In the rush to build and grow a business, it can be hard enough to ensure that data and systems are secure. External attackers, insider threats, there’s never a dull moment for Chief Information Security Officers. The right balance between employee productivity and cybersecurity must also be respected. When security is too rigid, people can’t do their jobs. On the other hand, when employees are given carte blanche to download or access any information they take a fancy to, data breaches are not far behind. Protecting employees from cyberattacks is essential, and so too is protecting them from risky situations they can unknowingly create.
Human nature plays a huge part in cybersecurity. While there are malicious insiders in certain companies, there are also many well-meaning, but naïve or inattentive employees who can put data and IT systems at risk. In today’s digital age, it’s tempting to think that computers run everything, including security. However, as attackers well know, the fastest, easiest route to confidential data and applications is often via an unsuspecting human being. Social engineering, for example phishing emails, is a thriving activity for hackers and cybercriminals.
So, what is a conscientious CISO to do? Cybersecurity is mandatory, not optional. There’s too much at stake and too many regulations and fines for non-compliance. But while you’re not trying to win a popularity contest, it may not make sense to antagonize staff by threatening them with dire consequences for poor security. Finger pointing (“it wasn’t me, it was you!”) between employees when security incidents arise is counter-productive too. Not every accusation is justified, nor every seeming accident or mistake, well, just that. But sometimes it can seem that way, especially when risky behavior or foul play is involved. With a robust security program (and systems!) in place, you’ll not only protect employees from false accusations, but you’ll also be able to implement, update, revise and re-affirm the security policies that your organization and your employees need to keep your valuable information safe.
The bottom line? You need an effective way of protecting employees, a way that is understood and accepted, and that also protects employees from themselves – individually and collectively. It’s time for a little psychology. People learn better when theory and practice coincide. They are more likely to improve their security hygiene when they see more directly the links between what they do and the risks or effects of their actions.
Let’s take a basic security example. Somebody on the marketing team, keen to launch a new product faster, starts accessing a website or an application in the cloud that IT has not vetted for security. In many cases a company credit card and an online payment is enough to get access to such shadow IT resources. The marketer – in all innocence – may start to upload company or customer data to the cloud app for new market insights or a way of forecasting demand. Unfortunately, not all cloud apps have the data or security of their users at heart. Less scrupulous ones may even sell the data on to others.
Ideally, your company has a policy on shadow IT that forestalls the risks associated with it and that is adhered to by all. But while prevention is better than cure, not everybody reads or remembers company policies! What should the cure then be? Waiting till the credit card statement comes in or the shadow IT line item debit is noticed takes too long. So too does manually ploughing through system and network logs, trying to spot possible problems. A week down the line, the person using the shadow IT may have forgotten all about it. Without jumping down an employee’s throat (so to speak), you want to tackle this use of shadow IT as soon as it starts.
Here is where suitable use of technology can help meet a very human need. A system using behavior analytics can pick out anomalous activity from the mass of daily IT operations and interactions. That includes access to unusual network addresses or URLs, as in our example about shadow IT. Behavior analytics is, as its name suggests, the analysis of what users and systems are doing, compared to a baseline of normal activity.
A UEBA (User and Entity Behavior Analytics) application first gathers information about activity in devices, systems, and network connections in your company’s IT infrastructure. Just a few hours may be enough for the UEBA system to establish an accurate picture of usual behaviors. As other interactions occur, the UEBA system analyses them as well, automatically updating in real time its model of normal activity. In parallel, it compares individual events to test if they are normal or unusual. Such events include access to systems, connections to the network, and information flows.
The UEBA system also looks at the detail such as the time of the event, the identity and location of the user or system involved, the amount of data flowing, and the originating and end points of the data flows. In our shadow IT example, the access to a new URL could already be considered unusual. Large amounts of data being uploaded would be even more unusual. The UEBA system would then alert the IT administrators or security team to investigate further.
While some activity may be suspicious or downright malicious, let’s consider our shadow IT example as innocent but unfortunately risky behaviour. When you get a notification in real time about what is happening and who is making it happen, you also get a golden teaching opportunity! Now, we’re back in the domain of psychology and motivation. A short, friendly ‘instructional moment’ may be the right solution. If the problem is happening repeatedly, more structured training may be needed about information security, its importance, and the key do’s and don’ts.
The same principles of cybersecurity and protecting employees from attackers and from themselves can be used in many other situations, especially those where employees simply aren’t aware of the risks they create. Accessing files they didn’t know they should not access or continuing to use an illicit or compromised system account are examples.
Besides signalling needs or opportunities for educating employees, real-time alerts of risky behavior can also be the triggers for security teams to act. They can update system privileges, shut down old accounts, and do other important security housekeeping. Constructive, adaptive protection of employees as well as data keeps productivity up and security risk down. And instead of slowing it down, efficient, effective cybersecurity helps a business to do even better.
Using the insights behavior analytics provides into movement around your data flow, you get to plug existing security gaps, tweak existing security policies and so build a security culture built on real insights and knowledge. The result? You’ll be empowering your employees to work smarter by encouraging great security practices and by helping them ditch the bad habits that put your organization at risk. Even better, you’ll be instilling confidence in your customers who will be reassured that you’re protecting their sensitive information from every angle. Positive security. There’s no other kind.