From all of the security controls an organization could deploy, which one do you feel adds the most actual value for day-to-day information security and why?
People are not likely on the list of security controls available to IT organizations, but they should be. Let’s consider why. The 2103 Cost of Data Breach Security from Ponemon repeatedly points out that “US and UK companies received the greatest reduction in data breach costs by having a strong security posture.” If we dig into what that means as measured by Ponemon’s security effectiveness score (SES) you’ll see “people” occupy the top four of five drivers that lead to a high SES: the appointment of a CISO, training and awareness of employees, a corporate culture that respects privacy and data security, and executive-level support for security.
All four of these factors rely on people. Culture is derived from people’s attitudes, which is influenced by their training and awareness and lead by a strong, security minded CISO that understands the importance of having people on their side when it comes to security and executives that support the programs necessary to implement and educate.
If we look at recent notable breaches or the proliferation of particularly nasty malware we see a common thread: they all rely on people as the transport into the organization. Whether it’s an infected site and a phishing scam or a watering hole attack, malware delivery increasingly relies on people to get where it wants to be. Like practicing good hygiene habits reduces the incidence of epidemics, practicing good security habits can reduce the incidence of infections and breaches.
But that requires people, and education and repeated reminders that they are an integral part of the organization’s security posture.
We can deploy data center and web application firewalls, and institute a strict “deny all” policy for access at the network layer coupled with strong application access security, but that just means attackers will look for an easier route in. And the easiest route in is through people who aren’t properly trained or educated or aware of how their actions might impact the organization.
Sure, we tell them “don’t click on links in your e-mail that come from people you don’t know.” But we don’t tell them why, or how the bad guys impersonate their friends to coerce them into becoming the next malware carrier that infects the entire corporate network.
We’ve all read the reports that cite “insiders” as a significant source of breaches and note that your employees are your biggest threat. But they can also be your biggest ally if you focus on educating and arming them with the knowledge and tools they need.
Lori MacVittie | F5, Sr Product Manager | @lmacvittie
To find out more about our panel members visit the biographies page.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.