What are the main threats currently jeopardising organisations?
We have identified that more than 6 in 10 security threats are perceived to be internal. These threats, whether accidental or malicious, can come from across the extended enterprise – employees, ex-employees and trusted partners.
Why is this becoming an issue now?
Some 84 per cent of organisations suffered a data security incident in the last year. The increased uptake of 'bring your own device' (BYOD), cloud-based tools and the reliance on the extended enterprise to share information across global and diverse networks and with third parties are all building towards perfect security storm conditions ahead.
What are businesses doing about the growing trend of bring your own device (BYOD) policies in the workplace?
A key factor to the security storm is BYOD, which is proving to be an unstoppable force, driven by employees' desires to use familiar equipment that will help them do their job better. The survey found that the top three BYOD threats are employee use of USB or storage devices to save company data, inadvertent human error (e.g. sending an email to the wrong recipient) and employees sending work-related emails via personal email accounts or devices.
The appropriate use of BYOD within an organisation must be addressed in order to minimise further security incidents; however, only 31 per cent of organisations are accepting or proactively managing BYOD – the rest are resisting and blocking access where possible (52 per cent) or denying it altogether (11 per cent). This is despite the belief by half (53 per cent) of the respondents that users will continue to use their own devices on the network, whether it is sanctioned by IT or not.
What can companies do about internal threats?
Take it seriously. Appreciate that just because you are a small organisation, never presume that somewhere on the other side of the world someone isn't interested in breaking into your business over the internet and stealing what data you have, to monetise that elsewhere in the world. They are and they will. There is no silver bullet. Start with employee awareness; there are lots of stories in the media that you can pick out and ask, what would we do if that happened? How would we prevent that? People are often seen as the weakest link in security, but they are key to building up the defences and reducing the risks.
Luckily, Guy was able to give us some common-sense advice on what you can do to secure your business.
Step 1: Put a plan in place
It is vital to have a comprehensive security plan in place to cover off issues such as BYOD and social media. This should be backed up with a visible and tangible security policy to ensure the enemy within is not afforded the opportunity to cause any damage. A robust policy could include:
Step 1: Evaluate who and why you are communicating with and by what means
A good first step is to understand who your teams are talking to – suppliers, partners, the public – and why, and then to work out how they are communicating with them. If you are adopting a 'Bring Your Own Device' policy, an organisation's IT security policies must allow for the appropriate use of these devices and should be set to cover all eventualities. There must be a plan for what happens to the data on these devices when the employee leaves the organisation. 50 per cent of public sector organisations are concerned that social media channels could pose significant risks to their IT security.
Step 2: How far reaching is your security policy?
Has it been updated to include all social media platforms, employees' own devices and third parties? What happens if an email is sent in error or a disgruntled employee tweets from the corporate account? What procedures are in place to deal with this? And are you password secure – how often do you change the ones for corporate social accounts or for the website?
How visible is your security policy to your employees, and how often are they updated on it? We would recommend that this is done at least twice a year. Consider how quickly things change in the technology world: an untrained employee is a security risk for the whole organisation. What is acceptable to an individual may not be acceptable to the organisation, and understanding that there is a difference between the two, especially when it comes to social media, is extremely important.
Step 3: What are the consequences of getting it wrong?
From our research we know that if things go wrong on the IT security front then the consequences are far reaching – a third of organisations cited reputational damage to the organisation, followed by 20 per cent worried about the financial consequences and 18 per cent wary of policy or compliance repercussions.
There needs to be a plan – how would you deal with an inappropriate email, or miscalculated tweet? If there are policies and a plan then hopefully you will never need to enforce them, on the other hand if there is a problem, then you are ready. Forewarned is forearmed.
With overwhelming figures showing that a general lack of knowledge and education leads to a loss of information, it's essential that an organisation not only embraces adaptive security but also educates its employees and nurtures a security-conscious culture in its policies – covering the network, the endpoint and BYOD. The challenge is to stay ahead of the curve, regularly check policies and ensure the technology an organisation currently has can be used and updated to mitigate new threats. Much technology is actually underutilised.
For example, gateway technologies that were bought for anti-virus, anti-spam and similar purposes may also be capable of DLP and encryption, but as they were not bought for that purpose, it's likely that the organisation hasn't noticed that new and existing functionality can be implemented to solve new problems. With the risk of human error so great, the less security that relies on manual input, the more secure the policy. When the flow of information is protected by technology such as Adaptive Redaction, which provides consistent, automatic, policy-based removal of critical business information that is not supposed to be shared, businesses are assured that only the correct information is shared and both accidental and intentional loss is prevented.
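To make the idea of policy-based, automatic redaction concrete, here is an added illustrative example in Python; it is not Clearswift's Adaptive Redaction code or any product's implementation. It assumes a single internal domain (`example.com`), a constructed sample message, and three constructed rules: payment card numbers are removed for every recipient (with a Luhn check so that ordinary reference numbers are not mangled), while a classification-marked line and a hypothetical project codename are removed only when at least one recipient is outside the organisation. Each decision is counted so the gateway can log what the policy changed, which covers the "inadvertent human error" case from the BYOD survey findings: the sender does not have to notice the mistake for the data to stay inside.

```python
"""Illustrative policy-based redaction of an outbound message (added example, not product code)."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Assumption: the organisation's own mail domain(s); anything else is "external".
INTERNAL_DOMAINS = {"example.com"}


def luhn_valid(digits: str) -> bool:
    """Return True if a digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Rule:
    name: str
    pattern: re.Pattern
    replacement: str
    scope: str = "external"                               # "external" or "all"
    validator: Optional[Callable[[str], bool]] = None     # extra check to cut false positives


# Constructed policy: three rules, two of which only apply to external recipients.
RULES: List[Rule] = [
    Rule("payment-card",
         re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),          # 13-16 digits, spaces/dashes allowed
         "[REDACTED: payment card]",
         scope="all",
         validator=lambda s: luhn_valid(re.sub(r"[ -]", "", s))),
    Rule("confidential-line",
         re.compile(r"^.*\bCONFIDENTIAL\b.*$", re.IGNORECASE | re.MULTILINE),
         "[REDACTED: classified line removed]"),
    Rule("project-codename",                              # hypothetical codename for the example
         re.compile(r"\bProject Aurora\b"),
         "[REDACTED: project codename]"),
]


@dataclass
class RedactionResult:
    text: str
    external: bool
    counts: Dict[str, int] = field(default_factory=dict)  # rule name -> number of redactions


def is_external(recipient: str) -> bool:
    """Treat any address not on an internal domain (or with no domain at all) as external."""
    if "@" not in recipient:
        return True
    return recipient.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS


def redact_message(body: str, recipients: List[str]) -> RedactionResult:
    """Apply every rule whose scope matches the recipient list; record what was removed."""
    external = any(is_external(r) for r in recipients)
    counts: Dict[str, int] = {}
    text = body
    for rule in RULES:
        if rule.scope == "external" and not external:
            continue                                      # internal-only traffic: rule not in force

        def _sub(m: re.Match, rule: Rule = rule) -> str:
            if rule.validator and not rule.validator(m.group(0)):
                return m.group(0)                         # looks like the pattern but fails validation
            counts[rule.name] = counts.get(rule.name, 0) + 1
            return rule.replacement

        text = rule.pattern.sub(_sub, text)
    return RedactionResult(text=text, external=external, counts=counts)


# Constructed sample message; the order reference is 16 digits but fails Luhn, so it is kept.
SAMPLE_BODY = (
    "Hi Bob,\n"
    "CONFIDENTIAL: board pack attached, do not forward.\n"
    "Project Aurora launch moves to Q3.\n"
    "Card on file: 4111 1111 1111 1111.\n"
    "Order ref 1234 5678 9012 3456 should be quoted on the invoice.\n"
    "Thanks\n"
)

if __name__ == "__main__":
    for rcpts in (["bob@partner.example.org"], ["alice@example.com"]):
        result = redact_message(SAMPLE_BODY, rcpts)
        print(f"recipients={rcpts} external={result.external} counts={result.counts}")
        print(result.text)
```

Running the block shows the same message sent to a partner losing the classified line, the codename and the card number, while a copy sent to a colleague keeps everything but the card number. The `counts` field is the audit trail a gateway would emit so that security operations can see, without reading mail content, which policies fire and how often.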
Dr. Guy Bunker is an internationally renowned IT expert with over 20 years' experience in information security and IT management. Before joining Clearswift as its senior vice president of products in October 2012, Guy was a Global Security Architect for HP, and previously worked as chief scientist for Symantec and CTO of the Application and Service Management Division at Veritas.