Elsevier

Network Security

Volume 2016, Issue 9, September 2016, Pages 9-12
Feature
Risk-based security: staff can play the defining role in securing assets

https://doi.org/10.1016/S1353-4858(16)30087-3

Last year, US firm Ubiquiti's finance team made an urgent multi-million pound money transfer for a senior executive, only to find later that the request had been made by criminals posing as him [1]. In the UK, the exposure of customer financial details held by telecoms provider TalkTalk, seemingly caused by young hackers, has led to an exodus of disgruntled customers [2].

Enterprises are having to put mitigating security risks at the heart of their thinking, to gain better insight into potential threats and develop a genuine and lasting culture of information security.

To make this breakthrough, they will have to enlist and motivate their staff to not only follow the rules but also sound the alarm over suspicious activity. Employees are becoming the first line of defence in the new security-oriented organisation. And this change in mindset begins with new thinking on the nature of risk and potential losses from it, argues Marc Sollars of Teneo.

Section snippets

New demands

At the same time, the security industry is inevitably being asked to come up with practical measures to help a myriad organisations to secure their data. It's also being asked by companies how they can cut through all the noise and rethink the task of educating their workforce about more effective security procedures. So how can we bring best security practice by employees to the heart of everything we do in our workplace, whether it's the corporate HQ or the remotest of branch offices?

This

The rise of social engineering

Because of cloud computing's attractive instant apps, interconnected business systems, social media and the increasing number of endpoints that come with the mobilisation of work and Bring Your Own Device (BYOD) policies, a fast-emerging trend is criminals using social engineering – tricking employees into taking actions – which is rapidly replacing automated exploits as attackers' favoured way into company networks and of stealing crucial data assets. And cloud's mobile applications, sharing tools and

Time for a new approach

With every organisation potentially under attack, enterprises are having to put mitigating security risks at the heart of their thinking, gain better insight into potential threats and develop a genuine and lasting culture of information security.

To make this breakthrough, organisations will have to enlist and motivate their staff to not only follow the rules but also sound the alarm over suspicious activity. Instead of accepting the old caricature of staff being the ‘weakest link’ in

Doing the maths

Let's do the maths on risk scenarios. The organisation might be 99% likely to suffer one type of breach but only 1% likely to suffer another type of attack. It can't afford to protect against both, so which is to be the board's priority? But what if the organisation then considers that if the 99% risk happens, the potential financial cost to the business will be in the realm of £100,000, whereas the 1% risk will probably cost the organisation upwards of £1m? Which of the threats does

Cracks in the organisation

That clear-sighted approach sees high-level risk management planning under way but what are the practicalities of such a plan? The organisation itself will need the best available information on what threats are out there as well as a culture of valuing business-critical or consumers’ personal information and protecting it, which is owned and supported by all members of staff. This can be designed and delivered through the following elements:

  • A strong management commitment to information

Who stores what and where?

In the age of cloud storage and collaboration apps, many organisations’ data storage policies have lost their way. Overworked IT teams, turning a blind eye to quick-to-use storage tools and memory sticks, do not know where all of their corporate data is stored and lack a policy to enforce controls or avoid falling foul of future EU and international regulations requiring privacy and data sovereignty.

Organisations need to move away from allowing employees to use shadow IT tools or ad hoc

Control of endpoints

To bring the explosion in mobile endpoint devices under control, organisations also need security technology that enables policy standardisation across all endpoints – from fixed workstations to mobile – regardless of user location. Even if the mobilisation of work is unstoppable, companies still need to look beyond traditional security settings to work out enforceable rules without constraining their staff's freedom to act.

Laying down the rules

But the biggest challenge underpinning all these advances is ensuring that a positive security culture takes root and all the workforce's efforts are harnessed for assured handling of crucial information. As we know, it's one thing recognising that your own people can cause security breaches but it's quite another engineering a culture across the organisation to avoid such incidents happening in the first place.

The bottom line for any organisation is to develop a company-wide culture of valuing

Don't forget the basics

A lot of risks associated with staff, external contractors and suppliers can be addressed simply on their first day of employment. The company's onboarding process should be adjusted to include a short security induction for every joining employee that combines physical and virtual system security, to avoid situations such as the 2013 breach of US retailer Target, where the release of customer details was linked to compromised security systems at a supplier [4].

Whatever the reach and

Making security sexy?

Looking forward, one of the most heartening aspects of embedding a security culture in organisations is industry innovation that makes security rules and applications simpler, even enjoyable to use. In the past 18 months, software vendors have successfully recast two-factor network authentication, once reliant on clunky security tokens, as a 'single tap' two-factor authentication on mobile devices and tablets. This easy set-up makes logging in less onerous for employees but also enables staff to report

Staff in the front line

It's true that more and more businesses are taking a more intelligent, risk-managed approach to information security, changing the goalposts of best practice and turning employees into the first line of defence rather than regarding them as the weakest link. The majority of corporate security breaches could be avoided if people were properly engaged in a dynamic and inclusive way of thinking about critical business information assets.

About the author

Marc Sollars (@MarcatTeneo) is CTO of Teneo, a specialist integrator of next-generation technology, offering optimisation solutions for networks, security, storage and applications. Sollars is chief evangelist and plays a key role in identifying technologies that are early to market and can be integrated into the company's services portfolio.

References (4)

  1. M Murphy. 'CFO-Less Ubiquiti Tricked Into Wiring Hackers Large Sums'. Wall Street Journal, 7 Aug 2015.
  2. P Sandle. 'TalkTalk lost more than 100,000 customers after cyber-attack'. Reuters, 2 Feb 2016.