
Want good security? Follow the user

It's time to stop keeping the workforce at arm's length and instead treat them as critical parts of the system, says Christo van Staden, regional manager for sub-Saharan Africa at Forcepoint.


Johannesburg, 21 Jun 2018
Christo van Staden, Regional Manager for sub-Saharan Africa, Forcepoint.

Ask any security expert what the weakest point in protecting data is and they will invariably cite people as the problem. Some are even tempted to sideline users completely, but this is impractical and actually self-defeating, says Christo van Staden, Forcepoint's Regional Manager for sub-Saharan Africa.

Security awareness programmes raise user understanding and can make them a vigilant part of security practices. Still, this doesn't go far enough to solve the problem of trying to fit humans into a security or IT system designed around threats.

"If you look at where data breaches happen, it's across a continuum of behaviours. Some are accidents, some come from a compromised (hacked) identity and some are deliberate malicious insiders. So, while security training will raise awareness to be on the lookout and to collaborate with ICT custodians, its impact is limited."

This problem is growing because workforces are becoming more mobile. According to a Forcepoint study, 76% of employees need to access documents away from the office. But even employees who stay at the office expect company data to be more versatile and accessible, since 61% access data on their own devices.

So, if they want all of this access, why aren't they more proactive at galvanising the lessons from security education? Digital behaviour simply doesn't sit well with these ideals, because we live in a world where digital identities are a type of currency: "Users are sharing their credentials on every second online app in exchange for free mail or access to an app or something else. Historically, where you had quite a handle on privacy and user profile, now it lives anywhere. Even responsible behaviour, such as using online shopping platforms, involves some level of user credentials. It can be hard for security professionals to draw that line, so how much can we expect from the average person?"

Yet the issue may not be people. Instead, it's security that has failed to evolve. The challenge with security training is that it's rarely matched by the other tools in the security stable. Specifically, the reliance on event-centric protection and static policies needs to shift to a behaviour-centric approach. What a person can distribute and access should be tied to their role and even their individual digital DNA.

Follow the intent

Why don't mere roles work? Because these exacerbate the thousands of policies that already dictate security at a company. Van Staden explains it in terms of different secretaries: "A CEO's secretary might regularly have to copy sensitive data into a presentation. That's a legitimate action. You should be able to allow that. But if it's a different secretary, maybe to the HR director, that person should not be able to copy that data into a presentation. The action should be allowed or disallowed based on the DNA signature of that user. It won't work if you have general policies covering secretaries and it would be impractical to set up a policy for every individual."

This ties to what Forcepoint calls the Continuum of Intent. There are three scenarios where data is compromised: by a threat actor, a disgruntled employee or an employee duped into the action. For example, just because an executive's credentials are used, it doesn't mean it's actually the executive logging on. In a static policy environment, though, that account would have considerable free rein. But when focused on intent, unusual behaviour can be spotted quickly, using technology that has already shown its worth in other applications.

"The key is in behaviour and behaviour analytics. If you look at every worker out there, we are creatures of habit. We engage with systems in a fairly predictable way. Behaviour analytics is already embedded in all our smartphones. That's how Samsung and Apple determine exactly what are the weaknesses of the services on our phones. Our shopping profiles are often linked to a certain level of behaviour. Behaviour technologies have been around for several years. It's a matter of taking that analytical intuition and applying it to security."

Many security breaches don't happen overnight, but come into being through the concerted and patient actions of an attacker. Many could have been stopped had they been spotted early enough. Then there are the quick attacks, such as ransomware, which can often be traced back to poor employee habits. If behavioural analytics are in place, forensic trails and employee interventions can be established.
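To make the contrast between a static role policy and a behaviour-centric decision concrete, here is an added example (written for this article, not Forcepoint's product code or any real analytics engine). It builds a per-user baseline from a constructed audit history, then scores new events against that baseline: the CEO's secretary copying board material into a presentation matches her own habit and is allowed, the HR director's secretary doing the same thing has no precedent and is sent for review, and an executive account logging in at 02:00 is flagged because that hour is outside the account's usual window. The user names, actions, hours and the 0.5 review threshold are all assumptions chosen for illustration; the `reasons` list returned with each verdict is the forensic trail the paragraph above refers to.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    user: str       # account that performed the action
    action: str     # e.g. "login", "open", "copy_to_presentation"
    resource: str   # data class touched, "none" for logins
    hour: int       # hour of day, 0-23


# Constructed sample history (not real log data): routine activity for three accounts.
HISTORY = [
    *[Event("ceo_secretary", "copy_to_presentation", "board_pack", h) for h in (9, 10, 11, 14, 15, 9, 10, 16)],
    *[Event("ceo_secretary", "login", "none", h) for h in (8, 8, 9, 8, 8, 9, 8, 8)],
    *[Event("hr_secretary", "open", "hr_records", h) for h in (9, 10, 13, 14, 9, 11, 15, 10)],
    *[Event("hr_secretary", "login", "none", h) for h in (8, 9, 8, 8, 9, 8, 8, 8)],
    *[Event("cfo", "login", "none", h) for h in (7, 7, 8, 7, 8, 7, 7, 8)],
    *[Event("cfo", "open", "board_pack", h) for h in (9, 10, 9, 11, 10, 9, 9, 10)],
]

# Static role policy (hypothetical): every secretary may copy data into presentations.
STATIC_ROLE_POLICY = {"secretary": {"login", "open", "copy_to_presentation"}}


def static_role_decision(role: str, action: str) -> str:
    """Role-based check: cannot tell one secretary from another."""
    return "allow" if action in STATIC_ROLE_POLICY.get(role, set()) else "deny"


class BehaviourBaseline:
    """Per-user profile of which (action, resource) pairs and which hours the user normally produces."""

    def __init__(self, history):
        self.pairs = defaultdict(Counter)   # user -> Counter of (action, resource)
        self.hours = defaultdict(Counter)   # user -> Counter of hour of day
        self.total = Counter()              # user -> number of baseline events
        for e in history:
            self.pairs[e.user][(e.action, e.resource)] += 1
            self.hours[e.user][e.hour] += 1
            self.total[e.user] += 1

    def assess(self, e: Event, threshold: float = 0.5) -> dict:
        """Score an event against the user's own baseline; score in [0, 1], higher = more anomalous."""
        reasons = []
        n = self.total[e.user]
        if n == 0:
            return {"user": e.user, "score": 1.0, "verdict": "review",
                    "reasons": ["no baseline for user"]}

        # How often has this user done exactly this action on this data class?
        pair_freq = self.pairs[e.user][(e.action, e.resource)] / n
        if pair_freq == 0:
            reasons.append(f"{e.action} on {e.resource} never seen for {e.user}")

        # An hour is "usual" if it is within one hour of something already seen.
        seen = self.hours[e.user]
        near = any(abs(e.hour - h) <= 1 for h in seen)
        if not near:
            reasons.append(f"hour {e.hour:02d} outside usual window {min(seen):02d}-{max(seen):02d}")

        # Half the weight on the unfamiliarity of the action, half on the time of day.
        score = min(1.0, (1 - pair_freq) * 0.5 + (0.0 if near else 0.5))
        verdict = "review" if score >= threshold else "allow"
        return {"user": e.user, "score": score, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    baseline = BehaviourBaseline(HISTORY)
    for ev in (Event("ceo_secretary", "copy_to_presentation", "board_pack", 10),
               Event("hr_secretary", "copy_to_presentation", "board_pack", 10),
               Event("cfo", "login", "none", 2)):
        print(static_role_decision("secretary", ev.action), baseline.assess(ev))
```

The role policy answers "allow" for both secretaries because it only knows the job title; the baseline answers per individual, and a flagged event carries the reason it was flagged, which is what an analyst needs to decide whether to intervene with the employee or treat the account as compromised.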

Limiting the workforce's access to data and services is not constructive, but our growing comfort with digital has made employee identities easy prey for cyber criminals. It's time to stop keeping the workforce at arm's length and instead treat them as critical parts of the system. Yet setting up rules to follow is not enough. By adding one of the most powerful tools of the modern era, analytics, businesses can overcome this challenge without hampering their staff's productivity.
