The security threat landscape is evolving at an alarming rate, with companies of all sizes being impacted. At the same time, security is all too often discussed primarily in the context of threats that come from the outside. True, cybercriminals and other outside threats certainly should be top of mind, but organizations today need to recognize that there are threats within their own four walls, too.
Yes, end users, whether well-meaning or malicious, may get some attention as a potential threat vector, but still not enough. And it doesn’t end there – though IT departments and the venerable professionals who staff them deserve much credit for not only fighting a tireless battle against myriad threats but also keeping business moving, they themselves can unwittingly become a security vulnerability as well.
What follows is an outline of the top ways end users can pose a threat to the security of their organizations’ infrastructures and how, if not careful, IT professionals can potentially become their own worst enemy as well, together with tips for how IT professionals can mitigate these internal and often overlooked threats.
End Users as Security Vulnerabilities
Unbeknownst to many end users, they can pose a major threat to the security of an organization by falling victim to even simple traps. Human error alone creates a whole school of cybercrime opportunities such as phishing, watering hole attacks and other social engineering tactics. These threats don’t necessarily rely on sophisticated malware or technical vulnerabilities, but rather the psychology and behavior of people. Even without a malicious actor involved, an uneducated or careless employee or an overcomplicated procedure can result in sensitive information leaking and potentially falling into the hands of an attacker.
For IT and enterprise security teams, it can be a (nearly impossible) challenge to manage the daily activities of end users to ensure they aren’t unwittingly sharing sensitive organizational information. The trick is to start somewhere. With that in mind, here are several suggestions:
- First and foremost is education. Educating end users on simple preventative steps they can take on a daily basis to protect personal and company data is a good first step. This includes but isn’t limited to sound advice on password creation, acceptable use of non-company-managed technology (and why certain uses are unacceptable) and how to spot a social engineering attack. In all cases, practical demonstrations will typically work better.
- Educate, yes, but don’t go it alone. IT should partner with departments such as human resources and finance to help end users understand the impact breaches can have on the business. For example, having the finance department outline the potential costs of a data breach, which in turn impacts the company’s profitability and the end users’ own success, will help drive the message home for end users who may otherwise think they are immune to either the threat of cyberattack or the impact of a breach.
- Seek to reduce over-complexity and friction. IT professionals should again engage human resources and add executive leadership into the mix to talk about day-to-day processes in the business. Over-complex or convoluted routines are less likely to be adhered to, and the same goes for policies that cause friction with end users. For example, if a lot of end users leverage a public cloud file storage tool like Dropbox – creating a “shadow IT” scenario in the process – the organization might be better off adopting the platform as an official, and therefore centrally managed, tool instead of trying to ban access.
- Get organized and leverage the tools available. It’s imperative that an overall security plan and policies prioritize the end user factor. The overall lifecycle of the end user, including changes that may occur without the user leaving the company, should be considered when devising such policies. For example, when an end user switches roles or departments, they may retain access to information they no longer need.
- Increase monitoring. An organization-wide security monitoring platform complements anti-malware, data loss prevention and email security tools and allows IT to mitigate the human factor by picking up signs of abnormal and potentially dangerous behavior. It also gives IT a clearer picture of how end users are using applications, the network, systems, etc. That intelligence can then be used to inform how to best educate individuals and improve processes.
The IT Professional and the Increasing Complexities of Modern IT
While end users certainly pose a threat, something likely to be even more overlooked is how the IT department and IT professionals themselves may be specifically targeted by attackers. As the unsung heroes of business, the IT department is tasked with managing the immense complexities that come with today’s modern IT infrastructure. With BYOD, cloud, virtualization and mobility, to name just a few, there’s a great demand placed on IT to manage a host of new technologies with limited resources and budget. Further complicating their jobs is that with these new technologies and the increase of telecommuting, businesses truly no longer have four distinct walls – they’ve become porous, open and available anywhere, anytime.
With this great demand on modern IT professionals in mind, it’s easier to understand how, try as they may to avoid it, mistakes happen. The point is that the complexities of modern IT make it much more likely that IT professionals will make simple mistakes in the course of managing today’s infrastructures, and those simple mistakes can have security ramifications. What can be done? Here are a few tips:
- Simplify IT management, including security management, to reduce the likelihood of mistakes. There’s really no way to get around the increasing complexity of today’s infrastructures; however, using the right tools – such as network, server, application and database monitoring; virtualization, cloud and configuration management; and remote support and help desk software – to simplify their day-to-day management can help prevent mistakes from happening by providing necessary performance information, enabling simple issue remediation and automating routine tasks. Tools such as patch management and security information and event management (SIEM) also help to simplify the process of managing the security of infrastructures specifically.
- Watch the watchers. To prevent the accidental mismanagement of potentially sensitive data, IT departments should monitor activity that takes place by administrator accounts differently than they watch end users, and regularly audit how administrator accounts are being used. Through the auditing process, businesses can ensure sensitive data remains in the right hands.
- Trust outsiders only enough. IT departments should be cautious in what access and privileges they give contractors and third-party IT service providers, being careful not to mistakenly place too much trust in them. It should be clear what their scope is; they should be monitored extensively; and, if possible, they should be given only limited remote access.
- Apply the principle of least privilege. As with everyone else, IT professionals should also assign themselves low-credentialed accounts for day-to-day work, avoiding global administrator privileges except when absolutely necessary.
By following these best practices IT professionals can make a tremendous impact on the security of their organizations’ infrastructures. With the pace the threat landscape is evolving and growing, this is no longer a nice-to-have, but a necessity.