Skip to main content

Don't overlook the risk of 'people doing people things'

security
(Image credit: Shutterstock / Song_about_summer)

With the traditional security perimeter all but eroded due to remote working, the pressure on IT departments to keep data protected has never been higher. Company data is now distributed across so many locations and home networks, that enforcing consistent data security policies no matter where people are working has become almost impossible for some organizations.

Businesses can no longer rely on security systems designed for fixed office use, as they do not offer visibility or control for businesses to understand wider security risks. Instead, it’s time for a security model that continually evaluates and reacts to changes in risk.

Cybersecurity – an afterthought?

When the UK was plunged into the first lockdown back in March 2020, it’s fair to say that many businesses were unprepared. Quick work on the part of IT and security teams allowed business to keep going. But was data protection an afterthought for some?

The attack surfaces of organizations have grown exponentially over the past year. But can IT teams truly say that they know where their data is going?

One of the concerns with remote working is that home internet routers are easy to hack and as a result, network traffic can be exposed. Gartner predicts by the end of 2021, 27 percent of corporate data traffic will bypass perimeter security, and flow directly from mobile and portable devices to the cloud. This, together with the sheer volume of data that businesses hold, create and process, means organizations no longer have the eagle-eyed line of sight over it that they once did – leaving them at risk. Corporate VPNs can also create productivity bottlenecks, so IT departments need to ensure that this is accessible and available as needed.

However, one of the biggest risks for organizations is employees and how they behave when interacting with data.

Do organizations know what employees are really doing?

With most of the country working remotely, it is unsurprising that the stresses of working at home are opening businesses up to cybersecurity attacks due to human mistakes. As we say, “people do people things”, which essentially means that behaviors will be less than the ideal some IT teams would hope for. Whether it’s a workaround or a mistake, human errors can easily impact the whole business.

Due to an increase in email volume, phishing and spoofing schemes are blending in more and more. It only takes a click of a link, download of an attachment, or response to a seemingly genuine request to share sensitive details, for an organization to be vulnerable to an attack. The amount of potentially sensitive employee, business and customer data sitting on employee laptops and in cloud applications represents an almost “too-good-to-be-true” target for malicious hackers.

In addition, nearly ubiquitous internet broadband and widespread adoption of cloud-based productivity tools has made working remote far easier. But it hasn’t come without some risks. In fact, a recent IDG study revealed that securing data moving between on-premises and the cloud was the number two data protection challenge (35 percent) after guarding against malicious damage/hacking (36 percent). While employees may be celebrating workarounds, shortcuts and creative work strategies, IT departments are desperately trying to regain control.

If organizations are to make a permanent hybrid working future as secure as possible, they need to start working with humans instead of against them.

This should start with organizations ensuring that cybersecurity is as transparent to the users as possible. This should include the risk of Shadow IT and adopting explicit permission at all access points.

Furthermore, support in the form of coaching should be given to ensure that employees understand why they may be prevented from using tools that they would normally use on personal devices.

Adopting employee monitoring

One of the biggest way’s IT departments can protect data and the wider business is by adding behavior and user activity monitoring to their security portfolio. By creating user-centric policies – based on user variables like device, network and application – you can remove the difficulties faced when attempting to protect each data usage channel (PCs, smartphones, USB sticks, email etc.).

According to the Information Security Forum, insider threats cause more than 54 percent of breaches every year. When done for the right reasons – and not used as an excuse to snoop on productivity – monitoring data usage is the only way to make sense of an always-on, incredibly busy enterprise network, and figure out what’s worth paying attention to as opposed to everyday activity.

Understanding human behaviors and differences in an employee’s intent behind a suspicious activity is crucial – whether that’s accidental, compromised or malicious. User behavior and activity solutions can determine the context and intent of a particular user’s actions, for example downloading large quantities of data, or logging on from multiple remote locations in a short period of time. This protects those who have had their accounts compromised and can shed a light on accidental breaches.

These solutions should also be created in partnership with the broader business, including worker advocates, HR and legal departments. If the whole organization and each employee understands how and why these systems are in place, the company’s security posture is strengthened.

Safer remote working

With people and data now operating outside the traditional business boundaries, it’s critical to take the right steps to keep them protected without sacrificing productivity. This means accepting that people will do people things and working with employees to ensure they truly understand cybersecurity. In addition, adopting user activity and behavior monitoring can ensure one simple mistake doesn’t put the entire business at risk.

Dr Margaret Cunningham, Principal Research Scientist, Forcepoint