This shouldn’t be a problem we have to discuss, but unfortunately the state of modern cyber-security prevents us from staying quiet on the topic.
Studies show that although mass attacks have slowed, smaller, more targeted attacks have increased dramatically over the last few years, with targeted phishing even being sold as a paid service. The volume of spam reaching your inbox has probably doubled in the last six months, and social engineering redirects are now far more likely than exploit kit redirects.
IT security spending still focuses largely on building up firewalls and protecting endpoints. Security and monitoring software, regular patching and technology updates are becoming more common, but they aren’t being adopted as widely as we would like. So why aren’t the cyber-security measures most of us are taking having an effect on, well, our cyber-security?
People Really Are the Worst
Unfortunately, it is still true that the biggest cause of data breaches worldwide is human error (at least 90%, according to a recent Verizon study). In fact, most studies over the last decade show that human error is consistently the biggest reason so many companies suffer massive data breaches.
Essentially, it comes down to people doing the one thing you (as an IT professional) told them not to do in the first place. They may not do it intentionally (falling victim to a phishing email, for example), but the effect is the same. The cause of a breach may even be a third party who falls for a scam or doesn’t follow a password policy.
Why Are People Bad at Security?
Put simply, people don’t know how to act securely online, or don’t consider cyber-security at all when they are dealing with your data. If you asked someone in your sales team, for example, why GDPR is important, what do you think they would say? I’m willing to bet the majority of people don’t understand the value of data privacy or the importance of acting responsibly when storing, handling and processing sensitive data.
It is worrying that so many people don’t care about cyber-security best practices and don’t understand the potential consequences of mishandling data. But that is the world we live in, so instead of moaning about it, what can we do to rectify it?
What Can the IT Department Do?
Unfortunately, there is little IT departments can do to reduce human error beyond educating users about the importance of security and best practices. Even though many organizations hold regular cyber-security awareness training sessions with their users, you can never guarantee that it is sinking in.
IT teams would certainly benefit from communicating more with other departments and, in particular, from voicing their cyber-security concerns to leadership. The board of directors would want to know the potential cost of a data breach caused by poor cyber-security practices.
A good way to help ensure that users are handling your data safely is to deploy a data-centric audit and protection (DCAP) solution. This will help you determine where your sensitive data is, who has access to it, what users are doing with it and whether your environment puts it at risk. But even with this level of visibility, a lack of inter-departmental communication will largely undermine it.
Take, for example, a scenario in which a privileged user in the sales team is fired. This disgruntled user now has both the access and a motive to act maliciously, and presents a significant threat to data security. HR has probably been informed that he is leaving, but quite often both the sales department and HR forget to tell the IT team. His Active Directory account therefore still gives him access to the organization’s most sensitive files and folders, which he can copy, delete or modify at his leisure.
Had the IT team been informed, those permissions could have been revoked and the user’s behavior monitored to ensure that nothing damaging took place.
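As an added example of what “revoke the permissions and check what the user did” looks like in practice (this is not Lepide’s code or a feature of any DCAP product), the PowerShell below offboards a leaver’s Active Directory account and then queries the file server’s Security log for anything the account touched. It assumes the RSAT ActiveDirectory module, rights to modify the account, and that object-access auditing (event ID 4663) is enabled on the file server. The account name jsmith, the Leavers OU, the domain corp.example and the server name FS01 are hypothetical.

```powershell
# Added example: offboard a leaver's AD account and review recent file access.
# Not Lepide code; all names (jsmith, OU=Leavers, corp.example, FS01) are hypothetical.
#Requires -Modules ActiveDirectory
param(
    [Parameter(Mandatory)] [string] $SamAccountName,                   # e.g. 'jsmith'
    [string] $LeaversOU  = 'OU=Leavers,DC=corp,DC=example',            # hypothetical OU
    [string] $FileServer = 'FS01',                                      # hypothetical server
    [int]    $LookbackDays = 7
)

$user = Get-ADUser -Identity $SamAccountName -Properties MemberOf

# 1. Disable the account so interactive and network logons stop immediately.
Disable-ADAccount -Identity $user

# 2. Reset the password to a random value so a cached or stolen credential
#    cannot be replayed against anything that checks the password but not the
#    account's enabled state.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPwd = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPwd

# 3. Strip group memberships. In most environments it is the groups, not the
#    account itself, that grant access to the sensitive shares. Log what was
#    removed first so there is an audit trail of the access the leaver had.
$groups = Get-ADPrincipalGroupMembership -Identity $user |
          Where-Object { $_.Name -ne 'Domain Users' }   # primary group cannot be removed
foreach ($g in $groups) {
    Write-Output ("Removing {0} from {1}" -f $SamAccountName, $g.Name)
    Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false
}

# 4. Record who disabled the account and when, then move it to the leavers OU
#    so it is clearly out of normal use and subject to that OU's policies.
Set-ADUser -Identity $user -Description ("Disabled {0:u} by {1}" -f (Get-Date), $env:USERNAME)
Move-ADObject -Identity $user.DistinguishedName -TargetPath $LeaversOU

# 5. Look back: what did this account access on the file server recently?
#    Event 4663 fields (by position): 1 = SubjectUserName, 6 = ObjectName,
#    8 = AccessList. Requires object-access auditing on the server.
$since = (Get-Date).AddDays(-$LookbackDays)
Get-WinEvent -ComputerName $FileServer `
             -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } |
    Where-Object { $_.Properties[1].Value -eq $SamAccountName } |
    Select-Object TimeCreated,
                  @{ n = 'Object'; e = { $_.Properties[6].Value } },
                  @{ n = 'Access'; e = { $_.Properties[8].Value } } |
    Sort-Object TimeCreated
```

Two caveats a practitioner would want: disabling the account does not invalidate Kerberos tickets the user already holds (by default a ticket-granting ticket lives up to 10 hours), so if the leaver is still on the network you also need to terminate his open sessions on the file servers; and step 5 only finds what auditing was already recording, so the 4663 query is useless on a share where object-access auditing was never switched on. That is exactly the gap a DCAP solution is meant to close by auditing file access continuously rather than after the fact.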
This is just one example of how a DCAP solution combined with inter-departmental communication could help to improve data security. If you want to see how a DCAP solution can help you, contact Lepide for further information.