December 2, 2014 By Fran Howarth 3 min read

Security should be a board-level concern. The volume, complexity and sophistication of attacks are rising rapidly, and massive breaches affecting household names are everyday news. Elevating security to a board-level concern is vital for business survivability.

IBM has recently released a report that provides chief executive officers (CEOs) and their C-level counterparts with five security principles that should be given the highest priority. These principles can be boiled down into the following three key areas:

  • Focusing on employees;
  • Putting controls around critical assets;
  • Having processes and technologies in place for responding better and faster.

This article explores the first area, which is made up of two guiding principles.

Increase the Security IQ of Every Employee

According to the Ponemon Institute’s 2014 Cost of Data Breach Study, 60 percent of security incidents are caused by employee errors and internal system glitches. Internal threats can be particularly pernicious since employees often have access to the most sensitive information produced by an organization. Sending data to an unauthorized person — even mistakenly — or introducing errors that diminish data integrity can have serious consequences. To reduce the risk of employee error, CEOs should ensure they encourage a culture of security throughout the organization.

A top security priority is to train employees right when they join the organization. However, this is not a one-off exercise. Official training should be conducted at least annually, along with constant reminders, preferably done in a way that is fun and engaging for employees. They need to be aware of the threats facing their organizations, including emerging threats, and the sort of behavior that is expected of them to reduce their role in spreading these threats. They should be thoroughly trained on the security policies that have been set and told why they are needed.

To ensure the message is getting through, employees throughout the organization should be tested to make sure the knowledge imparted through training and awareness sessions has sunk in and that they really do understand the messages. Consequences for noncompliance with security policies, including possible sanctions, should be clearly spelled out.

But even that might not be enough. Some people perform well in structured tests, while others do not. As an extra precaution, organizations should look to catch their employees off guard, using simulated phishing exercises to gauge their response to realistic scenarios. This will help the organization ascertain where the gaps in understanding are so it can take steps to remedy them.

Security Principles: Safeguard BYOD

At one time, organizations’ networks had clear boundaries, guarded by technologies such as firewalls. Today, those boundaries have all but disappeared. Mobile devices have become the device of choice for many employees and are constantly punching holes in traditional defenses. With mobile technologies quickly evolving and incorporating the latest and greatest features, many employees feel that their own devices are superior to those offered by their organizations. This has given rise to the bring-your-own-device (BYOD) phenomenon, with employees demanding to use the device of their choice for work purposes, especially since this removes the need to carry multiple devices for work and leisure purposes. Employees are the new perimeter.

Again, employee education is paramount for encouraging the safe use of personally owned devices, as well as security policies that spell out what is and what is not permissible. However, that alone is insufficient. Organizations must safeguard themselves by using technology to manage those devices and protect the data they contain, the transactions that are made with them and the applications that are permitted to contain corporate data.

Containerization is a strategy that has a central place in any enterprise mobility program. It provides a way to isolate corporate data on personal devices by enabling corporate and personal data to be placed in separate containers on the device. This allows different levels of security to be applied to different containers, ensuring the organization can safeguard its critical information while providing employees with the assurance that their personal data is safe from prying eyes. It also lets organizations retain the flexibility associated with the BYOD era, allowing for the safe use of any device rather than blocking network access until a particular device has been examined and certified.

Employees as the Front Line

The Cost of Data Breach Study estimates that the cost of dealing with a data breach increased by 15 percent in 2014 and will continue to rise. Employees and their devices are the front line of any organization, its human face to the world. To safeguard the organization from internal threats and external factors specifically targeting individual employees, it makes great sense to focus on employees themselves to lessen the chance that they inadvertently cause harm.

This is why security awareness and securing BYOD should be two of the main security principles espoused by boards of organizations. The next two articles in this series will focus on the other key security principles, examining how to best protect an organization’s crown jewels — its assets — and how to best prepare for and respond to security incidents.
