The biggest data security threat – Human Error Steve
The threat landscape has always been composed of both external (i.e. hackers) and internal threats (i.e. employees). Regardless of the security threat and whether or not the malicious intent is present, IT departments have always relied on technology to provide a wide range of solutions – from AVs to Firewalls, IPS, and many others. However, all solutions have one vulnerability in common: the human factor. “Human Error Steve” has got everything covered – from incorrect policy configurations as part of the IT department to sending e-mails to wrong recipients as part of any other department. So what options are there in the face of a threat present no matter what? Is this really such a big issue?
How big is the issue?
There is an abundance of statistics that provide insight into the size of the problem as well as some huge stories that made the news.
If you’re interested in figures, we recently did a survey that show that lost USBs are in the top 3 causes of data breaches, half of all employees have sent e-mails to the wrong recipient, and 4 out of 10 employees can tell you an incident with a colleague posting confidential information on social media or other places where it shouldn’t be (see full infographic here). But don’t just take our word for it. There are a few more interesting numbers from IBM’s “2015 Cyber Security Intelligence Index” that states over 95% of all security incidents involved human error.
If stories are more of your thing, then you probably already know the ones where laptops and smartphones were left in cars, train stations, restaurants or HR documents sent to wrong recipients. A quick internet search will reveal even more stories that span across all industries – from healthcare to manufacturing.
Ok, so human error is a big issue. What can we do about it?
As we’re a Data Loss Prevention vendor, we’ve been raising awareness and emphasizing that a solid security solution also needs to be complemented by the human component. Informing employees about the role they play, what they can and can’t do (and why) and how they can help improve the process and security is something every company should consider. So let’s take a look at some actual solutions, their benefits, and shortcomings.
It’s probably the first thing that comes to mind when a company wants to provide information that its employees’ need to assimilate. Being one of the classic ways of doing things, it’s relatively easy to organize and everybody is used to them and will know what to do. The downside, however, is that trainings are not the most appealing activities. Add to this the fact that “Security” is not really a hot topic, therefore, the results may leave something to be desired.
It is not necessarily a new concept (as it’s been around since the ’90s) but started to pick up again around 2010. It basically implies the application of typical elements of game playing to engage, teach and entertain. Although it was mainly used in marketing, it has applications in many other areas as it promises to make difficult things fun. With the possibility to turn “Security” into a hot topic for every employee this could be considered the best solution yet. But before we rush into anything, the major shortcoming is the fact that, if not organized properly and with clear objectives, it can just be a game that nobody even wants to play.
DLP & MDM
Let’s not forget that technology is still on our side. “Human Error Steve” is only human after all. He can’t be everywhere at the same time and, the bottom line is that “Malicious Intent Jack” is not really someone he knowingly associates with. Data Loss Prevention and Mobile Device Management can efficiently be used to secure data when Steve is ready to pull his trademark move. Basically, DLP & MDM solutions can be used to simply monitor employees’ actions without affecting their day to day activities or decrease productivity. They are the security solutions that will take action only when “Human Error Steve” wants to send confidential data outside the safety of the network. When it comes to “Malicious Intent Jack”, sports fans can be sure the DLP will stick to Jack like white on rice.
Ok, ok. So DLP & MDM sound like good options but how do they work? What if “Human Error Steve” somehow makes his way in the IT department and has to define security policies? Let’s take a look at some of the main features of such solutions:
- Monitor, Allow or Block
It’s not just about blocking users whatever they do. This will only make them fight the system and join the dark side – I heard they have cookies. Initially, start with monitoring, understand the users and block only the file transfers that should never take place.
This option help avoids redundant blocking. Not all users should be treated the same. “Malicious Intent Jack” should have a threshold of sending sensitive data outside the network set to 1. On the other hand, “Human Error Steve” should be given the benefit of the doubt and have it set to 3 (these are only examples, you will have a better idea of what each level should be set to after the monitoring phase).
- Offline Temporary Password
Sometimes we get in a situation where we have no internet access but need access to a USB stick (like an important presentation). Such a feature will help the user take care of business. It can be argued that Steve can take a front seat but logs will be sent to the DLP server when the computer reconnects to the internet so, let’s have a little faith in people and in the trainings and gamification we put effort into.
- Filters and Policies
It’s not just about a simple filter. There are several available – by predefined content, custom content, file type, applications, and regular expressions – just to name a few.
- BYOD Policies
There is no doubt that mobility makes people happy and more productive. At the same time, it’s also true that it opens up a lot of security vulnerabilities. MDM solutions and BYOD policies can help bring balance to the table. Security policies can be enforced on the devices and, at the same time, network settings and apps can also be remotely pushed to the device fleet. This helps both the IT department and the other employees’ productivity. It’s true that people may be reluctant to enroll their devices in the MDM solution but it’s not an impossible obstacle to overcome. After the trainings and gamification, we’re all friends now. We need to give in order to receive. If that doesn’t work, there is also the compliance rules and regulations to throw in the game.
- Multiple Admins
In case “Human Error Steve” stumbles into the IT department, all is not lost. With the option to create several Admins, the chances of Steve actually causing any issues drastically decrees. Moreover, “Super Admin Jane” can always watch everything from a distance and jump in if the situation calls for it.
Technology alone will not win the fight
No matter what security solution you implement, the human element will always be part of the equation. As nature taught us, there needs to be a balance between things in order for the system to function properly. Therefore, the solution to human error is a mix of technology and consideration for our fellow humans. There is no 100% solution when it comes to security, but we can all play our part in keeping the percentage as high as possible.