How Employee Behavior Impacts Cyber Security

Many IT organizations invest in security products without making a corresponding investment in the human side of breaches and vulnerabilities. Employees can inadvertently bring malware and other malicious software into the IT environment through their laptops, mobile devices, social network activity, public WiFi networks and removable media.

CompTIA’s Eleventh Annual Information Security Trends survey found that companies are not fully addressing this critical component of IT security. The survey found that more than 55% of the companies queried cited human error as the primary cause of security incidents. In other instances, some security problems were the result of malicious employee intent.

User Resistance

Security is an ongoing battle for every organization. There will always be attackers able to find and exploit human lapses in an organization's defenses. Security is more than applied technology; it is also how an organization builds risk and threat management into its business processes.

Companies require well-designed and consistently enforced security policies and procedures to avoid cyber breaches. 

Employees should receive annual security training and, on completion, acknowledge a "security terms and conditions" notice. The acknowledgement should require answering a series of questions rather than ticking an "I agree" check box. The statements and questions should change each time the agreement is issued (some suggest quarterly) to reflect changing business requirements and threats.

Here are 5 steps IT departments should implement to mitigate employee-based security problems:

  • Know what is connected to your network and how it is being used
  • Implement key security settings that protect your systems
  • Manage and limit the organizational staff and contractors’ administrative privileges to modify, bypass, or override your security settings
  • Ensure that you regularly update all software, applications, and operating systems
  • Prioritize your security objectives and projects according to the resources available

Policy compliance should be backed by monitoring tools that continuously look for inappropriate actions and rogue devices. This gives you evidence of improper behavior and of stolen credentials being used, rather than relying on users to report it.
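The first of the five steps above (knowing what is connected to your network) and the monitoring described in the previous paragraph both come down to comparing what the logs show against what the organization expects. The following is an added example written for this article, not Masergy tooling or code from the original page. It runs two simple checks over constructed log lines: a rogue-device check that flags DHCP leases granted to MAC addresses missing from an assumed asset inventory, and a credential-misuse check that flags an account succeeding from an internal and an external address within a short window, or outside assumed business hours. The log formats, the inventory, the 10.0.0.0/8 "internal" rule and the thresholds are all assumptions.

```python
"""Added example: policy-monitoring checks over constructed log lines.

Illustrative code for this article; log formats, inventory and thresholds
are assumptions, not any vendor's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed asset inventory: MAC address -> hostname. Anything else that
# obtains a lease is treated as a rogue device.
INVENTORY = {
    "aa:bb:cc:00:00:01": "finance-laptop-01",
    "aa:bb:cc:00:00:02": "hr-desktop-03",
}

# Constructed DHCP server lines: timestamp message ip mac hostname.
DHCP_LOG = """\
2023-05-02T08:01:10 DHCPACK 10.0.5.21 aa:bb:cc:00:00:01 finance-laptop-01
2023-05-02T08:03:44 DHCPACK 10.0.5.22 aa:bb:cc:00:00:02 hr-desktop-03
2023-05-02T12:15:02 DHCPACK 10.0.5.77 de:ad:be:ef:00:99 android-7f3a
"""

# Constructed authentication lines: timestamp user source_ip result.
AUTH_LOG = """\
2023-05-02T08:02:00 alice 10.0.5.21 success
2023-05-02T08:09:00 alice 203.0.113.8 success
2023-05-02T23:40:00 bob 10.0.5.22 success
2023-05-02T09:00:00 carol 10.0.5.30 success
"""


def rogue_devices(log=DHCP_LOG, inventory=INVENTORY):
    """Return (ip, mac, hostname) for leases granted to MACs not in inventory."""
    found = []
    for line in log.splitlines():
        _ts, msg, ip, mac, host = line.split()
        if msg == "DHCPACK" and mac.lower() not in inventory:
            found.append((ip, mac, host))
    return found


def _is_internal(ip):
    # Assumption: the corporate LAN lives in 10.0.0.0/8.
    return ip.startswith("10.")


def credential_alerts(log=AUTH_LOG, window=timedelta(minutes=30),
                      work_hours=(7, 19)):
    """Flag two credential-misuse patterns in successful logins:

    1. "split-location": one account succeeds from an internal and an
       external address within `window` (a stolen credential replayed from
       outside while the legitimate user is at their desk);
    2. "after-hours": a success outside the assumed business hours.
    """
    by_user = defaultdict(list)
    alerts = []
    for line in log.splitlines():
        ts, user, ip, result = line.split()
        if result != "success":
            continue
        t = datetime.fromisoformat(ts)
        if not work_hours[0] <= t.hour < work_hours[1]:
            alerts.append(("after-hours", user, ip))
        by_user[user].append((t, ip))

    for user, events in by_user.items():
        events.sort()
        for i, (t1, ip1) in enumerate(events):
            for t2, ip2 in events[i + 1:]:
                if t2 - t1 > window:
                    break  # events are sorted; later ones are further apart
                if _is_internal(ip1) != _is_internal(ip2):
                    alerts.append(("split-location", user, f"{ip1}->{ip2}"))
    return alerts


if __name__ == "__main__":
    for dev in rogue_devices():
        print("rogue device:", dev)
    for alert in credential_alerts():
        print("credential alert:", alert)
```

In practice the inventory would be pulled from an asset database and the "internal" test replaced by real network ranges or a geo-IP lookup; the point is that both checks only work if the expected state (which devices and which access patterns are legitimate) is written down first.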

Responding to Employee Mischief

The most critical piece of any security plan is validation. The plan should be a group effort between technical IT and security staff and non-technical marketing, sales, finance, HR and production staff. Non-technical staff often have insights the technical staff do not, and including them earns their buy-in more readily than having solutions dictated to users by the technical team.

  • Look for high-value assets, the ones in most need of protection, that the business determines are most important from a legal, compliance, and business perspective.
There are business requirements that must be satisfied if the business is to succeed; security controls must not block them.
  • Design a security strategy that meets the business goals while implementing a reasonable level of security.
  • Have the users help validate the solutions then fine tune the resulting design.

According to the Ponemon Institute's 2015 Cost of Cyber Crime study, which surveyed 58 U.S. companies, the average annual cost of cyber crime per organization rose 19% to $15 million, up from $12.7 million in 2014.

When it comes to security, your work is never done. New security problems will surface, and old ones may re-emerge, especially with new users. Even the best security behavior design should be periodically revisited.

About Craig D'Abreo

VP, Security Operations, Masergy
Craig oversees the Managed Security, Threat Intelligence and Security Professional Services departments at Masergy. He is responsible for Masergy's proactive enterprise cybersecurity threat management and operations program. Craig holds a bachelor's degree in Computer Science and an MBA in Information Security. He is a Certified Information Systems Security Professional (CISSP) with over a decade of experience in the security industry and holds various network security certifications. He has written for various security blogs, spoken on a range of industry panels and is a recognized thought leader in the cybersecurity space.