Creating a culture of security: Part 1

User behavior can sometimes cause CSOs and CISOs to have heart palpitations. In part one of a two-part series, we look at security threats posed by user behavior and the challenge of balancing security with productivity.

Juniper Networks

Dave Mihelcic is federal chief technology and strategy officer for Juniper Networks, recently joining the company after a long career in government IT, including 12 years as CTO of the Defense Information Systems Agency (DISA).

Countless studies and surveys over the years have concluded that employees pose the biggest security threat to enterprises. Why is this true? 
Most corporate security architectures assume end users are trustworthy, educated on security, and reliable. Unfortunately, this is not always so. When an employee does go rogue or makes a poor security decision, the consequences can be significant. This is particularly the case when the employee has elevated privileges, like a system administrator, or when some latent system vulnerability can be exploited to escalate privileges to a higher level. The net result is the bad guys can “own” the entire network.

Has consumerization made users less patient?
Absolutely it has, although that’s not necessarily a bad thing. User expectations have risen in terms of the functionality and ease of use of their applications and IT. Their expectations are: “This thing should be self-explanatory and I should need no training.” Unfortunately, consumerization and the low levels of patience among today’s users have made it much more difficult for enterprises to provide the security training that is essential for employees to survive in cyber space.

What are the most common ways employees expose enterprises to security risks? 
Perhaps the most common is poor password management. This can be due to choosing poor passwords (like “password!”) or falling victim to a social engineering attack.
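The kind of control that turns "choose a good password" into something the system enforces, rather than something the workforce is told to do, is a blocklist check run at password-set time. The example below is added here and is not code from the article or from Juniper Networks: it normalizes a candidate password (lowercasing, stripping the trailing digits and symbols users append, and undoing common substitutions) so that variants such as "password!" or "P@ssw0rd2017" still match a blocklist of commonly chosen passwords, and it also rejects passwords that contain the account name. The blocklist, the 12-character minimum and the substitution map are assumptions for illustration; a real deployment would use a breached-password corpus and its own policy values.

```python
import re

# Constructed, illustrative blocklist standing in for a real breached/common-password corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin", "iloveyou"}

# Substitutions users commonly apply to a dictionary word (assumed map, not from the article).
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "$": "s", "7": "t"})

MIN_LENGTH = 12  # assumed policy value for this example


def normalize(password: str) -> str:
    """Reduce a decorated dictionary word (e.g. 'P@ssw0rd2017!') to its base ('password')."""
    base = password.lower()
    base = re.sub(r"[^a-z@$]+$", "", base)  # strip trailing digits/symbols: "password!", "admin2017"
    base = re.sub(r"^[^a-z@$]+", "", base)  # strip leading ones: "!password"
    return base.translate(LEET_MAP)          # undo @->a, 0->o, 3->e, ...


def check_password(password: str, username: str = "") -> list[str]:
    """Return the list of policy failures for a candidate password; an empty list means it passes."""
    reasons = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    # Check both the raw lowercase value and the normalized form, so all-digit
    # entries like "123456" (which normalize to "") are still caught.
    if lowered in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS:
        reasons.append("matches a commonly used password after normalization")

    if username and len(username) >= 3 and username.lower() in lowered:
        reasons.append("contains the account name")

    if len(set(lowered)) <= 2:
        reasons.append("uses only one or two distinct characters")

    return reasons


if __name__ == "__main__":
    # Constructed sample inputs, including the article's own example "password!".
    for candidate, user in [("password!", ""), ("P@ssw0rd2017!", ""),
                            ("dmihelcic-2024!", "dmihelcic"), ("correct horse battery staple", "")]:
        failures = check_password(candidate, user)
        print(f"{candidate!r}: {'OK' if not failures else '; '.join(failures)}")
```

The normalization step is what makes the check useful in practice: users who are told "password" is banned reliably reach for "Password1!" next, and a blocklist that matches only exact strings lets that through. Checking the raw lowercase value as well as the normalized one keeps purely numeric entries on the list effective.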

Spear phishing has become one of the most serious threats to enterprises because it can trick a user into inadvertently infecting their workstation with malware by simply clicking on an attachment or a link in an email. This malware will then look for other vulnerabilities and move laterally in the network, in many instances compromising the entire corporate network. The malware can become an advanced persistent threat, or APT, that can exfiltrate valuable data assets over extended periods. The adversary may also encrypt critical data and demand ransoms for the decryption keys. In the worst-case scenario, the adversary may wipe all the mission-critical servers, databases, and even backups, leaving the organization devastated.

Why don’t enterprises simply impose rigid security processes for employees to follow? 
Clearly defining policies and best practices for security is critical. But if you ask too much of the workforce, the approach will fail. The architecture must be defensible in the first place. Security policies must be straightforward so employees can repeatedly execute them. And most importantly, employees need to be able to accomplish their day-to-day work. 

How can enterprises strike the right balance between security and productivity? 
This requires collaboration between the CIO and the CISO. The business needs of the organization must be balanced with the acceptance of cybersecurity risks. If those risks are too high, investments must be made to mitigate the risks to an acceptable level. You can’t just order the workforce to “be more secure.”


Copyright © 2017 IDG Communications, Inc.