The whole topic of cyber security is growing almost exponentially each year as we commit more and more of our business lives to the interconnected world of cyber space. As a result, the threats and exploits pitched against us have grown to match. Our initial responses were to "lock" the user down by limiting their ability to carry out many very basic operations while they use their computer on the network. We are now beginning to understand that to make our responses effective to the threats posed, we have to deploy systems and approaches that do not force the user to change the way they work.
The Common Denominator
Humans by nature are reluctant to change and they don't necessarily respond well to being asked to perform tasks to aid security, especially if they are seen to impede the speed with which they can complete what they see as a mundane and security irrelevant task. In fact, if confronted by such systems users often rebel against the very systems put in place to protect them and their employers. User non-compliance with security systems already in place are a common denominator in security breaches.
Identifying the Threats
To counter the cyber threats posed, it has become the accepted wisdom that both software engineers and cyber security solutions
need to factor in the human response to the systems deployed. The psychology of the user is as an important a consideration as, for example, which encryption algorithm is to be used. The threats posed to our networks are varied; there are both inbound and outbound threats.
- Inbound threats encompass service disruptions and those that attempt to corrupt or delete data.
- Outbound threats are those which seek to steal information and or interfere with our communications.
Outbound threats are arguably the hardest to defend against, since these are often perpetrated by insiders, people we trust to have access to our systems. Either deliberately or by accident, "PEBKAC" (Problem Exists Between Keyboard and Chair) comes into play. The most secure networks are rendered insecure if the users are writing their passwords on "Post-it Notes" and sticking them on their monitors.
Countering the Threat Only allow access to data and resources that are required by the individual to carryout their daily tasks.Often what it all boils down to is using common sense along with deploying your security products and procedures. Here are a few things to keep in mind:
- Identify if the user is allowed to copy data off the network.
- Should the user have access to plug 'n play devices, such as thumb drives, and if the user does have access, should the flow of files be one way, either in or out?
- Once data is stored on a removable device control, determine where that device can be used within or outside of the network.
- Establish an audit trail for data leaving the network.
We have a duty of care to protect the data we store, in some cases this need to protect that data is prescribed by law. The informed response in 2013 is not to look at cyber security in isolation, but instead with a holistic approach. A good marriage between systems and common sense is essential.
Author Bio: Andy Campbell is a Director at Reflect Digital, a digital marketing agency and has over 20 years experience in the data security industry specialising in Information Security and Email Encryption.
(Image Source: freedigitalphotos.net)