“In this world nothing can be said to be certain, except death and taxes,” Benjamin Franklin once famously quipped. Now, according to Adam Levin of Credit.com, we can include a third certainty – data breaches.
In the article linked above, the writer details some sound password security tactics to defend against data breaches. He then summarizes with a clarion call to ramp up IT security training for employees:
“Most hacking episodes occur when employees click on malicious links or websites. Security experts agree that education is the best defense. Train employees in security principles, password etiquette, Internet guidelines, and spotting suspicious emails – and specify violation penalties.”
It’s good advice. At IdentityWeek we’ve long written about the security threats enterprises face from inside the firewall. The problem is that many companies’ efforts have the appearance of ineffective security theater.
Some CISOs seem to think that by educating employees about the dangers of clicking risky links or downloading unvetted applications onto their machines, these users will stop their dangerous behavior.
The truth is that while employee training can prevent some IT security incidents, it’s hardly a cure-all.
Insider Threats Are Usually Not Malicious
Malicious hackers prey upon your enterprise users. They know that no matter how many times your employee may hear about IT security policies and risks, eventually that user will click a questionable link on Facebook or be tricked by a targeted spear phishing attack.
It’s inevitable that mistakes will happen. After all, there is a human working at each keyboard attached to those networked PCs. Humans are fallible. They have bad days. And sometimes they don’t stop to think whether they’re putting their employer’s assets at risk.
In the case of an employee who has elevated access, an attacker who entices the worker into infecting one computer also gains privileged access into the network. The worker’s account becomes the proxy for the hacker. And the hacker knows how to leverage this access for further attacks deeper into the network.
Regardless of how much time and money your organization spends on IT security training, if any of the following examples apply to your situation, you could be vulnerable to cyber attacks made possible by the insider threat:
- Administrative credentials that are not frequently changed. This leads to privileged passwords that become known to too many current and former employees.
- Computers and network appliances that share common username and password logins. This exposes large portions of the IT infrastructure if a single account is compromised.
- The storing of administrative passwords on spreadsheets placed in well-known or unmonitored locations.
- Failure to adopt a “continuous compliance” approach to cyber security, searching out new vulnerabilities and mitigating them before they provide the opening for an attack.
All About Reducing Security Risks
Today, if your organization runs a network, you’re a target for cyber attack. We’ll likely never eliminate all threats, but with a sound, layered IT security approach we can reduce their impact. And when it comes to mitigating the risks of negligent insiders, organizations need to move beyond basic IT security training and look for ways to limit the damage with a sound insider threat solution.
Here are your first steps – ensure that you’re tracking and changing administrative credentials; that multiple computers, network appliances, or applications don’t share identical credentials; and that there are no passwords stored on spreadsheets or other locations with unmonitored access. Then, enact processes to continuously scan the IT infrastructure for new vulnerabilities and take preemptive action.
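As an added illustration of the first two steps above (this is example code, not from the original post or from IdentityWeek), the following Python script audits a constructed credential inventory for one password reused across several devices and for privileged accounts that have not been rotated within a set window. The inventory layout, the hash values and the 90-day rotation threshold are assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample inventory (not real data): one record per administrative
# or local account on each host or appliance. "pw_hash" stands in for the
# salted hash a credential-inventory tool would report; identical values mean
# the same password was set on several devices.
INVENTORY = [
    {"host": "fw-edge-01", "user": "admin", "pw_hash": "h:3f2a", "rotated": date(2014, 1, 10), "privileged": True},
    {"host": "sw-core-01", "user": "admin", "pw_hash": "h:3f2a", "rotated": date(2014, 1, 10), "privileged": True},
    {"host": "sw-core-02", "user": "admin", "pw_hash": "h:3f2a", "rotated": date(2014, 1, 10), "privileged": True},
    {"host": "db-prod-01", "user": "root",  "pw_hash": "h:9c1e", "rotated": date(2015, 8, 2),  "privileged": True},
    {"host": "ws-0117",    "user": "jdoe",  "pw_hash": "h:77b0", "rotated": date(2015, 9, 1),  "privileged": False},
]


def shared_credentials(inventory, min_hosts=2):
    """Map each password hash reused on at least min_hosts devices to the sorted list of those hosts."""
    hosts_by_hash = defaultdict(set)
    for rec in inventory:
        hosts_by_hash[rec["pw_hash"]].add(rec["host"])
    return {h: sorted(hosts) for h, hosts in hosts_by_hash.items() if len(hosts) >= min_hosts}


def stale_privileged(inventory, today, max_age_days=90):
    """List (host, user, age_in_days) for privileged accounts whose password is older than max_age_days."""
    stale = []
    for rec in inventory:
        if not rec["privileged"]:
            continue  # rotation policy here applies to privileged accounts only
        age = (today - rec["rotated"]).days
        if age > max_age_days:
            stale.append((rec["host"], rec["user"], age))
    return stale


def audit(inventory, today, max_age_days=90):
    """Run both checks and return the findings together."""
    return {
        "shared": shared_credentials(inventory),
        "stale": stale_privileged(inventory, today, max_age_days),
    }


if __name__ == "__main__":
    findings = audit(INVENTORY, date(2015, 10, 1))  # assumed audit date
    for pw_hash, hosts in findings["shared"].items():
        print(f"shared password {pw_hash} on {len(hosts)} devices: {', '.join(hosts)}")
    for host, user, age in findings["stale"]:
        print(f"stale privileged credential {user}@{host}: {age} days since rotation")
```

In practice the inventory would be fed from a credential vault or discovery tool rather than a literal list, and the findings feed a rotation ticket rather than stdout.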