewalls configured – the job does not end there. For many organisations, the real risk to their information security is outside of the datacentre. The problem is not your patching, it’s your people.
A recent report from security vendor Code42 brings into focus that for many organisations the biggest cause of data breaches is the actions of staff, not external hackers.
Of the 38% of companies that admitted to experiencing a data breach in the previous 18 months, half cited employee actions as the cause.
Notwithstanding that Code42 market a product that protects businesses against data loss due to the actions of insiders, their report makes for interesting reading and underlines the need for businesses to activate their human firewall.
What is the Human Firewall?
The human firewall is the last line of defence for any organisation: it is the people sitting at their desks deciding whether or not to open an attachment or click on a link in an email. In the eternal cyber-security arms race there will always be exploits of zero-day vulnerabilities which virus scanners and firewalls do not detect, and which make it all the way into someone’s inbox. So the last line of defence is the awareness of the risks, and the training given to each employee, so that they make a wise choice before opening an attachment or clicking on a link that may have been sent by an attacker.
How do employees cause data breaches?
Both inside and outside of the IT department, the actions of employees have a very significant impact on the security of an organisation. Considering just the area of data breaches and Intellectual Property theft, there are three categories of behaviour which the modern Security Manager needs to take into account.
They are: Competence, Convenience and Crime.
Failings of competence result in flawed system designs or incorrectly implemented technical configurations which leave data accessible or open to modification when it should not be.
Failings of convenience are the well-meaning actions of employees, trying to do their day job, taking copies of sensitive data to work on, and storing or transporting it in a manner which is less secure than it deserves.
Failings of crime are the deliberate actions of employees to steal data and intellectual property from the organisation and make it available to a third party.
How to mitigate failings of Competence
Provide Training before adopting new technologies. New ways of working such as cloud servers or application containers can offer significant savings of time and more efficient ways of working. However, they also pose different security and operational challenges and it takes time for your technical teams to master the new systems and ways of working. Training can help avoid basic errors such as failing to configure access controls to systems moved to the cloud.
Create Test environments where configuration changes and new software versions can be tested. You can gain confidence that proposed changes or new systems are correctly configured and secured by first creating a test environment that replicates the production systems. This provides a safe place for experimentation, testing and training.
Establish a Change Control process so that proposed changes are reviewed and tested before they are implemented. Peer reviewing changes improves quality by helping to spot errors before they can affect the production systems. By clearly documenting the reason for each change, and the step-by-step instructions on how to implement it (and back it out if needed), you can ensure that each change is thought through and achieves the desired results.
Internal and External Vulnerability Scans can help identify new servers and databases that have been inadvertently published to the public internet or incorrectly secured.
Use established best practices when adopting new products or technologies. Take advantage of the experience gained by others who have been using the technology for longer than you. Make use of security baselines (Microsoft has a comprehensive set for their own server technologies) as a starting point for developing your model configurations and configuration guidelines.
How to mitigate failings of Convenience
Failings of convenience happen when staff make unwise choices while attempting to get their job done. A typical example might be an employee taking an extract of a customer database in order to work on it over the weekend. The employee is well intentioned; however, they extract more data than they need (because they don’t know how to filter the export), and the data is not encrypted or otherwise protected. The extracted file is placed on their personal Dropbox account so they can easily get to it from their home PC. A month later their home PC is upgraded. The old computer hard drive (complete with a copy of the customer database in the Dropbox sync folder) enters the second-hand market and ends up in the hands of a would-be identity thief, who is able to use the customer data to create convincing phishing emails and apply for credit in the name of several customers.
Security Awareness training is key to creating a culture within your organisation where security is ‘business as usual’ rather than an afterthought. Aim for an environment where non-technical staff think the same way about data stored electronically as they do about cash in the petty cash box (they want to keep it secure and protected from theft). When picking a Security Awareness course, consider more than the need to gain a compliance check: look for a course that will affect the thinking and behaviour of your staff, so that awareness really is raised and security improved. The job of the Security Manager is more than simply to inform staff of the security policy; they also need to provide the training and tools so that it is easy and convenient for staff to comply with the policy.
Provide secure extract and transport tools so staff can access the data they need (and only the data they need) and transport it securely. If sensitive data needs to be shared with a third party, ensure clear processes are in place and tools provided to ensure the security of data while it is in transit and at rest at its final destination.
Keep sensitive data inside the network. If staff need access to sensitive data when away from the office, consider if it is better to keep the data within your secure network and provide staff with a means to connect into the network to access the data remotely.
Provide tools to help staff work securely. It is a good thing to tell all staff to use strong passwords, but it is better to make it easy for them to do so by providing a Password Manager as part of the standard software suite given to all users. By talking to users from across the business, the Security Manager can understand the challenges and frustrations they face and so can provide the tools they need. It should be easier for people to do their job while complying with the Information Security policy than not.
Avoid the development of Shadow IT systems which are outside of the protection of the IT teams. Whether it’s an Excel file full of customer details or an MS Access database used for planning shift rotas, when information vital to the organisation’s operation lives only on the desktop of Bob’s computer it is a risk. Our recent article on Shadow IT will provide plenty of ideas and advice.
How to mitigate failings of Crime
The risk of cyber-crime does not come only from external actors. For many organisations, the staff pose a significant risk. In a recent survey, over half of employees admitted to taking data when they leave an employer, to use in their new job.
There are two main risks that employees can pose: the theft of data and the theft of intellectual property. And for each of these there are two main motivations – to sell it or to use it in their new role when they change employers.
Data stolen by external actors
Data that is stolen to sell is like any stolen property: it needs to be easy to sell on and hard to trace. Data such as payment card details is clearly valuable to criminals who want to make use of it. At the time of writing, the price paid on the dark web for stolen card details is as much as $20, and for a full set of personal information (enough to enable identity theft or financial fraud) it is $45.
Data that is valuable to criminals, and so is likely to be stolen, is known as sensitive data. Failure to secure sensitive data can now result in significant fines in the event of a theft. In the case of personal data covered by GDPR the fine is up to 4% of global turnover, which can be millions of pounds.
Sensitive data needs to be secured while it is at rest (sitting in a database), in transit (moving between computer systems) and in use (while being processed by software). Strong encryption is ideal, as this means that even if a copy of the data is stolen, it is of little use without the ability to decrypt it.
In the same way, Intellectual Property secrets, from source code to blueprints, can be protected at rest, in transit and in use. Industrial espionage is a modern-day reality in many industries. According to a CrowdStrike report, in order to save time and money the Chinese government used cyber-espionage to steal details of components from established aerospace engineering firms, so as to design their own elements for their new airliner.
38% of businesses surveyed admitted to a breach of intellectual property in the last 18 months.
Data stolen for use by the employee
Data that is stolen for personal use by the thief can be harder to prevent. For example, a sales person may take a copy of their customer list in order to try to poach those customers when they move to a new employer. The customer list is something the employee was permitted to access as part of their day job, so some form of network monitoring is required to spot the customer list as it leaves the corporate network. Data Loss Prevention (DLP) tools can help solve this challenge. Typically DLP tools provide a means to first locate and then categorise data wherever it is held within your network, and then monitor access to and use of that data. Alerts can be generated when the data is used or transmitted in unexpected ways, and some DLP tools can even block its egress from your network.
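The locate, categorise, monitor and block pipeline described above, reduced to a runnable sketch. This is an added example, not code from the article or from any DLP product: it labels content by what it contains (Luhn-validated card numbers, a run of customer email addresses, a confidentiality marker) and then decides, per egress event, whether to allow, alert or block. The internal domain, the sanctioned service and the five events are constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumptions (constructed for this example): the organisation's own domain and the
# collaboration services it sanctions. Anything else is treated as an external destination.
INTERNAL_DOMAINS = {"corp.example"}
SANCTIONED_SERVICES = {"sharepoint.corp.example"}

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> set[str]:
    """The 'categorise' step: label content by what it contains, not by where it lives."""
    labels: set[str] = set()
    for match in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", match.group())):
            labels.add("payment-card")
            break
    if len(set(EMAIL_RE.findall(text))) >= 3:  # several distinct addresses looks like a customer list
        labels.add("customer-list")
    if "CONFIDENTIAL" in text.upper():
        labels.add("confidential")
    return labels


@dataclass
class EgressEvent:
    user: str
    channel: str       # "email", "upload" or "usb"
    destination: str   # recipient domain, upload host, or removable-device id
    content: str


@dataclass
class Decision:
    user: str
    labels: set[str]
    action: str        # "allow", "alert" or "block"
    reason: str


def is_internal(destination: str) -> bool:
    host = destination.lower()
    return (host in SANCTIONED_SERVICES
            or any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS))


def evaluate(event: EgressEvent) -> Decision:
    """The 'monitor' step: allow internal traffic, block card data leaving, alert on the rest."""
    labels = classify(event.content)
    if not labels or is_internal(event.destination):
        return Decision(event.user, labels, "allow", "no sensitive content or internal destination")
    where = f"via {event.channel} to {event.destination}"
    if "payment-card" in labels:
        return Decision(event.user, labels, "block", f"payment-card data {where}")
    return Decision(event.user, labels, "alert", f"{', '.join(sorted(labels))} {where}")


# Constructed sample events, not real traffic. 4111 1111 1111 1111 is a well-known test number.
SAMPLE_EVENTS = [
    EgressEvent("alice", "email", "corp.example",
                "Refund for order 8841, card 4111 1111 1111 1111 - please process."),
    EgressEvent("bob", "upload", "dropbox.com",
                "Customer export: ann@shop.example, raj@mill.example, mei@cafe.example, ..."),
    EgressEvent("carol", "email", "gmail.com",
                "Keeping a note of my card: 4111-1111-1111-1111"),
    EgressEvent("dave", "email", "partner.example",
                "Hi, see you at the 10am meeting tomorrow."),
    EgressEvent("erin", "usb", "usb-serial-0042",
                "CONFIDENTIAL: Q3 product roadmap"),
]


def run(events=SAMPLE_EVENTS) -> list[Decision]:
    return [evaluate(e) for e in events]


if __name__ == "__main__":
    for d in run():
        print(f"{d.action:5} {d.user:6} {d.reason}")
```

The design point worth noticing is that the decision depends on both the content label and the destination: the same card number is allowed when it goes to a colleague and blocked when it goes to a personal mailbox. The Luhn check matters too, because without it a thirteen-digit order reference would raise the same alarm as a real card.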
Many employees would not see taking data with them when they leave a business as theft. While most people would say it was unacceptable for a departing employee to try to keep their company laptop, many would not have a problem with copying data off that laptop before its return. Culturally, many organisations have not treated employee data theft as a problem when the data is brought into the business with a new employee. Often a copy of a competitor’s sales list is greeted with a nudge and a wink. However, business leaders should be aware that this sets a tone in the organisation that data theft is acceptable. As a result it becomes harder to get employees to treat the company’s own data correctly.
According to the 2019 Data Exposure report, over half of CxOs surveyed admitted to bringing intellectual property or data from their previous employer to their current role.
Protecting an organisation’s intellectual property from theft by employees is as much an exercise in winning hearts and minds as it is a technical problem. Until businesses stop welcoming their competitors’ IP in through the front door with new employees, it will be very difficult to stop their own IP walking out the back door with departing employees.
DLP tools can help to categorise and locate documents and other unstructured data which contain Intellectual Property. The files can also be digitally fingerprinted and watermarked, so that if they should ever fall into the wrong hands it will be possible to identify exactly which employee’s copy of the blueprints ended up in the competitor’s factory.
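A minimal version of the per-copy fingerprinting described above, added here as an example; it is not code from the article or from any DLP product. Each employee receives a copy of a text document carrying a keyed fingerprint (32 bits of an HMAC over the document id and the employee name) encoded in trailing whitespace on the first 32 lines, so a leaked copy can be traced back to its owner, even if only part of it survives. The secret key, the document id, the forty-line "blueprint" and the three employee names are all constructed for the example.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Assumption: an organisation-wide secret held by the document-issuing system and never
# shipped with the documents. The value is constructed for this example.
SECRET_KEY = b"constructed-example-key-change-me"
FP_BITS = 32  # number of lines that each carry one fingerprint bit


def fingerprint(doc_id: str, employee: str) -> str:
    """Keyed, per-copy fingerprint: the first FP_BITS bits of HMAC-SHA256(key, doc_id|employee)."""
    digest = hmac.new(SECRET_KEY, f"{doc_id}|{employee}".encode(), hashlib.sha256).digest()
    return "".join(f"{byte:08b}" for byte in digest)[:FP_BITS]


def watermark(text: str, bits: str) -> str:
    """Embed bits as trailing whitespace: a '1' line ends with one space, a '0' line with none."""
    lines = text.split("\n")
    if len(lines) < len(bits):
        raise ValueError("document has too few lines to carry the fingerprint")
    marked = []
    for i, line in enumerate(lines):
        line = line.rstrip()  # strip pre-existing trailing whitespace so only our marks remain
        if i < len(bits) and bits[i] == "1":
            line += " "
        marked.append(line)
    return "\n".join(marked)


def extract(text: str) -> str:
    """Recover whatever fingerprint bits survive; a truncated leak yields a shorter string."""
    lines = text.split("\n")[:FP_BITS]
    return "".join("1" if line.endswith(" ") else "0" for line in lines)


def issue_copies(doc_id: str, text: str, employees: Iterable[str]) -> dict:
    """Produce one uniquely marked copy per employee; the issuer need only record doc_id and names."""
    return {emp: watermark(text, fingerprint(doc_id, emp)) for emp in employees}


def identify(leaked: str, doc_id: str, employees: Iterable[str]) -> Optional[str]:
    """Return the single employee whose fingerprint matches every surviving bit, or None when
    nothing survived or more than one candidate fits (a leak truncated too far to be unambiguous)."""
    observed = extract(leaked)
    if not observed:
        return None
    candidates = [emp for emp in employees
                  if fingerprint(doc_id, emp)[:len(observed)] == observed]
    return candidates[0] if len(candidates) == 1 else None


# Constructed sample: a 40-line "blueprint", a made-up document id and three recipients.
SAMPLE_DOC = "\n".join(f"Blueprint section {n}: tolerances and materials for part {n:03d}."
                       for n in range(1, 41))
DOC_ID = "BLUEPRINT-EXAMPLE-017"
EMPLOYEES = ["alice", "bob", "carol"]


def demo() -> Optional[str]:
    """Issue one copy each, then trace the copy that 'turned up at a competitor' back to its owner."""
    copies = issue_copies(DOC_ID, SAMPLE_DOC, EMPLOYEES)
    leaked = copies["bob"]
    return identify(leaked, DOC_ID, EMPLOYEES)


if __name__ == "__main__":
    print("leaked copy belonged to:", demo())
```

Two properties carry over to real products even though the encoding here is deliberately simple: the fingerprint is keyed, so an employee cannot compute another employee's mark and re-label a copy, and identification insists on a unique match, so a copy that has been cut down to a few lines is reported as inconclusive rather than pinned on the wrong person. Any real deployment would use a watermark that survives format conversion and editing, which trailing whitespace does not.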
Information Security is a programme, not a project. The threat landscape is constantly evolving, and successful Security Managers continue to re-evaluate their policies, procedures and tools in order to best protect their networks.