Employees are the greatest asset and one of the biggest threats 


Last year we learnt to chop our strawberries. We learnt because we were worried that our summer fruit had been tampered with and had a needle hidden inside it. It was fair logic, then, to chop. And the cause, we later learnt, was a disgruntled employee: someone who had the power to make a nation think twice before serving up its favourite dessert.

The extent to which employees are given privilege is wide ranging. It covers everything from the ability to enter the building you work in, to the passwords and access to the devices and applications needed to do your job. Different levels of employee privilege are often defined, but not always. A company credit card handed to an employee for a 'one-off' work payment shows trust, but it is probably not the most secure arrangement, because when that trust is abused the consequences can be catastrophic.

Even when employees can be trusted to do the right thing, employers know they remain vulnerable to manipulation by increasingly sophisticated attackers. It is impossible to prevent every employee from exposing the business to malware-based phishing attacks, visiting a ransomware-infected website, or failing to follow security procedure best practice in some way.

This was highlighted in the CyberArk Threat Landscape 2019 study, with Australian IT security decision makers stating that the greatest security risks to their business were phishing (62 per cent) and ransom/malware-based attacks (54 per cent). The survey also found a lack of basic security vigilance across organisations, with many storing company passwords in a document on a company device (28 per cent), a physical safe (31 per cent), or in a notebook or filing cabinet (30 per cent).

The actions of all employees, including those of IT and management, can be improved to benefit the security of an organisation.

Prioritising privilege 

Privileged accounts, credentials and critical data exist on every business device, application and operating system. Privileged access is what lets organisations administer and secure IT infrastructure and applications, run the business efficiently and maintain the confidentiality of sensitive data. A privileged access security policy helps organisations manage these assets securely by limiting access to those who actually need it.

Limiting employee access has practical implications. While it is reasonable to expect organisations to put a solution in place that manages privileged access, people still need to be able to do their jobs. It is difficult to identify a malicious or rogue employee, or those who will inadvertently 'let the hacker in', so it is up to business and IT leaders to define the line between where they can grant privilege and where the risk is too high.

In its most fundamental form, a person who is no longer an employee should not have access to the organisation's network. Beyond this, there is more grey than black and white. Nearly half of the Australian respondents (43 per cent) in the CyberArk Threat Landscape 2019 study said one of their company's greatest security vulnerabilities is privileged insiders.

Overall, leaving the door open to privileged insiders potentially renders businesses vulnerable to hackers or malicious insiders stealing funds and sensitive information using legitimate credentials. The OAIC Notifiable Data Breaches 12-month Insight report found that 28 per cent of cyber incidents in Australia from 1 April 2018 to 31 March 2019 used credentials obtained by unknown means, and that phishing-based compromises had gone undetected.

The statistics highlight that, even if employees are good corporate citizens, organisations simply cannot count on traditional perimeter defences to keep data secure when credential theft is this widespread.

Be proactive with your people 

For every organisation, employees are the biggest asset, but businesses must adopt proactive access controls. The employee at the strawberry farm, for example, was able to act maliciously, and undetected, for some time.

Any organisation that provides employees, partners and contractors with unfettered access to the corporate network, assets and confidential information significantly increases its risk profile.

The challenge for businesses is to manage individuals’ credentials effectively, prevent the escalation of privilege and protect employees from both internal and external threats – without holding anyone back from being able to do their jobs. 

Adopting a technology solution that monitors all privileged activity and analyses it to detect high-risk behaviour should allow organisations to manage privilege effectively without disrupting operations. Security should be positioned as an enabler, rather than a potential pitfall.
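To make the two controls the article calls for concrete (removing access from people who have left, and limiting and monitoring privileged access), here is a small Python audit script. It is example code added for this page, not a feature of any CyberArk product or anything from the studies cited: the account directory, the HR leaver list, the "key=value" log format and the 90-day unused-privilege threshold are all constructed assumptions.

```python
"""Audit privileged accounts against an HR leaver list and review a privileged-activity log.

Example code added to illustrate the article. The accounts, leaver list and
log lines are constructed sample data; the key=value log format is assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Account:
    user: str
    enabled: bool
    privileged: bool                         # holds admin/root rights
    last_privileged_use: Optional[datetime]  # None = never used them


# Constructed sample directory: who holds what, and when they last used it.
NOW = datetime(2019, 7, 1, 12, 0, 0)
ACCOUNTS = [
    Account("asmith", True, True, datetime(2019, 6, 28, 10, 0)),  # admin, in regular use
    Account("bjones", True, True, datetime(2019, 1, 15, 9, 0)),   # admin rights unused since January
    Account("cwong", True, False, None),                          # ordinary user
    Account("dlee", True, True, datetime(2019, 6, 30, 16, 0)),    # has left the company, still enabled
]
HR_LEAVERS = {"dlee"}  # constructed: people HR says have left

# Constructed privileged-activity log, one event per line (format assumed).
LOG_LINES = [
    "2019-07-01T09:02:11Z user=asmith action=sudo host=app01",
    "2019-07-01T23:41:07Z user=asmith action=sudo host=db01",
    "2019-07-01T10:15:32Z user=cwong action=sudo host=app01",
    "2019-07-01T11:05:44Z user=dlee action=ssh-root host=db01",
    "2019-07-01T11:20:00Z user=unknown7 action=sudo host=db01",
]

Finding = Tuple[str, str]  # (user, reason)


def reconcile(accounts: List[Account], leavers: Set[str], now: datetime,
              unused_after: timedelta = timedelta(days=90)) -> List[Finding]:
    """Offboarding and least-privilege review of the account directory.

    Flags accounts HR says have left but that are still enabled, and privileged
    accounts whose rights have gone unused for `unused_after` (standing privilege
    nobody needs is exactly what a stolen credential gives an attacker).
    """
    findings: List[Finding] = []
    for acct in accounts:
        if acct.user in leavers and acct.enabled:
            findings.append((acct.user, "leaver-still-enabled"))
        if acct.privileged and (acct.last_privileged_use is None
                                or now - acct.last_privileged_use > unused_after):
            findings.append((acct.user, "privilege-unused"))
    return findings


def parse_event(line: str) -> Dict[str, str]:
    """Parse '<ISO timestamp> key=value ...' into a dict (timestamp under 'ts')."""
    ts, *fields = line.split()
    event = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def review_log(lines: List[str], accounts: List[Account], leavers: Set[str],
               business_hours: Tuple[int, int] = (7, 19)) -> List[Finding]:
    """Flag privileged actions a monitoring control should treat as high risk:
    a leaver's, disabled or unknown credential in use, a privileged action by an
    account that holds no admin rights (escalation), and admin activity outside
    business hours. Each event yields at most one finding, most severe first.
    """
    directory = {a.user: a for a in accounts}
    start, end = business_hours
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        user = ev["user"]
        acct = directory.get(user)
        when = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        if acct is None:
            findings.append((user, "privileged-action-by-unknown-account"))
        elif user in leavers:
            findings.append((user, "privileged-action-by-leaver"))
        elif not acct.enabled:
            findings.append((user, "privileged-action-by-disabled-account"))
        elif not acct.privileged:
            findings.append((user, "privileged-action-by-unprivileged-account"))
        elif not start <= when.hour < end:
            findings.append((user, "off-hours-privileged-action"))
    return findings


if __name__ == "__main__":
    for user, reason in reconcile(ACCOUNTS, HR_LEAVERS, NOW) + review_log(LOG_LINES, ACCOUNTS, HR_LEAVERS):
        print(f"{user:10} {reason}")
```

Run against the sample data, the reconciliation flags bjones (admin rights held but unused for months) and dlee (left according to HR, account still enabled), and the log review flags asmith's late-night sudo, cwong's sudo from an account that holds no admin rights, dlee's root SSH after leaving, and an account that is not in the directory at all. In practice the directory and leaver list would come from the identity provider and HR system, and the log from whatever records privileged sessions; the point is that both checks are mechanical once the data is joined.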

Copyright © 2020 IDG Communications, Inc.