Humans are both organizational assets and operational security risks. The human desire to cooperate and overlook small details in favor of larger themes is a boon when it comes to corporate culture and cooperation, but a significant barrier to effective cybersecurity.
Recent data from the Ponemon Institute's 2020 Cost of Insider Threats Global Report spells it out: The risk of insider threats has tripled in the past three years, and each incident costs companies an average of $11.45 million to fully remediate.
Despite the rising costs of insider threats, however, organizations can’t ignore the growing need for technology adoption. From IoT and wearable devices to always-on mobile and cloud solutions, empowering staff to work anytime, anywhere, is now essential.
This creates a paradox: Tech-savvy employees drive sustainable corporate success but introduce massive information security risk. Let’s dig into the current challenges, common threats and critical tactics required to effectively human-proof an organization’s endpoint security.
The Top Actions That Lead To Insider Threats
In about 62 percent of cases, insider threats are negligent rather than malicious. But intent doesn’t alter results: Compromised networks put critical data at risk. Some of the top insider threat actions include:
- Oversharing: As noted by the Harvard Business Review, social media use in the workplace can improve employee engagement. But it also introduces an easy route to oversharing critical company data or access information.
- Using shadow IT: Staff use the apps that work for them, even when the IT department doesn’t approve or isn’t aware of them. Recent research found that companies typically have 15 to 22 times more applications running on their network than are greenlighted by IT.
- Ignoring the rules: Solid policies, such as not connecting to corporate networks over public Wi-Fi, reduce the risk of compromise but are often disregarded by staff; 63 percent say they’ve used public connections to access work email and files.
Policies, Programs and the People Problem
The shortest route to improved information security? Basic hygiene. This includes regular network scans, robust access controls and recurring employee education to help mitigate the impact of common threats. But achieving this kind of cybersecurity cleanliness is easier said than done; while companies typically rely on the one-two punch of policies and programs, they often fail to connect. Here’s why.
- Policies: These include controls for password creation, network connections and device compromise. Eric Kiser, IT Security Manager at the Virginia Cyber Range, says that his organization has implemented “very strict rules about how to connect remotely to our systems,” in addition to mandated password complexity rules and regular network monitoring to identify potential threats. While he notes that “this is probably basic to security professionals,” these policies form the critical foundation for effective cyberhygiene.
The problem? Despite existing controls and clear consequences, users often ignore good policy — especially if they’re in a hurry.
- Programs: Cybersecurity education can help bridge the gap between policies and prevention. Kiser points to regular phishing campaigns that include “initial training and regular training upon failure.” He also stresses the benefit of making security personal: “For example,” he says, “I have used Hashcat, Hydra and John to crack passwords to rogue unapproved apps that individuals have placed on the network. I then present the method I used (with fake login info) to crack the system. This method has proved effective in getting individuals to think about what they put on the network.”
The challenge? Although these programs are effective, they can only do so much; evolving threat vectors often outpace educational outcomes.
Ensuring Security by Design
While policies and programs underpin effective IT security, there’s also a growing need for endpoint technologies that deliver security by design. Consider the humble internet browser, used by staff for everything from checking email to finding contact information or sourcing key statistics.
Among businesses, this market is now dominated by Chrome; as noted by David Michael Smith of Gartner, “Most enterprises still have a ‘standard’ browser, and most of the time, that's something from Microsoft. These days it's IE11. But we've found that people actually use Chrome more than IE.”
As part of the larger Chrome Enterprise offering — which includes Chromebooks powered by the cloud-native Chrome OS — Google delivers in three key areas to help companies effectively address their people problems:
- Security by design: Chromebooks use a verified boot process to confirm OS security and leverage two OS versions to ensure functionality if one is compromised. The Chrome browser includes threat sandboxing, and Google Safe Browsing helps warn users about potential threats. In addition, Google recently cut the Chrome “patch gap” in half, from 33 days down to 15.
- Managed Android applications: Using the Chrome OS, administrators can control the deployment of Android applications on user Chromebooks. In addition to specifying allowed and disallowed apps, IT admins can also prevent the addition of a second Google account to user profiles, and synchronize all Google Chrome OS CA certificates to ensure app security is up to date.
- Existing threat protection: From safe browsing to read-only operating systems and permissions-based blacklisting, the Chrome OS and Chrome browser help mitigate the impact of potential phishing, ransomware and email compromise threats accidentally introduced by insiders.
- Insider threat defense: Chrome OS also includes policies that help reduce the risk of in-situ attacks by preventing screenshot capture while in secure network environments and disabling USB ports on locked Chromebooks.
The bottom line: Human-proofing starts with policies and programs that recognize the scope of potential compromise. Practical application at scale, however, demands endpoint technologies capable of minimizing insider threat impacts.