By Don Smith, Technology Director at Dell SecureWorks
When weighing up the biggest security hazards to an organisation, it may come as a surprise to discover that the end user is often the first point of compromise. Through no fault of their own, and mainly due to a lack of awareness, employees frequently open the virtual gates to attackers. With the rise in cyber crime, the consumerisation of IT and the spread of BYOD, it is more important than ever to educate employees fully about security attacks and how to protect against them. Although BYOD has given employees greater flexibility, it has also given the end user even more scope to cause a security breach.
Threat actors actively target end users as a primary route to compromise. Some criminals target the end user directly, for example to commit financial fraud; others use the end user as a stepping stone into the organisation's IT infrastructure. It is important to note that threat actors can target end users on their home networks and mobile devices, and those users then unwittingly bring the “infection” inside the organisation. Increasingly, criminals use a technique called spear phishing: the attacker sends a highly targeted email, often containing personal contextual details, that fools the recipient into clicking a link and, without their knowledge, downloading malware. Once installed, the malware gives the attacker access to the end user's device, which is then used as a launch point to harvest network information and expand control inside the network.
Because the consequences are so damaging, it is vital that end users fully understand the most common ways threat actors will target them. This means teaching employees that they will be targeted, encouraging them to be vigilant at all times, and showing them what qualifies as sensitive data, how to identify and avoid threats, and what the acceptable use and security policies require of them. In short, educating the workforce is critical.
The most effective way for the CIO to deliver practical and memorable education is to make it real and physically demonstrate what an attacker can achieve. Walking employees through a real-life example of someone clicking a link in an authentic-looking email shows what takes place behind the scenes and makes evident the power the attacker acquires. This illustrates precisely what a threat entails in a way that is easy to understand and hard to forget. Making it personal also adds value: teaching employees how to protect their own data highlights how a threat could affect their personal life as well as their employer. Best practice then becomes second nature as people adopt the same habits in both their personal and professional lives.
Aside from education, the CIO needs to protect end users from their own mistakes. Processes and technology can be put in place to limit and control what information end users can access within a network, as well as the actions they can take. To take control and minimise risk, end users should have access only to the information necessary to perform their roles (the principle of least privilege), so that a compromised account or device yields the attacker as little as possible.
As a final point, the security of an organisation relies on detection. Prevention is important, but detection is crucial. The key to tackling threats is establishing what normal behaviour looks like, so that anomalous activity can be identified against it. If an organisation understands its baseline, it becomes far easier to spot abnormalities such as excessive access to information or out-of-the-ordinary access requests.
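The baseline-then-anomaly idea above is easy to state and surprisingly concrete to implement. The following is an added example, not code from the article or from Dell SecureWorks: it builds a per-user profile (resources normally touched, typical daily volume, usual working hours) from a few days of constructed access-log lines, then reviews a later day against that profile and flags exactly the two kinds of abnormality the paragraph names, excessive access volume and out-of-the-ordinary access requests (a resource the user has never touched, or access far outside their normal hours). The log format, the user and resource names, and the three-times-baseline volume threshold are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample access log (not real data): "<ISO timestamp> <user> <resource>".
# The first two days establish each user's baseline; the third day is under review.
BASELINE_LINES = [
    "2014-03-03T09:05:00 alice hr/payroll",
    "2014-03-03T10:20:00 alice hr/payroll",
    "2014-03-03T15:40:00 alice hr/benefits",
    "2014-03-04T09:15:00 alice hr/payroll",
    "2014-03-04T11:00:00 alice hr/benefits",
    "2014-03-04T16:30:00 alice hr/payroll",
    "2014-03-03T08:50:00 bob eng/repo",
    "2014-03-03T13:10:00 bob eng/wiki",
    "2014-03-04T09:00:00 bob eng/repo",
    "2014-03-04T17:45:00 bob eng/repo",
]
REVIEW_LINES = [
    "2014-03-05T09:30:00 bob eng/repo",             # bob looks as usual
    "2014-03-05T14:00:00 bob eng/wiki",
    "2014-03-05T02:10:00 alice finance/forecasts",  # off-hours, never-before-seen share
] + [f"2014-03-05T09:{m:02d}:00 alice hr/payroll" for m in range(0, 20, 2)]  # 10 hits in 20 min


def parse_log(lines):
    """Parse 'timestamp user resource' lines into (datetime, user, resource) tuples."""
    events = []
    for line in lines:
        ts, user, resource = line.split()
        events.append((datetime.fromisoformat(ts), user, resource))
    return events


def build_baseline(events):
    """Per user: set of resources normally touched, mean daily volume, usual hour window."""
    per_user = defaultdict(lambda: {"resources": set(), "daily": defaultdict(int), "hours": set()})
    for ts, user, resource in events:
        profile = per_user[user]
        profile["resources"].add(resource)
        profile["daily"][ts.date()] += 1
        profile["hours"].add(ts.hour)
    baseline = {}
    for user, profile in per_user.items():
        baseline[user] = {
            "resources": profile["resources"],
            "mean_daily": mean(profile["daily"].values()),
            "hour_range": (min(profile["hours"]), max(profile["hours"])),
        }
    return baseline


def find_anomalies(baseline, events, volume_factor=3.0):
    """Flag behaviour outside a user's baseline; returns a list of (user, reason)."""
    findings = []
    daily = defaultdict(int)
    for ts, user, resource in events:
        profile = baseline.get(user)
        if profile is None:
            # An account with no history at all is itself worth a look.
            findings.append((user, f"no baseline for this user (seen {ts.isoformat()})"))
            continue
        daily[(user, ts.date())] += 1
        if resource not in profile["resources"]:
            findings.append((user, f"first-ever access to {resource} at {ts.isoformat()}"))
        lo, hi = profile["hour_range"]
        if not lo <= ts.hour <= hi:
            findings.append((user, f"access at {ts.strftime('%H:%M')} outside usual {lo:02d}:00-{hi:02d}:59"))
    # Volume check: more than volume_factor times the user's mean daily count.
    for (user, day), count in daily.items():
        expected = baseline[user]["mean_daily"]
        if count > expected * volume_factor:
            findings.append((user, f"{count} accesses on {day} vs baseline of ~{expected:.1f}/day"))
    return findings


def run_example(volume_factor=3.0):
    """Build the baseline from the first two days and review the third."""
    baseline = build_baseline(parse_log(BASELINE_LINES))
    return find_anomalies(baseline, parse_log(REVIEW_LINES), volume_factor)


if __name__ == "__main__":
    for user, reason in run_example():
        print(f"ALERT {user}: {reason}")
```

Run as a script, this raises three alerts for alice (a share she has never touched, an access at 02:10, and eleven accesses against a baseline of three a day) and none for bob. The caveat a practitioner will want: the baseline period must itself be clean. If the attacker was already active while the profile was being learned, their behaviour becomes "normal" and this approach will not see it, so the baseline should be built from a period that has been reviewed, and refreshed slowly enough that a gradual escalation cannot quietly redefine it.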