Identifying security risk-takers to minimise and mitigate risk

31 Jul 2018

Article by Jeff Paine, CEO of ResponSight

Humans are predictable and habitual.

We have set ways of doing things, and our activities and behaviours rarely veer significantly.

However, when it comes to business, people in certain roles are more predictable than others. These people can be categorised in two ways: tech-savvy and non-tech-savvy.

Those who are tech-savvy are often confident rule breakers and risk-takers.

Typically, they know how technology works and are in roles such as systems administrator, network administrator, and security or technology analyst.

Non-tech-savvy people in a business tend to hold roles that make them accidental or inadvertent risk-takers.

They are often required to spend a significant amount of time online as part of their roles, researching and clicking on links that, unbeknownst to them, can be harmful.

These individuals have roles as researchers, analysts, and investigators in business functions including advertising, marketing, and social media.

While the deliberate rule breakers tend to be easier to spot, they represent only a fraction of the staff at most companies.

This doesn’t mean that the majority of a company’s workforce are deliberate bad actors, but their actions can still be damaging.

Those damaging actions may be as simple as accidentally opening a scam email and forwarding it to a senior colleague.

When such actions change a business’s risk profile, it’s important to quickly identify the employees responsible and understand whether further action needs to be taken.

This strategy is a change to how businesses have fundamentally approached security. Historically, business leaders have been trained to think that buying the latest technology is how security issues can be solved.

Only in the last couple of years have companies started to realise that throwing more technology at a problem doesn’t solve anything: it just adds administrative overhead and cost without reducing risk.

It’s also no longer adequate for businesses to rely on ticking the boxes of a compliance audit. Such audits rarely eliminate business risk, and often fail even to identify it properly.

In today’s business landscape where security threat levels are at an all-time high, it’s just not good enough.

Sharing is caring

It’s challenging for organisations to quantify their risk level when they cannot spot who those ‘accidental’ risk-takers are, often because those people don’t realise they’re doing it.

As a result, organisations are unable to understand the impact and scale of risk in their business.

This is why much more open discussions about security incidents need to happen.

When an incident occurs, the common reaction is to pretend nothing has happened, for fear of embarrassment, recrimination or a perceived risk of job loss. Open discussions can remove that stigma.

Shared knowledge is shared awareness and education.

Organisations need to learn the behaviours of bad actors so that others can avoid suffering the same.

Attackers would also be less effective if everyone knew what to look out for. Businesses can encourage their user base to report incidents through incentives.

One example trialled in a large enterprise was rewarding users with a gift card each time they reported an incident (including those received during a phishing exercise).

Part of the solution, particularly for raising the awareness of accidental risk-takers, can also include extending incident exercises such as white-hat hacking, which are usually used to train technology teams, to users organisation-wide.

Building trust through transparency

Every user has a unique, nuanced behavioural fingerprint.

Organisations need to take advantage of that by monitoring how each individual interacts with their computer.

This way it’s possible to analyse that behaviour and detect when a user is not acting as they normally do.

Once companies have complete visibility of their users and their behaviour, they can securely monitor activity both inside and outside the network by analysing users’ behaviour profiles, without collecting private or sensitive data.
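As an added example (not the article’s or ResponSight’s own code), this Python sketch builds a per-user baseline from constructed, content-free activity metadata and flags a day that departs from that user’s own norm rather than from a company-wide average; the users, features, thresholds and sample values are all assumptions.

```python
# Per-user behavioural baseline and deviation check: an added illustration of
# the article's "behavioural fingerprint" idea, not ResponSight's product code.
# Records are constructed and carry activity metadata only (login hour,
# distinct hosts contacted, MB sent), never message content or personal data.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10 routine days for two users with different norms.
BASELINE = [
    {"user": "alice", "login_hour": 9 + (d % 2), "hosts": 3, "mb_out": 40 + d}
    for d in range(10)
] + [
    {"user": "bob", "login_hour": 8, "hosts": 12 + (d % 3), "mb_out": 300 + 5 * d}
    for d in range(10)
]
FEATURES = ("login_hour", "hosts", "mb_out")

def build_profiles(records):
    """Return {user: {feature: (mean, stdev)}} learned from routine days."""
    by_user = defaultdict(lambda: defaultdict(list))
    for r in records:
        for f in FEATURES:
            by_user[r["user"]][f].append(r[f])
    return {u: {f: (mean(v), pstdev(v)) for f, v in feats.items()}
            for u, feats in by_user.items()}

def deviations(profile, observation, threshold=3.0, floor=1.0):
    """Features more than `threshold` stdevs from this user's own norm.
    `floor` stops a near-constant feature from firing on trivial changes."""
    flagged = {}
    for f, (mu, sigma) in profile.items():
        z = (observation[f] - mu) / max(sigma, floor)
        if abs(z) > threshold:
            flagged[f] = round(z, 1)
    return flagged

def check_day(profiles, observation):
    """Score one user's day; a user with no baseline is reported as such."""
    prof = profiles.get(observation["user"])
    if prof is None:
        return {"unknown_user": True}
    return deviations(prof, observation)

if __name__ == "__main__":
    profiles = build_profiles(BASELINE)
    # alice at 02:00 pushing 900 MB to 40 hosts is far outside her own norm
    print(check_day(profiles, {"user": "alice", "login_hour": 2, "hosts": 40, "mb_out": 900}))
    # bob's day sits inside his own, higher-volume baseline and raises nothing
    print(check_day(profiles, {"user": "bob", "login_hour": 8, "hosts": 13, "mb_out": 320}))
```

The point of the per-user profile is that bob’s ordinary day would look alarming against alice’s baseline and vice versa, which is why a single organisation-wide threshold misses the accidental risk-taker the article describes.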

This approach will retain employee trust and enable businesses to have a greater awareness of staff usage patterns, while also reducing the company’s overall risk.

More broadly, organisations need to think much harder about how risk can be used strategically and practically inside their business to drive decision making and, ultimately, help eliminate potential security threats.

Given the current threat landscape, companies can no longer just throw technology at security problems.

They need to take a proactive approach through education, greater transparency and monitoring, to minimise any risks caused by the actions of both risk-takers and ‘accidental’ risk-takers.
