Your employees provide some of the most useful access points into your business for cybercriminals. Knowing who is most likely to be targeted, and it may not be the most obvious people, will help the organisation put the right security measures in place.
By Simeon Tassev, MD and QSA at Galix
However, as new technologies are adopted, new chinks are appearing in enterprise ‘armour’- this calls for vigilance.
Secure the person, the role and the environment
Which employees are making your business vulnerable to cybersecurity losses? General users are usually least educated about risks, so the organisation should limit their access to only what they most absolutely need to access to do their daily jobs. Power users, like information technology staff and privileged users, like HR and marketing staff, are easier and very attractive targets.
HR and marketing employees have access to sensitive and privileged information but generally don’t have the technology background or awareness needed to protect the data. Two-factor authentication is important as a minimum measure in these instances. However, power users, who generally do have a strong technology background, also become targets.
Power users can be overconfident and sometimes just plain lazy. With deep knowledge of business systems, they are happy to take some risks or build in some shortcuts and backdoors that allow them to access systems without going through all the security protocols.
Unfortunately, this is exactly what cybercriminals look for. To prevent this, secure coding practices have to be enforced and become part of the organisation’s culture, with high levels of security, like biometrics, required to gain access to secure areas or data within the organisation.
Good security is security that is relevant to the person, the situation or role, and the environment.
Key steps to take include looking for the most common factors to guard against. Measure the maturity of the organisation and its component parts and apply the necessary safeguards.
To start, put together a sound security strategy, align it with security standards and implement those standards. A good place to look to ensure the most relevant standards are implemented is the CIS Critical Security Controls.
These are a recommended set of actions for cyber-defence that are derived from the most common attack patterns highlighted in the leading threat reports and vetted across a very broad community of government and industry practitioners. The controls take best-in-class threat data and transform it into actionable guidance to improve individual and collective security in cyberspace.
However, it is also important to ensure the independence of the organisation’s security advisor, whether that is someone in-house or and outsourced provider. If the person is an internal appointment, it cannot be someone who is also involved in business operations. An independent person is needed to assess controls and provide guidance.
New security matrix: the role, device, system
For example, as new technologies like cloud or artificial intelligence are adopted, the organisation will need to entirely reassess all its security.
Security is about understanding and managing risk. The conversation needs to start on a higher level to understand what is relevant. Adopting cloud or AI technologies is a strategic decision. They will bring efficiencies and new competencies to the business. However, the organisation needs to understand what adopting these technologies will mean to the security of the business.
These technologies radically alter operations and as security is implemented around the operations model of the company, the entire security aspect needs to be relooked and redesigned.
These new technologies shift risk, creating an entirely different scenario – one that requires a new security matrix based on role, device and risk per system, with a whole lot more caution needed in terms of who is granted access and at what level.
For organisations today, security is a number one priority. A good security policy needs best practices, but it also requires a solid dose of common sense and cyber ‘street smarts’ for it to remain relevant. Ensure your organisation has the right independent insight to keep your data, assets and customers’ privacy secure.