Rule number one for any security plan is always the same: secure the perimeter. That works with castles just as well as it does with business data. So you’ve got your firewalls, and encryption, and VPN access for a select few employees who really need it.
Nothing is foolproof, of course, but you feel pretty good about your chances against outside hackers. And for good reason too—your perimeter is secure. Just don’t forget there’s an office full of people who already have access to your network, and they don’t need to be computer savvy geniuses to do real damage.
Employees: Asset and Threat
This was a key finding in the 2016 State of the Endpoint Report, based on a survey conducted by the Ponemon Institute (which, yes, does look and sound like Pokemon). 81% of respondents said their biggest security threat these days is their own careless employees, who don’t follow security policies. That number is almost identical to the share of respondents who said their endpoints had been the target of malware attacks in the past year—80%. There’s a direct correlation between these numbers. And the 1% difference means there’s a small group of respondents who did not suffer a malware attack, but still think their employees aren’t so bright when it comes to security. That’s so IT.
Add to negligent employees the proliferation of mobile devices in the last 5 years. Laptops have been the standard for a long while, but now everyone has a smartphone. Both these devices have access to your network, and keeping them secure is the employee’s responsibility. That might be all right for your IT staff, but the HR department isn’t going to be as vigilant. It only takes one connection to a public WiFi hotspot—the phone remembers it and logs in automatically after that. Every time that phone goes somewhere it has previously connected, a door into your business’s data is opened.
Endpoint security software at the device level is the most reliable protection against this threat. But even that only goes so far; no software in the world is a match for your employee who leaves his laptop open and logged in while he uses the restroom at Starbucks. This underscores a larger point about enterprise network security that often goes unspoken.
Keeping your network and data secure is, more often than not, a human problem, not a technological one. Any solution to the problem, then, must address this fact. This isn’t said to discount the benefits of using technology to detect and respond to threats or suspicious activity. When malware is the problem, software is the answer. How that malware gets installed, though—that’s often where humans come in.
Earlier this year, Sailpoint published the results of their Market Pulse Survey. Some of the results were unsurprising, revealing that a third of the respondents shared their passwords with co-workers. No policy or enterprise network security app can prevent this from happening. The only way to combat this is to make password sharing impractical. Disabling concurrent logins is a nice band-aid, nothing more than a clever workaround. Monitoring the network activity associated with specific credentials, however, and then shutting the account out immediately if anything suspicious arises, forces a human intervention to resolve the situation. The user will have to come forward to get access back.
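The monitoring approach described above, as an added example that is not part of the original post: it replays constructed login/logout records, flags a credential whose active session overlaps a new login from a different host (what a shared password looks like in the logs), and returns the accounts to suspend until the user comes forward. The log format, the 8-hour session expiry and the sample lines are assumptions.

```python
# Added example (not from the original post): detect credential sharing as
# overlapping sessions of one user from two hosts, and name accounts to lock.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "timestamp user event source_ip"
SAMPLE_LOG = """\
2016-03-01T09:00:00 alice login 10.0.1.15
2016-03-01T09:05:00 bob login 10.0.1.22
2016-03-01T09:10:00 alice login 10.0.2.40
2016-03-01T09:30:00 bob logout 10.0.1.22
2016-03-01T09:31:00 bob login 10.0.1.22
2016-03-01T10:00:00 carol login 10.0.1.9
2016-03-01T10:05:00 carol logout 10.0.1.9
2016-03-01T10:06:00 carol login 203.0.113.7
"""

SESSION_TTL = timedelta(hours=8)  # assumption: a session with no logout expires after 8h

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        ts, user, event, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, event, ip))
    return sorted(events)  # chronological order

def find_shared_credentials(log_text, ttl=SESSION_TTL):
    """Return {user: [(existing_ip, new_ip, when)]} for every login that
    overlaps a still-active session of the same user from another host."""
    active = defaultdict(dict)   # user -> {ip: login_time}
    findings = defaultdict(list)
    for ts, user, event, ip in parse(log_text):
        for old_ip, started in list(active[user].items()):
            if ts - started > ttl:        # drop sessions that never logged out
                del active[user][old_ip]
        if event == "logout":
            active[user].pop(ip, None)
            continue
        for other_ip in active[user]:
            if other_ip != ip:            # same user, different host, at the same time
                findings[user].append((other_ip, ip, ts))
        active[user][ip] = ts
    return dict(findings)

def accounts_to_lock(log_text):
    """Accounts to suspend until a human explains the concurrent access."""
    return sorted(find_shared_credentials(log_text))
```

Note that carol's move from one host to another after logging out is not flagged; only alice's two simultaneous sessions are.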
True Enterprise Network Security Comes From Within
Things get trickier when the problem isn’t just with careless mishaps. What about employees who willingly do harm to their employers?
The Market Pulse Survey also found that one in five employees would sell their passwords to outsiders. Of this group of people, nearly half said they’d do it for less than $1,000. That’s a pretty low number for something so inherently risky, and you have to wonder at the motivation. It could be desperation for money, or just plain old vindictiveness. In either case, the only preventive measure is to proactively check in with people and see how they’re doing. You may not find out that anybody’s unhappy this way, but people also tend to be happier working where they feel valued.
And if you do happen to identify someone who seems disgruntled, be very careful with how you proceed. An unhappy employee can become a very angry ex-employee quickly. You can shut down that person’s account, but that’s not necessarily the end of that. In 2013, a man named Robert Steele got caught poaching some documents from the government contractor he used to work for, in order to help out his new employer. He used a secret account with Administrator privileges, which he probably made before he left for just such a purpose. When he first left his original employer, they shut his account down, but no one looked to see if there might have been any other way he could get in.
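The lesson of the Robert Steele case, that disabling one account is not the end of offboarding, turned into an added check that is not part of the original post: given constructed directory records, it lists enabled accounts still owned by a departed employee, privileged accounts with no active owner, and privileged accounts the departed employee created. The record layout, the employee ids and the sample accounts are assumptions.

```python
# Added example (not from the original post): audit for leftover access paths
# after an employee leaves, instead of stopping at "their account is disabled".
from dataclasses import dataclass

@dataclass
class Account:
    name: str
    owner: str        # employee id the account is tied to, "" if none recorded
    created_by: str   # employee id that created the account
    privileged: bool  # Administrator or equivalent rights
    enabled: bool

# Constructed sample data; "e1" is the employee who just left.
ACTIVE_EMPLOYEES = {"e2", "e3"}
DEPARTED = {"e1"}
ACCOUNTS = [
    Account("rsteele", "e1", "e0", True, False),     # disabled at offboarding: fine
    Account("jdoe", "e2", "e0", False, True),
    Account("svc-backup", "", "e1", True, True),     # admin account e1 created, no owner
    Account("svc-monitor", "e3", "e1", False, True), # e1 created it, but e3 owns it
    Account("admin-db", "e2", "e1", True, True),     # admin account e1 created for e2
    Account("admin2", "e1", "e1", True, True),       # still enabled for the leaver
]

def offboarding_findings(accounts, active, departed):
    """Return (account, reason) pairs that need review after an offboarding."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue
        if a.owner in departed:
            findings.append((a.name, "enabled account owned by departed employee"))
        elif a.privileged and a.owner not in active:
            findings.append((a.name, "privileged account with no active owner"))
        elif a.privileged and a.created_by in departed:
            findings.append((a.name, "privileged account created by departed employee"))
    return findings
```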
Unfortunately, this is the world we live in. Whether through carelessness or malicious intent, employees represent a security risk for the companies that hire them. Sure, a large majority of workers are good people doing their best; it would be wrong to view any company’s workforce through that single lens of “security threat.” At the same time, that doesn’t mean it’s the right idea to exclude them from scrutiny. You can protect your network against the worst and still expect the best from your employees.
Sometimes employees don’t even realize that their actions pose a security threat to the organization. Take Shadow IT, for example: through it, any employee could endanger your security without realizing they’re doing something risky. That is why IT security must look into specific tactics to protect company information from Shadow IT, rather than relying on traditional perimeter security alone.