How to deal with your biggest IT security risk - without firing everyone.
According to a survey carried out by the Ponemon Institute, the majority of both German and American IT practitioners agree that employee negligence decreases productivity and causes more security incidents than intentional and malicious acts. While the purpose of the survey was to determine how cultural differences impact IT security, it revealed that the two nations held largely similar views on the matter, which suggests the findings are not peculiar to either country.
The survey was titled 'The Unintentional Insider Risk in the United States and German Organisations'. It surveyed 1 017 IT professionals and found that 73 percent of American and 67 percent of German respondents agree or strongly agree that unintentional employee negligence severely diminishes the productivity of IT.
In addition, the survey compared the costs of IT time wasted as the result of unintentional human error and found that American companies reported losing $1.5 million, while German companies reported losing $1.75 million - again comparable amounts.
What is the situation in South Africa? Do unintentional actions by staff pose the greatest risk to IT security in this country, and what measures can be taken to counter this threat?
Andrew Murray, Blue Label Telecoms' Group CIO, says unintentional actions of staff are 'absolutely' the biggest threat faced by organisations. "We're all living in a world where we experience massive threats in the form of a daily bombardment of this kind of malicious content," he says.
His team recently carried out a training exercise to assess how many staff members would click on a link in a suspicious e-mail. The e-mail had the subject line 'E-tolls to be Scrapped', with a link to a spoofed site. More than 50 percent of the organisation's staff clicked on the link. "I only knew that the test had been authorised. I didn't know what the content would be. I almost clicked on the link myself," confesses Murray.
He says there are two things that motivate people to click on malicious links: "We're all greedy and we're all into rumour-mongering. Offer someone a free smoothie and they'll click on anything."
When they presented the findings of this test to the exco, the IT team - one of whom is a 'white hat' hacker - demonstrated how it was possible to gain access to a person's computer simply by getting the e-mail recipient to click on such a link. "We created a spoof site that turns on your computer's camera. We showed them that we were looking at one of their desks right then. They almost fell off their chairs."
In addition to hardware and software security, employees at Blue Label Telecoms are now required to participate in a mandatory awareness programme, and this awareness is maintained via regular e-mails. "We make it personal. We send weekly updates saying this is what happened to one of us this week. We highlight the fact that we are all under attack, all the time."
Layers of defence
The IT team also carries out daily and monthly scans of their environment and their senior executives' homes to make sure nothing malicious has made its way onto any of their systems.
However, what Murray says is very hard to overcome is the digital footprint people leave when they're active on social media, making it easy for hackers or fraudsters to gain an understanding of their movements and matters that are important to them. It's then easy for the hackers to make it personal and gain people's trust.
Herman Botha, the information security manager at PricewaterhouseCoopers, also believes employees pose the biggest risk to IT security. "And you can never fully control that," he adds. "We have lots of training programmes to mitigate the risk, but people will always make mistakes."
These mistakes range from clicking on attachments in e-mails that they shouldn't have, or sending e-mails with private information to the wrong recipients.
He says PwC's IT use policy is very broad, covering all aspects of information security and acceptable use. New recruits are introduced to the policy in the first two or three days in an induction session. Thereafter, they receive further training in their first month of employment. "We then test them to measure how effective the training has been. There's really no point in doing it if it isn't making any kind of a difference."
Of course, as a professional services company, PwC deals with extremely sensitive information, so it has to be extra vigilant about its security systems. "We have various layers of defence, like an e-mail gateway with normal filtering that kicks out 90 percent of malicious stuff. We also have machines filtering malicious websites and file-sharing sites. So even if a malicious attachment is opened, it has a slim chance of getting through."
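The gateway layer Botha describes decides, before a user ever sees the mail, whether an attachment is allowed through. The following is an added example of that decision logic, not PwC's own tooling: it parses a message with Python's standard `email` library and blocks attachments by extension, by double extension ('refund.pdf.exe'), and by content, catching a Windows executable that has been renamed to '.pdf'. The sample message, its addresses and the blocked-extension list are constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions a gateway would typically quarantine outright (constructed list).
BLOCKED_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "js", "jse", "vbs", "vbe",
    "wsf", "hta", "msi", "ps1", "lnk", "docm", "xlsm", "pptm",
}

# Windows PE files start with the two bytes 'MZ' regardless of file name.
PE_MAGIC = b"MZ"


def classify_attachment(filename, payload):
    """Return a reason string if the attachment should be blocked, else None."""
    name = (filename or "").lower()
    exts = name.split(".")[1:]  # 'refund.pdf.exe' -> ['pdf', 'exe']
    if exts and exts[-1] in BLOCKED_EXTENSIONS:
        return f"blocked extension .{exts[-1]}"
    # 'report.exe.txt' style tricks: a blocked type hidden behind a harmless suffix
    if any(e in BLOCKED_EXTENSIONS for e in exts[:-1]):
        return "double extension hides a blocked type"
    # Content check: the file name says 'pdf', the bytes say 'executable'
    if payload[:2] == PE_MAGIC:
        return "executable content (MZ header) regardless of file name"
    return None


def scan_message(raw_bytes):
    """Parse an RFC 5322 message and return [(filename, reason)] for blocked parts."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        reason = classify_attachment(part.get_filename(), data)
        if reason:
            findings.append((part.get_filename(), reason))
    return findings


def build_sample_message():
    """Constructed test message: one clean PDF, one renamed executable, one .exe."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "Your toll refund"
    msg.set_content("Please see the attached refund notice.")
    msg.add_attachment(b"%PDF-1.4 fake pdf body", maintype="application",
                       subtype="pdf", filename="notice.pdf")
    msg.add_attachment(b"MZ\x90\x00 fake pe body", maintype="application",
                       subtype="pdf", filename="refund.pdf")
    msg.add_attachment(b"MZ\x90\x00 fake pe body", maintype="application",
                       subtype="octet-stream", filename="refund.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reason in scan_message(build_sample_message()):
        print(f"BLOCK {filename}: {reason}")
```

The content check is the important one: a name-only filter is defeated by renaming, which is why the filter looks at the decoded bytes rather than trusting either the file name or the declared MIME type.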
Even so, Botha says it's hard to work out whether PwC is being targeted specifically or just generally bombarded as most organisations are. "We've also observed that these kinds of attacks will target our service providers, rather than us directly," he says.
At the MacSteel Service Centre SA, Group CIO Martin Pretorius says the company has numerous IT security packages to mitigate risk. "Through Active Directory and Exchange and through our ERP system, we limit the access of people. We also have access control to our building, as well as firewalls and WiFi limitations."
By limiting access in these ways, Pretorius aims to limit damage should a security breach occur. "There are two types of people," he says. "Business people and IT people, and business people know just enough to be dangerous."
MacSteel has a security department with interconnected areas of responsibility in risk, compliance and sustainability. Pretorius says they run software that tracks activity and mail access, carries out spot checks on employee activity, and runs weekly reports on all of this.
"We can see straight away from the reports if people are accessing websites or systems they're not supposed to. If an employee tries to do anything, and we pick it up with sniffer tools, that's an immediate dismissal. If they're doing something online outside of their normal tasks, there will be a hearing."
He also ensures that the policies are all up to date on the document management system, and that all staff members are aware of them. "They must read and adhere. They know about the policies and their managers are accountable for enforcing them."
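Pretorius's weekly reports turn raw access logs into a list of who reached which systems they were not supposed to. The following is an added example of that reporting logic, not MacSteel's own software: it parses constructed proxy-style log lines, applies a constructed policy of off-limits hosts, and separates attempts the control blocked (DENY) from accesses that went through (ALLOW), since the latter point at a control gap rather than just a user to speak to. The log format, host names, user names and entitlements are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines (not real data): timestamp, user, destination host, proxy action.
SAMPLE_LOG = """\
2016-03-07T08:12:03 jsmith intranet.example.invalid ALLOW
2016-03-07T08:15:44 jsmith filesharing.example.invalid DENY
2016-03-07T09:01:10 mnaidoo erp.example.invalid ALLOW
2016-03-08T13:22:05 jsmith filesharing.example.invalid DENY
2016-03-08T13:22:09 jsmith webmail-personal.example.invalid ALLOW
2016-03-09T11:47:31 tdube hr-payroll.example.invalid ALLOW
2016-03-09T11:50:02 pmoyo hr-payroll.example.invalid ALLOW
2016-02-28T17:05:00 jsmith filesharing.example.invalid DENY
this line is malformed and is skipped
"""

# Constructed policy: hosts staff are not supposed to reach, by category.
POLICY = {
    "filesharing.example.invalid": "file sharing",
    "webmail-personal.example.invalid": "personal webmail",
    "hr-payroll.example.invalid": "restricted system",
}

# Constructed entitlements: users who may legitimately use a restricted host.
ENTITLED = {"hr-payroll.example.invalid": {"pmoyo"}}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY)$")


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "host": m["host"],
            "action": m["action"],
        })
    return events


def weekly_report(events, week_start, policy=POLICY, entitled=ENTITLED):
    """Per user, list policy hits in [week_start, week_start + 7 days).

    'attempted' = the proxy denied it (the control held);
    'succeeded' = the proxy allowed it (a gap between policy and enforcement).
    """
    week_end = week_start + timedelta(days=7)
    report = defaultdict(lambda: {"attempted": [], "succeeded": []})
    for e in events:
        if not (week_start <= e["ts"] < week_end):
            continue
        category = policy.get(e["host"])
        if category is None:
            continue  # not an off-limits host
        if e["user"] in entitled.get(e["host"], set()):
            continue  # legitimately entitled to this system
        bucket = "succeeded" if e["action"] == "ALLOW" else "attempted"
        report[e["user"]][bucket].append((e["ts"].isoformat(), e["host"], category))
    return dict(report)


def render_report(report):
    """Plain-text summary in the shape a manager would review."""
    lines = []
    for user in sorted(report):
        r = report[user]
        lines.append(f"{user}: {len(r['attempted'])} blocked attempt(s), "
                     f"{len(r['succeeded'])} successful access(es)")
        for ts, host, category in r["succeeded"]:
            lines.append(f"  GAP  {ts} {host} ({category})")
        for ts, host, category in r["attempted"]:
            lines.append(f"  DENY {ts} {host} ({category})")
    return "\n".join(lines)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(render_report(weekly_report(events, datetime(2016, 3, 7))))
```

Keeping the entitlement table separate from the policy is what lets the same report serve both the HR process Pretorius describes and the security team: a DENY line is evidence of an attempt, while an ALLOW line against an off-limits host means the Active Directory or proxy rules do not yet match the written policy.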
It seems that CIOs agree that people are their biggest risk, and that a combination of people, policies, procedures and technology is necessary to mitigate that risk as much as possible.
This article was first published in the March 2016 edition of ITWeb Brainstorm magazine. To read more, go to the Brainstorm website.