By Jason Hicks, Design & Engineering Manager at NuWave Technology Partners
Please, quickly take a moment and have a look around you, at your employees. See them getting their morning coffee? See them checking their email? See them strolling to their desks, or on their way to the bathroom? The source of your next security incident could be any one of them. How can this be? Has your business been infiltrated by a hacker collective? Are your employees being blackmailed by the Russian mob? No, in truth, they likely have no idea the danger that they present to your business.
Many business owners think of security incidents as something that happens from the outside-in, caused by some faceless hacker exploiting vulnerabilities in servers, or brute-forcing their way into your email, but in reality, the number one cause of data breaches amongst small to medium-sized businesses is the employees themselves. Whether it is due to bad password practices, careless browsing, or lack of overall security awareness, when it comes to cybersecurity, people are the silent accomplices.
What can be done? The problem is complex, and there is no single fix. With security, it is best to approach things with a layered strategy, in what I think of as the Security Onion:
Layer 1: Beyond the Edge
Layer 2: At the Edge
Layer 3: Inside the Network
Layer 4: At the Endpoint
Layer 5: Inside the Mind of the Employee
At each layer we need to consider how the technology and processes can best be applied to save our employees (and thus, our businesses) from being unwitting security threats.
Beyond the Edge
Security needs to exist outside your company’s network. You need to project it out into the world. This is accomplished by identifying and stopping threats that could compromise your employees while they are out in field or working in the cloud, before they even reach your local network, by using technologies such as offsite antispam and antimalware filtering for email and DNS, identity management, and mobile device management.
At the Edge
The Edge of your local network is where one usually thinks of network security taking place—it’s where your firewall generally sits, separating the internet or other wide area networks from your local network. And it is likely where threat actors will concentrate their initial efforts. Its where important technologies like Intrusion Detection/Prevention stop those actors from using vulnerabilities to gain access to your network, but it is also where content filtering can save your users from themselves. Stopping users from going to sites they shouldn’t be visiting at work helps, as these sites can often be compromised by malware, but there are many perfectly normal sites that are compromised as well. A strong content filter that can significantly reduce the chance of malware actually executing on your endpoints by both identifying and preventing users from connecting to sites that are compromised.
Inside the Network
The components of your local network—switches, wireless access points, servers, and the like—are the arteries that carry the lifeblood of your company; your data. It is important that this data is scrutinized, and that those digital arteries are maintained. Implementing regular updates to your servers and your network equipment is critical to stopping exploits from taking hold in your network. Also, watching internal network traffic through the lens of behavioral analytics allows you to see who is in your network and determine whether they should or shouldn’t be there. When one of your desktops starts copying huge amounts of data from the server or suddenly starts heavily communicating to an internet address in China that it has never connected to before, this technology can let you know and allow you to take action.
It’s also important to think about physical security at this layer: Do your employees have access to your server room or network closet? If a threat actor has physical access to a component of your network either directly or through an employee, given enough time they will be able to compromise that component.
At the Endpoint
The endpoints (computers, laptops, mobile devices) are where your employees spend most of their time, and where they have the greatest chance to bring your network to its knees. All the layers of security up to this point reduce the threat, but here is where we need to take a less subtle approach to security. Antivirus and antimalware software can stop the threats that manage to get through from executing. Intelligent decisions about user access rights can stop malware that slips through from doing much damage. Drive encryption can prevent clear-text data from leaking out on a lost or stolen machine.
Inside the Mind of the Employee
The final layer of the security onion is inside the mind of the employee. This is a place where technology alone can’t fix the problem—the prevention here is through thoughtful IT policy deployment and effective awareness training. For example, do your employees know how to read a URL and see that it is valid for the site they think they are visiting. Can they spot a phishing attempt? Do they know how to report a situation when information may have been compromised? Does your employee have a secure place to store their laptop when it isn’t at the office, and do they know to use it? Do they know what a secure password is, and how to store it? Hint: not on a post-it note under their keyboard. Training on these and other topics is important, but so is making sure the information is communicated clearly and is available and easily accessible. And then finally, once all the policies are written and training completed, it’s important to determine that they are actually working. One way to gauge their effectiveness is by running an internal security campaign with near-real phishing emails and other tests of employees’ security prowess.
While all of these layers are important, none are effective by themselves. Each layer builds on the ones before and after it, strengthening the whole. Thus, through a thorough, multi-layered, multi-faceted approach to security, it is possible to create defense-in-depth and to diffuse or at least mitigate the threat that your employees present to your organization and prevent them from being the unwitting and silent accomplices.