Information technology security has been a frequent topic in business this year. Not a month goes by without a major security event (BASH, Home Depot, etc.) entering the news cycle. However, the focus on security needs to shift from the technology side of the house to the user, administration and training sides. This is no longer an issue just for big companies. In the legal industry, over the last year, 71 percent of all attacks were on firms with fewer than 100 employees. By deploying best practices, policies and procedures for security measures, your firm can be proactive versus reactive to a security threat.

Earlier this year Cisco conducted its regular survey, in which respondents were asked what they feared from these new security threats. Over 80 percent answered that IT departments actually felt secure with the technology that they had in place, but they feared what end users might do, either intentionally (example: Edward Snowden) or unintentionally (example: CryptoLocker). The response was that, although IT departments are the focus of where to combat the new threats, it’s the actions of end users that are often the root cause of the problem.

Despite the great innovation in newer security products, the industry itself is still in a reactionary mode, responding to modern threats rather than being a step ahead. Therefore, while the technology is important, other areas of the business need to be addressed in order to make a company more secure.

People, Process and Policies

There never will be a silver bullet for security. Organizations of all sizes need to set the tone with their employees regarding what is expected of them when they access and utilize computer technology and data on their networks.

I am not referring to typical acceptable use policies, which are still very much required, but to policies that drive the procedures and protocols for everyday use. Senior management has to be perfectly clear both on what they expect their employees to do and on how to behave when they have access to private data, including what their individual responsibility is for proper handling and reporting of suspicious behavior.

This should not come as a shock to people. If the threat to business was theft via physical means, people would be educated to look for strangers lurking outside the building, and anything that looked suspicious. They would be told who to notify in the event that they see something strange. Yet, when it comes to the company’s electronic data, people stay mute or are often oblivious to what is going on. Employees need to be specifically told what to do and how to do it. Today, you can leave nothing to chance or assume that employees will do the right thing.

Top-Down Education, Enforcement

The only way to get this accomplished is through the communication of policies and procedures that have been adopted and approved by management. This communication needs to originate at the very top and reach every level of the organization. Management has to make it perfectly clear that misbehavior, whether intentional or unintentional, will not be tolerated. The repercussions for failure to help keep the organization safe from harm and threats must be clear, or else training becomes a waste of time and money.

This is not shifting blame to the end user or “passing the buck.” The organization has a responsibility to make sure that it does not put its employees in a position where they could inadvertently cause harm – or be harmed themselves.

For instance, there is absolutely no excuse as to why a user should have more rights to their computer than is absolutely necessary for performance of daily tasks. The simple reduction in rights has been widely known for years for its value in providing a better security posture. Yet, many organizations and/or IT departments are still simply too lazy or hesitant to change to make use of this totally free practice. Even the Australian Department of Defense’s “Strategies to Mitigate Targeted Cyber Intrusions” lists removing elevated privileges as one of its top four methods to prevent malware infestation. Simply using the Australian DOD’s top four methods can reduce a network’s security risk by 85 percent. It’s a simple and effective solution to implement.

Good Employees vs. Manipulators

Call me an optimist, but I believe that most people want to do “good,” or, at a minimum, not screw up. Employees want to do their part to help keep their company safe. No one wants to be the person victimized by a social engineer attack that costs their company money and loss of reputation.

This brings to mind an instance at a small law firm in North Carolina, in which one employee’s mistake caused the firm to lose over $300,000. The money was stolen from a private trust account because he/she clicked on a link in an email, loading a Trojan virus that recorded keystrokes of the bank account. Ultimately, the firm lost $300,000 and now has to deal with bad publicity and reputational fallout, as the bank filed suit against the firm for theft. Nobody wants to be THAT person, who accidentally caused public and private harm to their employer.

>People are not naïve, either. Bash, Heartbleed, JP Morgan, Home Depot, K-Mart, iCloud, Drop Box, Target, Neiman Marcus, Amazon – the list goes on and on when recapping security incidents that have impacted us in our personal daily life. People are truly hungry for information on how to be safer, both at home and in the office. Even well-intentioned people need to understand how to behave and what risks and penalties exist if they don’t comply. It’s no different than speed limits – everyone wants to get to their destination promptly and safely, but they will hit the gas just a little harder if they don’t think that the police are around. Every now and then, a little ink on paper goes a long way. Never underestimate the power of getting signatures on a policy acceptance form.

Getting Started

So, how do you get started? First, your company needs to get its security program up to date by performing risk assessments and then create policies covering how risks will be handled. Some industries will have policies dictated by regulations such as HIPAA and Sarbanes-Oxley.

Once the policies are in place, the procedures and daily tasks should be aligned to support the policies. This may take some time to complete, as many procedures being performed today are probably not documented.

Speaking of HIPAA, starting in 2015, the Office for Civil Rights will begin proactively auditing health care providers and their business associates for compliance. Companies, whether directly or indirectly tied to medical records, can face significant fines for non-compliance. Since 2011, Health and Human Services has collected over $26 million in fines from violators. The lowest fine was $215,000 – more than enough money to fund even the most basic security initiative, had the targeted company chosen to be more proactive in preventing this sort of instance.

Training and Feedback

Once policy and procedures are in place, training and feedback from the users is required. The users will find any holes or gaps that might exist in the process as they try to work under the new policies with old procedures. In the meantime, IT controls should be initiated to help limit the users’ abilities to work beyond their assignments. Proper controls will limit a company’s exposure to risk while employees handle sensitive data.

Intrusion is bad. It’s the extraction of the data that becomes the even bigger problem. In the chain of events that ultimately leads to a data extraction, the end user’s behavior and initial reactions, or lack thereof, are usually one of the first missed opportunities to stop the theft. The end user gets into trouble because the organization did not remove the things in place that could cause harm. Those of us in IT security need to take this weakness and make it a strength by convincing our organizations to adopt a sound security program and begin to enforce strong policies.

Let’s turn our workers into trained overseers and empower them to help stop attacks. The more hands on deck in this never-ending war, the better.

Mark Brophy serves the director of IT Security and Risk Management Services at Keno Kozie Associates. Brophy brings extensive knowledge on information technology networks and security. He specializes in developing and implementing security assessments, business continuity and risk management plans. He was also one of the founding members of ILTA’s new LegalSEC™ program and helped organize a community in which law firms can leverage their collective knowledge and experience in combating today’s IT security threats.

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access