
Insider threats: Establishing intent and people-centricity

Published: July 21st, 2017 By: Glenn Weir

Forcepoint

The “Bring Your Own Device” movement (BYOD) is now a given in the workplace. People have come to expect free access to company computing resources. While employers’ desire to introduce tighter security controls and policies is understandable, tech solutions are no cure-all. After all, even if you give people a new set of security policies to adhere to, and overall expectations may be higher than they were in the past, people’s core habits and attendant behaviours are not going to change overnight.

It’s a myth that companies that employ a lot of tech in their security environments are airtight. An excess of security, which can have the effect of forcing people to behave a certain way, may in fact leave a company less secure. At the same time, having a staff that is not allowed to use one kind of device or another, or outlawing specific behaviours, can also have a bad effect. The best, most effective security programs appear to be those that begin and end with the people who need to be protected.

Putting the pieces in place

“Ultimately, companies must acknowledge that technology doesn’t run technology — humans do,” said Michael Crouse, Senior Director Business Solutions, Advanced Data & Insider Threat Security Business, Forcepoint. “Although the digital warriors are coming, it doesn’t need to be a tsunami. Understanding employee security practices will help companies adjust security protocols and practices to not just accommodate a changing workforce but to take advantage of the skills they bring and the technologies they use. This will revolutionize the workforce for the better.”

“Companies must build a complete security program that combines processes, procedures, and technologies in conjunction with robust auditing and logging, to ensure proper visibility into various employee and machine behaviours. Ideally, they’re also correlated within a dashboard that connects the dots, providing constant visibility into how users interact with data and systems.”

Crouse said it is all about determining employee intent and whether they are doing their jobs and being responsible when they are interacting with data, independent of where and when.

“Critical data is everywhere now — 24 per cent removable media in the enterprise; 25 per cent BYOD; 48 per cent private cloud; 20 per cent public cloud. The notion of walls around data is not a realistic approach to security. People, specifically employees and contractors, remain the one and only constant from one phase of technological change to another, and companies must make a determined study of users’ intentions and cyber behaviours at scale so they can make the workplace truly safe and secure.”

Tips for establishing people-centric security

A truly people-centric system is comprised of many essential components, including:

  • Tone-setting: Establish cybersecurity tone and tenor with employees and contractors alike, and tie this to your company’s mission. Employees want to feel they’re making a difference.
  • Training: Provide training in which it is made clear that employees must meet you halfway. There is tremendous confusion among employees about what is and is not appropriate. Don’t ignore the world they live in, but show them how to intelligently use their digital tools and talents.
  • Real-world policies: There is still a need for written policies; but these policies should convey a fresh sense of relevancy and currency to today’s workforce. Old-style “thou shalt not” company directives will not resonate.
  • Organizational visibility: Implement a people-centric program that lends complete visibility of employees at work, but balance this with privacy.
  • Auditing and monitoring: To regularly enforce those policies, deploy end-to-end network monitoring systems that can fully report real-time situational awareness of users, devices and activities on the network. Count, measure and verify.
  • Communicated enforcement: Don’t sweep violations under the rug, but rather, summarize them as training points in the daily and weekly news snippets from the front office.
  • Employee-privacy advocacy: Agencies should appoint a cross-functional group that provides oversight and guidance to cybersecurity efforts.
  • “Guarding” the guards: Monitor system administrators and other privileged users for unusual behaviors.

“There are two reasons companies are not en masse shifting their focus from traditional insider threat paradigms: first, companies remain one step behind the tech flowing in from Silicon Valley. There is so much technological change right now that it may literally be beyond our control to restore the ‘old world order’ of the walled garden.”

“Second, many organizations are faced with the daunting task of managing the rise of the insider threat from the Boomers to the Millennials. The latter cohort is set to revolutionize the workplace. The shift in the workforce landscape represents cultural and behavioral changes that require companies to understand intimately these new digital warriors so as to add their security know-how to the overall mix.”

Crouse believes visibility is the key to establishing the context of a security event, allowing security teams to tell apart inadvertent and innocent behaviour from intentional and malicious activity.

“Whether we have a big data problem or a small data problem, it is time for us to ignore the noise coming from the network or from endpoints unless they are tied to something or somebody. We must reinforce our enterprise security with one simple objective: to gain deep visibility into user behaviour.”
