SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Story image
Identifying security risk-takers to minimise and mitigate risk
Tue, 31st Jul 2018
FYI, this story is more than a year old

Humans are predictable and habitual.

We have set ways of doing things, and our activities and behaviours rarely veer significantly.

However, when it comes to business, people in certain roles are more predictable than others. These people can be categorised in two ways: tech-savvy and non-tech savvy.

Those who are tech-savvy are often confident rule breakers and risk-takers.

Typically, they know how technology works and are in roles such as systems administrators, network administrators, security and technology analysts.

Non-tech savvy people in a business have roles that lend themselves to being accidental or inadvertent risk-takers.

They are often required to spend a significant amount of time online as part of their roles, researching and clicking on links, which unbeknownst to them can be harmful.

These individuals have roles as researchers, analysts, and investigators in business functions including advertising, marketing, and social media.

While the deliberate rule breakers tend to be easier to spot, they only represent a fraction of the staff at most companies.

It doesn't necessarily mean that the majority of a company's workforce is deliberately being bad actors.

These damaging actions may be as simple as accidentally opening a scam email and forwarding it on to a senior colleague.

If these types of actions will change a business' risk profile, it's important to quickly identify the employees responsible and understand whether further action needs to be taken.

This strategy is a change to how businesses have fundamentally approached security. Historically, business leaders have been trained to think that buying the latest technology is how security issues can be solved.

Only in the last couple of years have companies started to realise that throwing more technology at a problem doesn't solve anything - it just causes more administrative overhead and costs without reducing risk.

It's also no longer adequate for businesses to rely on ticking the boxes of a compliance audit. These do not often eliminate any business risk, and often fail to even properly identify it.

In today's business landscape where security threat levels are at an all-time high, it's just not good enough.

Sharing is caring

It's challenging for organisations to quantify their risk level when they cannot spot who those ‘accidental' risk-takers are, often because those people don't realise they're doing it.

As a result, organisations are left with the inability to understand the impact and scale of risk in their business.

This is why much more open discussions about security incidents need to happen.

When an incident occurs, the common reaction people have is they pretend nothing has happened in fear of embarrassment or recriminations and perception of possible job loss. Open discussions can remove that stigma.

Shared knowledge is shared awareness and education.

Organisations need to learn the behaviours of bad actors to ensure others can avoid enduring the same.

Attackers would also be less effective if everyone knew what they needed to look out for.  Businesses can encourage their user base to report incidents through incentives.

One example trialled in a large enterprise was rewarding users with gift cards each time they reported an incident (received during a phishing exercise).

Part of the solution, particularly to enhance the awareness of accidental risk-takers, can also include expanding incident exercises, such as white hat hacking, that are usually used to train technology teams as well as users organisation-wide.

Building trust through transparency

Every user has a unique, nuanced behavioural fingerprint.

Organisations need to take advantage of that by monitoring how each individual interacts with their computer.

This way it's possible to analyse and detect when a user is not behaving like they normally do.

Once companies have complete visibility of their users and their behaviour, they can securely monitor their activity both inside and outside of the network by analysing users' behaviour profiles, without collecting private or sensitive data.

This approach will retain employee trust and enable businesses to have a greater awareness of staff usage patterns, while also reducing the company's overall risk.

More broadly, organisations need to have a much harder think about how risk can be strategically and practically used inside their business as a way to drive decision making, and ultimately help eliminate any potential security threats.

Given the current threat landscape, companies can no longer just throw technology at security problems.

They need to take a proactive approach through education, greater transparency and monitoring, to minimise any risks caused by the actions of both risk-takers and ‘accidental' risk-takers.