Security Threats: The Human Factor

August 3, 2016

Study after study has found that human behavior is one of the worst threats – if not the top threat – to enterprise security. Company leaders are certainly aware of the risk to the network and sensitive data caused by their employees and other insiders, yet they remain slow to mitigate those risks. It all comes down to understanding the value, says Jérôme Desbonnet: understanding the value of the data, the value of a security incident, and the value a threat brings to the person posing it.

Q: What is your best example of the human factor in a security incident?

JD: After a customer was hacked, a forensic investigation was needed to find out how and when everything began. However, they couldn’t find anything. It was a highly sensitive system that needed to be replaced. A few hours after the new system went online, it was hacked again; by the same team, by the same guy. Another round of forensics swiftly followed. Basically they found one thing: one of the network and system administrators was on site with them. An investigation was conducted on this administrator. It was found that he was paid by the hackers to give them full access to the system. Everything has a price. Everyone has a price. Working with an insider was much faster than anything the hackers could do on their own to infiltrate the network.

Q: Why are employees a security risk for most companies?

JD: Employees are one of the weakest links in cybersecurity. People in general are still not fully aware of security, and they don’t really believe they could do something that is breaching security. It’s like physical security. We know that to stay safe we are supposed to close the windows. But in the virtual world, people don’t want to hear that they need to do things to be secure and don’t want to change their habits.

You also need to provide online access to employees, but too many make poor decisions when they gain that access or use it to purposely cause harm, like the administrator who was paid for inside access. If security hinders the user experience in their day-to-day tasks, employees start circumventing the rules and generate risks in doing so.

Q: Why do companies seem to downplay or even ignore the security risk caused by their employees?

JD: It’s not always easy to measure cybersecurity’s value. Customers only care about cybersecurity when a breach occurs and their personal information is lost. There is also no direct value for the employees because they don’t see the actual costs when they create a security incident. Of course, companies see value in cybersecurity, but that hasn’t trickled down to the employee base. If you want your employees to focus more on cybersecurity, they have to see a direct value in it. That’s just human nature.

Instead, employees see cybersecurity as a constraint, just another thing to add to their list of things to do, so they try to find ways to bypass the security procedures. Companies don’t always look deep enough into their employees’ behavior to make sure they are following the security rules.

Q: Could you discuss the difference between a negligent employee and a malicious employee?

JD: When you have a negligent employee, the security threat is an accident. Usually all you have to do is explain what they have done wrong and it shouldn’t happen again. A malicious employee sees value in creating a security threat.

Q: How do you react to the different types of insider threat and what is the impact each has?

JD: The negligent employee doesn’t do anything wrong on purpose. It’s a matter of finding who made the mistake and educating them so they won’t repeat it. When it is malicious, the first thing to do is understand what the value of pulling off a security incident is to them. It is also important to know why they have malicious intent. It could be money or it could be a vendetta against someone in the company. The malicious employee will try to hide their actions, and maybe even deny they’ve done anything wrong, until their scheme achieves the intended value. Usually the malicious employee will have the greater impact on security.

Q: Many security experts lament that there isn’t enough security training for employees. Do you agree with this?

JD: Yes, I agree. I don’t think there is enough training. As cybersecurity experts, we need to provide training that makes sense to the end users. One approach is to use gamification and gaming platforms. Gamification uses the aspects found in any game or role-playing scenario, such as one-on-one or team competition, taking score, and using a reward system. Using a gaming platform turns security awareness training into something fun for employees, something that engages them. The security games could be based on current events, holidays, or major sporting events. Why? Because that’s often when cybercriminals seize the opportunity to spread malware.

Whichever way you approach it, training should include real-life examples of security incidents. The training process needs to provide interesting content. But it should also be short, with simple sessions held more often; we need to find the right balance to make it effective. We need to learn to think about cybersecurity in a different way and employees need to find the value in practicing good, transparent security.

Q: Employees come to mind first when talking about insider threats, but there are a lot of others who have legitimate access to the network, such as consultants, third-party vendors, boards of directors, etc. As outsiders with insider access, are they also a risk? What steps should be taken to address the security best practices of these third-party insiders?

JD: Any person who has access to your company’s network is a risk. Before allowing them access to your network, ask them about their security training and what background they have. If that security background doesn’t fit your needs, talk to their managers to request company-specific training. Also use technical answers to the IT systems, such as Identity and Access Management with proper workflow (to create and revoke access), bastions, network access control, etc.

Q: What is your best advice to companies when it comes to addressing the potential threats caused by employees and other insiders?

JD: You aren’t going to be able to mitigate every insider threat or recognize every guy who wants to gain financially from insider access. To lower the threat level, you should try to give as little access as possible, and that includes limiting how much access is given to suppliers. Then make sure you have the security tools in place to address the threats.

Unfortunately, the insider who wants to make some money or disrupt and sees helping malicious outsiders as a way to do so won’t be very easy to detect. But if the cybersecurity team monitors security events, works closely with employees, develops open communications, and provides good awareness training, there is hope that all can work together to find and stop bad insiders before they do damage.

Jérôme Desbonnet is Global Cybersecurity Chief Technology Officer (CTO) at Capgemini. With more than 15 years of experience in cybersecurity, Jérôme plans and executes major security programs to help clients keep their brand, enterprise and customers secure.

By Sue Poremba 

Sue Poremba is a freelance writer based in State College, Pennsylvania. She primarily covers cybersecurity and emerging technology issues (big data, cloud computing, BYOD), with a particular emphasis on how emerging technology and cybersecurity overlap. Publishing credits include Forbes, TechNewsDaily, MSNBC.com, Security Magazine, MSDynamics World, and many more. Sue currently writes a regular column for IT Business Edge.

Promoted view from a Capgemini Expert
