It’s a well-known fact that hackers are drawn to the stink of bad security hygiene. And yet, according to a recent study from the Ponemon Institute, security hygiene is actually getting worse. A mere 39 percent of surveyed end users “believe they take all appropriate steps to protect company data accessed and used in the course of their jobs.”
This is particularly troubling given the success hackers had in 2016 – the Identify Theft Resource Center tallied just under 1,000 data breaches – and it begs the question: How can businesses improve employees’ security hygiene?
Here are three places to start:
1. Refine User Security Controls
This is a tricky one for small and medium-sized businesses. Ideally, an organization would want to create a clear division of labor for the purposes of limiting the amount of data access afforded to each employee. This helps to ensure that no single worker has too much information at a given time. That said, SMBs tend to have fewer employees wearing more hats, making user access a tough nut to crack.
Nevertheless, there are a few basic ways businesses of any size can improve user security controls (these are especially critical for health care institutions and banks):
- Segregate duties where possible.
- Make IT administrators, senior managers and other staff who handle sensitive data sign non-disclosure agreements.
- Perform ongoing security screening of IT workers/ administrators with the highest level of access.
- Frequently refresh authentication credentials for all employees.
That last bullet point is especially important since so many social engineering schemes are aimed directly at stealing user credentials. It also helps prevent privilege creeping, which happens when certain employees begin to accumulate credentials to systems they might not necessarily need any more. A privilege creep quickly becomes a liability since he or she can freely access potentially sensitive data.
2. Educate Employees
As the late, great Thomas Jefferson once said, “Education is the great equalizer.” In the war against cybercrime, this couldn’t be truer.
Many insider threats are born of negligence or a lack of awareness about what qualifies as sanitary user behavior. In particular, senior-level managers tend to be the biggest culprits. According to the University of Alabama at Birmingham, 58 percent of senior-level managers have sent sensitive information to the wrong email address, compared with 25 percent of other employees.
An argument can easily be made that these high-level managers’ duties require the handling of more sensitive data than other workers. But ultimately, that’s all the more reason they should be educated on information security and data management best practices.
It’s worth noting that training employees on cybersecurity awareness must happen at every level of an organization – or as the Department of Homeland Security put it, from the break room to the boardroom. This means ensuring that all employees:
- Are instructed on smart web behavior (i.e., not clicking on links or downloading documents from unknown email senders).
- Can recognize an intrusion or attempted intrusion, and know who to consult/ what steps to take.
Chances are, your employees aren’t spies hell-bent on destroying your business. At worst, they’re technologically uninformed users who need a refresher in cyber awareness.
3. Monitor Network Activity in Real Time
“Hone in on potentially compromising employee activity – accidental or malicious.”
By keeping an unceasing vigil over network activity, and then analyzing the resultant threat intelligence, businesses can map out a cyberthreat’s lifecycle. This allows them to then hone in on potentially compromising employee activity – accidental or malicious.
Furthermore, real-time threat detection is a critical aspect of incident response. The sooner a threat is spotted, the more quickly it can be thwarted with an incisive set of actions (a.k.a, your incident response plan).
While 24/7/365 threat monitoring may not be feasible for many SMBs to manage in-house, there are cost-efficient alternatives, namely managed detection and response services. A best-of-breed MDR offering supplies the security operation center and a team of dedicated engineers and staff to manage it. Beyond detecting threats and helping businesses respond in real time, MDR identifies the attack vectors and provides recommendations for actions that can be taken to prevent further intrusions. The result is better security hygiene for SMBs now and in the future.