The threat of the “malicious insider” seeking to wreck your organization gets a lot of attention. But 99% of all user errors are inadvertent – or the result of the user not knowing what they did was wrong.
Employees can’t be expected to understand all the complex regulations and business needs that drive the organization’s rules around data. They need clear guidelines to help them make good decisions consistently in all the different scenarios that arise.
More than four in 10 organizations participating in the U.S. 2017 State of Cybercrime survey reported that insiders had unintentionally exposed their private or sensitive information. Facing such threats, it’s no surprise employers cited employee awareness and cooperation as the top security-related challenge and obstacle in Network World’s 2017 State of the Network Study.
Needed: Better User Training
In the average company, security rules “are pretty squishy, and might be situational, like, ‘It’s okay to talk to one partner with information about customers, but with another partner it’s not,’” says Brandon Swafford, chief technology officer of user and data security at Forcepoint. Setting clear rules and training users on them helps distinguish malicious behavior from mistakes, he says, because if a user “knows the rules, if they’re trained and still act inappropriately, that’s moved beyond accidental.”
Making security rules clear enough to be useful requires a detailed understanding of the lifecycle of an organization’s data and how that data is used in common business processes. Swafford recommends evaluating every stage, from the creation of data to its transmission, sharing, storage, deletion, or archiving.
His best practices also include determining who should be allowed to handle each type of data and in what ways at each stage. Companies should also decide how to handle exceptions and questions, such as what steps users should take if they receive an email with confidential information that shouldn’t have come to them. With such a review, he says, “you’ll find the gaps in your rules and policies most quickly.”
Trust But Verify
Another challenge in the creation of security rules is balancing security and employee productivity. If users are working on a project with others around the globe, for example, they might not be able to collaborate using a common email system and might need to use other platforms instead, such as cloud storage. In this case, Swafford recommends the enterprise “trust but verify” how users treat data.
It’s also important to recognize that despite their best efforts, users will continue to make honest mistakes. For that reason, organizations also need to establish response plans that include passing feedback to their training, legal, and HR departments. Those departments can then update policies or develop a more holistic anticipation of future events to calibrate their responses.
Finally, remember that distinguishing honest mistakes from attacks requires ongoing work to reflect new business processes, user behavior, and data-sharing technologies. “If you’re not always questioning whether you’re doing the right thing and thinking of how to handle new scenarios, you’re setting yourself up for trouble,” says Swafford.
Forcepoint’s human-centric cybersecurity systems protect your most valuable assets at the human point: the intersection of users and data over networks of different trust levels. Visit www.forcepoint.com