Comments on the recent survey from CompTIA showing that human error is responsible for 52 percent of security breaches, and that “human error…is a problem without an obvious solution” Nathan Wenzler, Senior Technology Evangelist at Thycotic, who disagrees with the point made in this CompTIA report that employee training is the only solution to mitigate human-error related breaches.
Nathan Wenzler, Senior Technology Evangelist, Thycotic:
When reading the recent CompTIA IT security report, I was shocked to learn the general sentiment amongst IT teams is that employee training is the only tactic for reducing the chance of human-error related data breaches. There are numerous technologies out there that companies can successfully implement to help prevent their employees from accidentally causing data breaches, and there’s clearly a knowledge gap here that needs to be addressed.
While training and education are certainly important components to any sound defense in depth security strategy, there are a variety of technologies that can limit and control the way that employees access and manipulate data. These technology solutions, when implemented well, help to mitigate and limit the risk for human errors to take place at all. And the reality that the IT teams interviewed are overlooking is that there are options at every level of defense that can improve their overall security posture.
So, how does an organization decide where to invest their limited budgets to try and get their arms around this problem? When it comes to the risk of data breaches, as a November 2014 IANS survey revealed, over 60% of breaches come from abuse of privileged credentials. Employees are often the people who either maliciously or accidentally abuse these credentials, which provide elevated access to the business critical data that organizations are most concerned about protecting. It’s here where actively monitoring and controlling these credentials with a robust enterprise Privileged Account Management (PAM) solution puts a technical control in place that will limit the human error factor for these data breaches.
As an example, most IT professionals will likely admit to using spreadsheets, text files, or even sticky notes to maintain their privileged account usernames and passwords. This practice puts all of their employer’s sensitive data at risk by leaving open far too many possibilities for human-error related breaches. Employees can accidentally duplicate these spreadsheets, store the spreadsheets in unauthorized folders or email the spreadsheets to the wrong person, and no amount of training can guarantee that mistakes like this won’t occur.
Enterprise PAM tools also provide extensive abilities to control which employees can access these credentials, what they can do with those credentials and monitor their activity while they utilize them. Since we know that most data breaches come from abuse of privileged credentials, and that human error is the largest cause of data breaches, these tools will provide strong controls to reduce the potential for employees to make mistakes or inadvertently access important data. Privileged Account Management solutions will even address a large number of technical weaknesses that can exist at many layers of a network (such as implementing automated rotation of privileged account passwords and increasing their complexity).
When companies use more secure technologies such as Privileged Account Management tools for storing and managing privileged accounts and their passwords, IT admins can ensure that the employees in their organization have fewer opportunities to abuse these accounts and thus, reduce the risk of data breaches throughout every level of the organization.
You can view the CompTIA report here, and a recent CSO article summarizing the report’s findings here.
Duo Security RSAC 2015 – Register to win a free Quadcopter
BIO : Nathan has over a decade of experience designing, implementing and managing both technical and non-technical solutions for IT and Information Security organizations. Throughout his career, Nathan has helped government agencies and Fortune 1000 companies build new information security programs from scratch, as well as improve and broaden existing programs with a focus on process, workflow, risk management, and the personnel side of a successful security effort. Currently as the Senior Technology Evangelist for Thycotic, Nathan brings his expertise on security program development and implementation in both the public and private sector to admins, auditors, managers, and security professionals at a variety of conferences, trade shows, and educational events.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.