New study pinpoints bad staff behaviors, not hackers as primary source of data leakage
October 28, 2008
By Alan Radding
When Benjamin Craig managed networks at a US Air Force base overseas in the late 1990s, he realized he could not assume even military people were computer security aware. "We needed to train people about social engineering," he recalls. Social engineering refers to techniques attackers use to trick people into revealing passwords or allowing access to computer systems.
When Craig started working at River City Bank, Sacramento, CA, as vice president of information systems in 2001, one of the first things he did was bring his social engineering awareness training to the bank. The program got almost immediate results. "Suddenly our people realized that the various service people who wandered through the bank didn't necessarily need to be where they were," he says. The service people weren't necessarily doing bad things, but it was important for the bank's people to be more vigilant of that possibility and to be monitoring them. Furthermore, the service people were on notice as well.
River City Bank may be the exception to the rule, though. After two decades of warnings about the vulnerability of electronic data to a wide variety of threats, a new study reveals that little has been done to raise the awareness of most employees who work with data. Company data continues to be put at risk not by ingenious code breaking on the part of hackers but by careless mistakes made by employees. The global study, conducted by Insight Express and funded by Cisco, concludes that educating workers about the impact of their behavior should be the first line of defense.
The findings of inadequate training come at a particularly dangerous time. The penalties and marketplace damage from data losses are bigger than ever. In addition, data loss is increasingly occurring not from hackers or deliberate theft but due to mishandling, human error, carelessness, technical failure, or other inadvertent cause.
In addition, the potential for expensive and extremely damaging data loss, also referred to as data leakage, is growing as increasing amounts of data spend their entire lifecycle online. "The network is today's business platform," says Christopher Burgess, Cisco senior security advisor. "We have more data online than ever before, and we'll have even more in the future," he adds. Burgess is the co-author of a new book, Secrets Stolen, Fortunes Lost (Syngress, 2008).
Ironically, the biggest security threats are not exotic software viruses or ingenious new attacks against the organization's servers, storage, and networks. Rather, according to the survey, the biggest threats result from mundane human behavior, such as voluntarily sharing information with someone outside the organization or using an unsecured personal device, such as a cell phone or PDA, for business information.
"Companies are even concerned with things like corporate blogging, where employees post information that might get the company into trouble," says Phil Hochmuth, senior analyst, Yankee Group, a Boston-based research firm. Some of these threats, he adds, might not even qualify as premeditated data leakage, but rather as premature or inadvertent data disclosures.
Although security technology certainly plays a part in preventing data leakage, the study clearly shows that changing human behavior is the key to data security success. "Businesses of all sizes and employees in all professions need to understand how behavior affects the risk and reality of data loss, and what that ultimately means for both the individual and enterprise," says John Stewart, chief security officer at Cisco.
The Cisco-Insight Express study's Top Ten List of behavioral problems:
- Changing security settings on computers
- Use of unauthorized applications
- Unauthorized network/facility access
- Sharing sensitive corporate information
- Sharing corporate devices
- Blurring of work and personal devices, communications
- Unprotected devices, computers left logged on and/or unlocked
- Storing logins and passwords on the computer or in obvious places
- Losing portable devices containing data
- Allowing unsupervised roaming around offices by non-employees
The education and training required to address the behavior that leads to these kinds of security failings is not complicated. It does not require learning to use advanced technology or asking people to make big changes in their normal practices. It really calls for defining and communicating standards for acceptable behavior: a sort of personal IT hygiene, the IT equivalent of moms reminding children to brush their teeth after every meal. These behaviors can and should be part of the corporate policy reviewed with each new hire and then reinforced with all employees through periodic refresher training and communication.
"A lot of the problem is that companies assume people already know proper IT behavior," says Hochmuth. Yes, people should know not to share sensitive information, not to walk away from their computer while it is logged on, and not to tape their password to the side of their monitor. But, as the study shows, people surveyed in the US, South America, Europe, China, Australia, and elsewhere either don't know or, more likely, don't bother to think about these precautions.
Cisco has implemented an internal security education program that emphasizes positive behavior and focuses on informing rather than dictating a long list of thou-shalt-not directives. "We run short videos that show employees encountering some of these threats and making the right decisions in the process," says Burgess. The important thing to get across to employees is that things like this can happen and that each employee is a potential target, he adds.
In addition to training, River City Bank also developed policies about how to deal with security threats and procedures for what to do if someone encounters a potential problem. "We developed a set of policies and procedures that have been reviewed and approved by our risk management people," says Craig.
Security threats will never go away, but they should not prevent the organization from pursuing business success. Notes Burgess: "You can't let fear of a security incident bring the enterprise to a halt. If you keep your people informed about threats, manage your processes, and manage your technology, you can focus on business success."
Alan Radding is a freelance journalist in Newton, MA.