Story image

Identifying security risk-takers to minimise and mitigate risk

31 Jul 2018

Article by Jeff Paine, CEO of ResponSight

Humans are predictable and habitual.

We have set ways of doing things, and our activities and behaviours rarely veer significantly.

However, when it comes to business, people in certain roles are more predictable than others. These people can be categorised in two ways: tech-savvy and non-tech savvy.

Those who are tech-savvy are often confident rule breakers and risk-takers.

Typically, they know how technology works and are in roles such as systems administrators, network administrators, security and technology analysts.

Non-tech savvy people in a business have roles that lend themselves to being accidental or inadvertent risk-takers.

They are often required to spend a significant amount of time online as part of their roles, researching and clicking on links, which unbeknownst to them can be harmful.

These individuals have roles as researchers, analysts, and investigators in business functions including advertising, marketing, and social media.

While the deliberate rule breakers tend to be easier to spot, they only represent a fraction of the staff at most companies.

It doesn’t necessarily mean that the majority of a company’s workforce is deliberately being bad actors.

These damaging actions may be as simple as accidentally opening a scam email and forwarding it on to a senior colleague.

If these types of actions will change a business’ risk profile, it’s important to quickly identify the employees responsible and understand whether further action needs to be taken.

This strategy is a change to how businesses have fundamentally approached security. Historically, business leaders have been trained to think that buying the latest technology is how security issues can be solved.

Only in the last couple of years have companies started to realise that throwing more technology at a problem doesn’t solve anything - it just causes more administrative overhead and costs without reducing risk.

It’s also no longer adequate for businesses to rely on ticking the boxes of a compliance audit. These do not often eliminate any business risk, and often fail to even properly identify it.

In today’s business landscape where security threat levels are at an all-time high, it’s just not good enough.

Sharing is caring

It’s challenging for organisations to quantify their risk level when they cannot spot who those ‘accidental’ risk-takers are, often because those people don’t realise they’re doing it.

As a result, organisations are left with the inability to understand the impact and scale of risk in their business.

This is why much more open discussions about security incidents need to happen.

When an incident occurs, the common reaction people have is they pretend nothing has happened in fear of embarrassment or recriminations and perception of possible job loss. Open discussions can remove that stigma.

Shared knowledge is shared awareness and education.

Organisations need to learn the behaviours of bad actors to ensure others can avoid enduring the same.

Attackers would also be less effective if everyone knew what they needed to look out for.  Businesses can encourage their user base to report incidents through incentives.

One example trialled in a large enterprise was rewarding users with gift cards each time they reported an incident (received during a phishing exercise).

Part of the solution, particularly to enhance the awareness of accidental risk-takers, can also include expanding incident exercises, such as white hat hacking, that are usually used to train technology teams as well as users organisation-wide.

Building trust through transparency

Every user has a unique, nuanced behavioural fingerprint.

Organisations need to take advantage of that by monitoring how each individual interacts with their computer.

This way it’s possible to analyse and detect when a user is not behaving like they normally do.

Once companies have complete visibility of their users and their behaviour, they can securely monitor their activity both inside and outside of the network by analysing users’ behaviour profiles, without collecting private or sensitive data.

This approach will retain employee trust and enable businesses to have a greater awareness of staff usage patterns, while also reducing the company’s overall risk.

More broadly, organisations need to have a much harder think about how risk can be strategically and practically used inside their business as a way to drive decision making, and ultimately help eliminate any potential security threats.

Given the current threat landscape, companies can no longer just throw technology at security problems.

They need to take a proactive approach through education, greater transparency and monitoring, to minimise any risks caused by the actions of both risk-takers and ‘accidental’ risk-takers.

Forget endpoints—it’s time to secure people instead
Security used to be much simpler: employees would log in to their PC at the beginning of the working day and log off at the end. That PC wasn’t going anywhere, as it was way too heavy to lug around.
DimData: Fear finally setting in amongst vulnerable orgs
New data ranking the ‘cybermaturity’ of organisations reveals the most commonly targeted sectors are also the most prepared to deal with the ever-evolving threat landscape.
IXUP goes "post-quantum" with security tech upgrade
The secure analytics company has also partnered with Deloitte as a reseller, and launched a SaaS offering on Microsoft Azure.
ExtraHop’s new partner program for enterprise security
New accreditations and partner portal enable channel partners to fast-track their expertise and build their security businesses.
Hackers increasingly ‘island hopping’ – so what does it mean?
Carbon Black's Rick McElroy discusses this new trend and what it means for the new age of cybercrime.
Trust without visibility is blind – Avi Networks
Enterprises are wanting to gain the trust of their customers, but are often found blindly defending themselves.
How to avoid becoming a cryptojacking victim - Bitglass
Large-scale cryptojacking is a lucrative business due to the popularity and value of cryptocurrencies like Bitcoin and Ethereum.
Symantec, Ixia combine efforts to secure hybrid networks
Ixia’s CloudLens and Symantec Security Analytics now feature complete integration, which allows Symantec customers to gain real-time visibility into their hybrid cloud environments.