Transforming People into Security Assets

By Martin Sugden, CEO, Boldon James.

  • 4 years ago Posted in

Artificial Intelligence, User Behaviour Analytics, Zero-Trust… these are the buzzwords currently dominating the security industry. The developments in cyber security technology over the last few years are incredible, developments that are essential in the progression towards a more secure world. A key assumption in much of this development is that humans are simply a risk that needs to be mitigated by technology.

To a certain extent, this is absolutely the right approach. However, despite everything we can do from a technology perspective, malicious actors will always exist, and people will continue making innocent mistakes. Technology cannot solve every problem. So how can we effectively mitigate this risk? This is where I believe companies need to adopt a more positive approach; an approach in which the aim is to transform humans from a security risk into a security asset. In short: user-driven security.

What do we mean by user-driven security?

User-driven security is a methodology which understands how people interact with data, why people make mistakes and ways to identify and prevent innocent mistakes/malicious activity. Using these insights, businesses are able to implement a simple strategy that involves educating users to understand how to operate in a more secure way, incorporating security policy as part of their day-to-day workflow and using the information provided by users to enhance the cyber security technology the business already uses. This process can make businesses more secure and more efficient.

Why are people seen as a risk?

When you investigate the plethora of research available on the reasons behind, and causes of, data loss, it’s clear to see why people are such a risk. For example, The Information Commissioner’s Office (ICO) regularly produces statistics about the main causes of data security incidents and, in cases where they have acted, human error and process failure tend to be the leading cause. More specifically, the reasons tend to be aspects such as: loss/theft of paperwork, data sent to the wrong recipient or loss/theft of an unencrypted device. It’s easy to see how and why these events can occur so easily. Let’s look at three of the key reasons:

  • People are busy and are faced with growing mountains of data created every second
  • Data is becoming the most asset a business has, which incentivises malicious actors to try and steal it
  • Businesses (and therefore, employees) don’t tend to understand the value of the data they create

The effective use of technology does go a long way to overcoming some of these challenges. However, using technology alone still leaves gaps and this is where turning to your people can help. Below are three main steps you can take to turn your people from a risk into your greatest security assets. 

1st Step – Educate your users 

Build a custom training programme for your employees that encompasses all areas of security but places a focus on data. This will teach users the value of the data they are handling to ensure they work with data in a way that complies with your internal security policies and adheres to the relevant regulations.

2nd Step – Classify your data

How can you appropriately protect data if you don’t know its true value? (Answer: YOU CAN’T!). In the same way that, when you move to a new house, if you had a lorry full of brown boxes with no labels, you’d be in a bit of a mess at the other end, exactly the same applies to data. You should be able to quickly identify how sensitive the content is and how it should subsequently be handled, stored and protected. This is where advanced data classification applies both visual labels and metadata to ensure users and downstream technologies handle the data appropriately. Utilising a classification tool prompts users to classify data at the point of creation. To avoid mistakes and further improve user education, the tool scans data to ensure the label selected adheres to your policies and prevents the ‘under-classification’ of data. So essentially working on a ‘Trust but Verify’ basis.

3rd Step – Enhance your existing technologies and enforce your security policies

User training and data classification enables businesses to enforce their security polices in a way that is difficult to achieve by any other means. The metadata applied during the classification process can be read by several complementary technologies and enhances their performance. For example, Data Loss Prevention (DLP) tools can simply scan the metadata and apply relevant handling rules based on this.

The introduction of user-driven security provides benefits to your organisation such as reducing loss of sensitive information, increasing productivity and remediation of processes. If you know where your sensitive data is, you can control how it’s protected, where it’s stored and who can access it. As such, the risk of losing sensitive data is massively reduced. Additionally, if you have a policy of, for example, encrypting ‘top secret’ data, it mitigates the damage that can be caused even if the data did end up in the wrong hands.

In terms of productivity, if users understand the value of the data, they will be able to make quicker and more confident decisions on how to handle it. DLP tools can prevent the loss of sensitive data but, in practice, what tends to happen is one of two things: 1) the rules are too relaxed, which causes problems with security, or 2) the rules are too strict and block activity from happening, which causes problems with productivity. Allowing DLP tools to read the metadata tags helps to overcome both problems.

Lastly, streamlining the processes around detection and remediation is dependent on some great tools available that quickly identify data/cyber-attacks and help to remediate them. These tools tend to be driven by algorithms that read log/network information to identify anomalous behaviour, and one of the most important components of these algorithms is context. The metadata tags added by data classification provide incredibly important context for these tools that impacts the way in which attacks are responded to.

The steps outlined above highlight the need to blend best practices in user-driven and automated classification techniques to meet the unique data security needs of your business both today, and tomorrow.

 

By Barry O'Donnelll, Chief Operating Officer at TSG.
By Dr. Sven Krasser, Senior Vice President and Chief Scientist, CrowdStrike.
By Gareth Beanland, Infinidat.
By Nick Heudecker, Senior Director at Cribl.
By Stuart Green, Cloud Security Architect at Check Point Software Technologies.
The cloud is the backbone of digital cybersecurity. By Walter Heck, CTO HeleCloud
By Damien Brophy, Vice President EMEA at ThoughtSpot.