The PEBCAK scenario: securing systems against non-malicious employees

Ever use the expression PEBCAK? What about ID-Ten-T error?*

While many variations exist, they all mean the same thing: user error. Set aside the negative sentiment and it is effectively shorthand for "not our fault."

In the world of, say, technical support, perhaps this expression might be acceptable. Many tech support teams exist simply to ensure their widgets are functioning correctly. But when an IT representative uses such terms to refer to a user within the organization, shouldn’t it raise a red flag?

After all, the IT department is responsible for ensuring that online assets – be they account details, customer data, or strategic plans – are available to the right people at the right time. And this statement inherently means that IT is also responsible for ensuring that assets are unavailable to unauthorized people at ALL times.

This job would be so much easier if IT teams could trust their fellow employees. Putting aside the threat of employees with malicious intent (we’ll talk about this in a later post), we’d argue that an IT team shouldn’t trust employees, regardless of their trustworthiness, good intentions, or seniority.

The threat of the non-malicious employee

These people accidentally lose devices that are not password protected or encrypted. They receive phishing emails enticing them to click a link that lets an attacker spy, steal data or disrupt operations. They take phone calls from people claiming a right to sensitive information. And, if they are feeling particularly nice that day, they might even hold open the door for a grateful malfeasant pretending to be an employee…

In short, non-malicious insiders are just people, and people simply make mistakes. With that in mind, is it surprising that non-malicious insiders rank as the number two threat (just behind cybercriminals), according to a report presented by RSA Conference and ISACA?

What’s the recommended protection strategy?

Your secret weapon here is a layered defense strategy.

Layering your protection can secure a business’s critical assets, even from non-malicious employees.

Now, we’re not just talking about security software to fend off today’s attacks. To best protect against the second biggest cyber threat for organisations, the layered defence strategy ought to include the following elements:

Education:

While we all know that education is important, it remains one of the most overlooked and least adopted security measures.

It is baffling that IT teams don’t buy into it more. Educated employees are much more likely to be wary of suspicious content, thereby significantly reducing your threat exposure. And, if you lack the resources to provide good training in house, outsource it to security experts.

We do not recommend a training session that scares employees. You do not want anyone to shy away from their responsibilities or to wrongly assume you are exaggerating the threat. Instead, find engaging ways to educate insiders on the most prevalent tricks used by malicious outsiders. In other words, apply the 80-20 rule: concentrate on the handful of techniques (phishing, pretexting phone calls, tailgating, lost devices) that account for most incidents.

You could find recent eye-opening examples from the press of how an employee was fooled, set up brain-teaser scenarios for them to consider, or run an in-office "10 rules of digital engagement" campaign to drum in best security practices. All that matters is that the main messages you want to impart are not only understood but put into practice across the whole organisation.

Software:

Security software needs little explanation. We all know we need it. From intrusion detection software that reports unusual or suspicious behaviour, firewalls that filter or block traffic, all the way to encryption and anti-malware software, there is no shortage of security solutions available.

But that can be part of the problem. The key is to understand what you are trying to protect and to get experts to advise you on a cost-effective (and layered) security solution tailored to your needs. As always with security, it is a question of balance between availability, integrity and confidentiality, as well as budgets.

Policies:

Your policy strategy is the engine that, if properly implemented and maintained, means that your IT teams can focus on business enabling solutions rather than running around fire-fighting.

Without policies, guidelines for the rules of engagement get hazy, and that can seduce a company into taking a more relaxed approach. By relaxed, we mean more risky, leaving you more vulnerable to both malicious attacks and human errors. Policies help to ensure that even when you are distracted or stressed out, you adhere to the plan.

Policies need to apply to education, for example a policy that all employees must attend online security awareness training (and, of course, enforcing it), as well as to software, for example a policy that ensures the network is pen tested and vulnerability scanning is run at regular intervals.


About TBG Security Inc.

TBG Security is a leading provider of information security and risk management solutions for Fortune 100 and Fortune 500 companies. TBG designs and delivers cyber security solutions to work in harmony with existing operations. Companies depend on TBG services in areas including risk management, penetration testing, security policy development, security strategies for compliance, business continuity, network security, managed services, software and service integration and incident response.

For more information on how TBG Security can help your organization with your information security initiatives please visit https://tbgsecurity.com.
