14 Aug

Information Security Overview

Introduction

Why is it important for a company to foster awareness of and mitigate against threats in information security?
Security imperfections can happen at any time and in any place. Because of this, we at 4leet have established specific stances on security, which are described in greater detail below.
Proper training, proper procedures and companywide transparency related to all security protocols are essential to establish the best security protocols for any business.
To begin this introduction to security protocols, I’d like to establish the three tenets of cyber security (Paul Edon, 2015).

The Three Tenets of Cyber Security

Confidentiality – The correct levels of access should only ever be given to associates and processes that require it to complete their duties. If no access is required, then none should be given.

Integrity – Ensure that integrity of information is always upheld and maintained. All information provided should be an accurate and unchanged representation of the original.

Availability – All information should always be accessible to all authorized users.
 
Confidentiality means that authorized users should be given access on a need-to-know basis. Users who have no reason to view accounting information should not be able to access it, even if the information does not appear to be sensitive. This helps close security holes: if everyone could access everything, it would be much more difficult to protect every single employee’s access to everything. To limit the amount of information available, it’s great to establish boundaries between users at a single workplace.
 
Integrity implies that information should represent an unchanged copy of the original. This protects employees from scams or ethical issues within a company. If someone is “cooking the books”, so to speak, this would be a violation of integrity of information because the wrong person was given access and the ability to change the previous state of the original information.
 
Availability is much more complicated than the name itself implies. Obviously, we don’t want all information available to everyone; however, we do want the information that should always be available to be available. In cases where a business is being attacked by ransomware, the information could potentially become unavailable; however, if a proper backup is made beforehand, we can always uphold the final tenet of cyber security.
 

Unintentional Human Error

“Correct performance and systematic errors are two sides of the same coin”
(Reason, James 1990)
 
Mental fatigue from large workloads/outside factors can affect your ability to work
 
Leaving your computer unattended and unlocked
 
Accidentally clicking suspicious URLs while browsing the internet
 
Sharing User Account Credentials
 
Weak Passwords
 

Cognitive Factors

There are many reasons a person can accidentally cause a situation at work. Those reasons could relate to the fact that you’re tired, or that you’ve become exhausted from illness or fatigue, and so make careless mistakes at work.

Simply leaving your computer unattended is a huge mistake that many people make without realizing it. Always remember to lock your account before you step away from your workstation. While falling victim to a malicious/sophisticated malware attack is not entirely a matter of human error, it’s good to be mindful that you can unintentionally cause harm by irresponsibly web browsing or downloading suspicious things from your email.
 
Sharing user account credentials is a mistake that many people make based on convenience. Is it inherently malicious to make this mistake? No, it’s not, but it’s easy to forget why these rules are in place.
 
Weak passwords are also a contributing factor, and password strength is something that can be very easily changed and enforced. Often people tend to make their passwords simple, so they can remember them quickly – especially if they need to use them often to gain access. This is a mistake; weak passwords are extremely vulnerable, and password requirements to include at least one number or capital letter are very important.
 
 
The most common issues that can arise with security in the workplace are most often related to regular human errors/mistakes. The flash drive is the number one culprit when it comes to compromising security. Training your employees to be more careful about their own behaviors within the workplace is second to none.
 
When an employee checks their email, they could unknowingly become a victim of malicious human behaviors. To prevent this, all employees could benefit from a cyber security briefing to better understand our own habits. If we can identify the mistakes we make ourselves, which allow us to be victimized by outsider threats, we can help prevent security flaws in the future.
 

Psychosocial/Sociocultural Factors

Basically, people can unknowingly cause security risks by doing simple things, such as holding a secure door open for someone they don’t recognize, just to be polite or to avoid an impolite situation. Overly social/extroverted individuals can cause risks by using social media at work or mentioning sensitive information to make conversation. Organizations often suffer harm from individuals who bear them no malice but whose actions unintentionally expose the organizations to risk in some way.

Demographic influences come into play as well. It can be said that factors such as age, gender, and aspects of culture/subculture can cause a higher risk of perceived security flaws.

Workers are more likely to fall victim to internal phishing attempts by accident. A phishing attempt is an email that has been crafted to appeal to the user who is meant to open it. All phishing scams lead to major security flaws.
 

Unintentional Human Error

Training – It’s good for organizations to always adapt to new changes/security threats and to be able to deploy effective training and awareness programs. This is so staff members can become aware of social engineering scams and help identify deceptive practices as well as phishing cues. Training methods should include proactive and reactive approaches to security threats: what to do if there is a social engineering attack, and what steps to take to prevent it from happening to the same person again.

Minimizing Stress – It’s also important to note that employees/humans can make mistakes when they are simply exhausted and overworked. Because of this, they become more susceptible to social engineering attempts. I know that the more tired I am, the more mistakes I tend to make and the lazier I become about things I would normally never do. Leaders need to examine whether their work environment is stressful or fosters a natural workflow. A good tool would be to allow time for all employees to examine their security protocols, maybe through an activity that helps train employees while also giving them a break from their daily work.
 
Always monitor what you post on social media!
 
I want to add like 50 more exclamation points to that statement, but I will refrain. It’s common to see LinkedIn members post information about their career history; a crafty social engineer can take this information and use it. “Why of course I’m Bob from accounting, I used to work for x my birthday is x my favorite color is x and my first school was x I graduated from x my wife is named x.”
 

Malicious Human Behavior

While we can train ourselves to be as careful as possible online, and install firewalls and encryption software, we cannot completely prevent sophisticated hacker attacks. Ransomware attacks could happen at any time, to any individual or company. While we can train our employees to use better practices, a savant can still slip between the cracks.

To reduce vulnerability to ransomware attacks, we can back up all our data on a regular basis. This should become a regular practice, at home and within the office.

There have been companies in the past that dealt with ransomware attacks by using backups to retrieve their information, and when that wasn’t an option they would use recovery software to access their old files.
 

Human Cognitive Factors

What to look for when it comes to an outsider or employee with malicious human behaviors:
 
Growing unaddressed discontent with their job title/value within an organization
Recruitment by hostile outside entities or groups
Revenge/Entitlement
Tampering with servers/networks
Challenging authority
Outside factors involving financial issues
Unauthorized access usage
 
Human/cognitive factors involved with malicious human behavior can sometimes be easily recognized. When it comes to unintentional behavior, those individuals might feel similar to the malicious person about their job, but what exactly takes it to the next level?

The difference is between a person who doesn’t realize they’re making mistakes and a person who knowingly and defiantly makes security mistakes due to a growing unhappiness/entitlement when it comes to their job.

To put it simply, two employees can go out for frequent cigarette breaks at work, perhaps breaking the rules when it comes to company break-time allowances. One employee can defiantly leave their computer logged in or their office door unlocked because it’ll “only be 5 minutes”, while the other employee can feel the same need to take frequent breaks but choose safe security practices, making sure their office is locked up or their computer is locked.
 

Psychosocial/Sociocultural

Individuals that tend to lean towards malicious behavior often have a background of similar traits involving unrest. Here are some clear warning signs:
 
Excessive amounts of stress
Feeling alienated from the company
Personal issues outside of work
Negative performance reviews
Seeking new employment
 
Looking past outside threats, sometimes threats can come from within the company itself.
 
There are a few factors that lead individuals to become more inclined to exhibit malicious behaviors. These factors include being stressed out at work. While being overworked/stressed can lead individuals to make simple human errors without malice, the same issue can be seen leading individuals to become spiteful towards their job. When an employee makes a statement about the company and wants to have their concerns addressed, this is usually a warning sign that either the company is failing this employee in terms of transparency/organization or that the employee is feeling overwhelmed. When a complaint goes unheard or is pushed aside, the employee could feel somewhat alienated from the company itself; they could be looking elsewhere for work and offering up confidential company information simply out of spite.

Negative performance reviews can be beneficial for coaching an underperforming employee to work harder, but they can also push the employee off the edge, so to speak, and create an environment where they are left thoroughly disgruntled. I’ve always used the policy of a compliment sandwich: make sure you butter up the person you want to reprimand with what they’re doing right before you criticize what they’re doing wrong or what you’d like to see them change. This offers a balance instead of only negativity.
 

Predisposed and Counterintuitive Behaviors

Not all disgruntled employees are going to attempt to destroy the company out of spite.
 
Here are some prevention tactics to avoid malicious behavior:
 
Accountability and monitoring
Access Controls
Use of Encryption Technologies
 
One of the most challenging aspects of avoiding predisposed/counterintuitive behaviors is establishing what “authorized usage” entails. If there are problems within the system itself that allow inner-company malicious behavior to happen, these need to be nipped in the bud.
 
Establishing identification for employees that can equate to a digital footprint is essential for accountability. Monitoring user behavior is also significant.
 
Access controls are often better suited to an impartial third party which can regulate power as an outside entity. This lessens the chance of users with the same amount of control abusing their power.

Encryption technologies do not completely prevent inner and outer attacks but are an invaluable resource to have.
 
The damage from malicious behavior can be staggering. The same could be said for unintentional human errors. Both have large impacts on the business.
 
The reputation of the business could be affected
Loss of revenue
Possible Lawsuits
 
These are just a few; there could be many more repercussions. To avoid security flaws, there are a few things we can do to harden our security posture.
 
How can we harden our security posture?
 
Monitor all login activity from hospital staff accounts, all deletions and modifications.
Monitor where everyone is logging in from; if it’s from a new location this should cause an alert.
Data loss prevention system
Next generation firewall that monitors applications
HR-provided employee assistance programs
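
An added example, not part of the original article: a minimal sketch of the first two monitoring items above, run over a constructed audit log. The account names, locations, log format, baseline and the review_events function are all assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample audit log (not real data):
# time, user, action, source location, object
SAMPLE_LOG = """\
2024-08-14T08:02:11,asmith,login,Boston-US,-
2024-08-14T08:15:40,asmith,modify,Boston-US,chart/1182
2024-08-14T09:01:03,bjones,login,Boston-US,-
2024-08-14T13:47:25,asmith,login,Unknown-VPN,-
2024-08-14T13:49:02,asmith,delete,Unknown-VPN,chart/1182
2024-08-14T14:10:56,bjones,delete,Boston-US,billing/77
"""

# Hypothetical baseline: locations each account has logged in from before
BASELINE = {"asmith": {"Boston-US"}, "bjones": {"Boston-US"}}


def review_events(log_text, baseline):
    """Return (alerts, change_log) for a CSV audit log.

    alerts: logins from a location not in the user's baseline, plus any
            delete/modify made from such a location.
    change_log: every delete/modify, kept for routine review.
    """
    known = defaultdict(set, {u: set(locs) for u, locs in baseline.items()})
    flagged = defaultdict(set)  # user -> locations first seen in this log
    alerts, change_log = [], []
    for ts, user, action, loc, obj in csv.reader(io.StringIO(log_text)):
        if action == "login":
            if loc not in known[user]:
                alerts.append((ts, user, "NEW_LOCATION_LOGIN", loc))
                flagged[user].add(loc)
                known[user].add(loc)  # alert once per new location
        elif action in ("delete", "modify"):
            change_log.append((ts, user, action, obj))
            if loc in flagged[user]:
                alerts.append((ts, user, f"{action.upper()}_FROM_NEW_LOCATION", obj))
    return alerts, change_log


if __name__ == "__main__":
    alerts, changes = review_events(SAMPLE_LOG, BASELINE)
    for alert in alerts:
        print("ALERT", *alert)
    print(len(changes), "changes recorded for review")
```

A deletion made minutes after a first-time login from an unfamiliar location is reported as its own alert, so it stands out from the routine change log.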
 
It’s important to remember that it is impossible to eliminate security threats, however, we can do our best to avoid them.
 
You are never completely safe from a malware/ransomware attack; to guard against this, every company should have a data loss prevention system in place. This would involve backing up all information. The prevention tactics for Malicious Human Behaviors are very similar to those for Unintentional Human Error. Both factors can lead to the same problems, so the security posture should be similar. With open transparency within the company and attention to the employees, we can work together to prevent these kinds of mistakes/attacks.
 

Security Culture

Cyber security involves many different technical and informational solutions that need to be adopted and implemented. With these in place you can position an organization for the greatest chance of resiliency from security threats.
 
Developing a security culture involves these two facets:
 
Combining security practices with business operations
Demonstrating that security is not a function to dump on the IT department

In the past, many companies all had their own IT departments, leaving them to deal with issues involving security on their own. An associate gets a virus? Call the IT department. An associate’s computer is frozen? Call the IT department. Establishing a healthy security culture within an organization allows all employees to take a stance on their own security and awareness of outside/internal threats.
 

Awareness Training

 
Individuals are the weakest link of the cyber security chain!
Employees must be actively involved in an organization’s cyber security methods.
 
Proactive solutions:
 
Just as many companies offer training exercises in case of a natural disaster or active shooter, there should be video training exercises for ransomware attacks.

The IT department should routinely send faux-phishing scam emails to see if employees fall victim. This is great because it offers training for those who might not have experienced such a thing before.
 

Addressing Unintentional Behaviors

Train employees to recognize phishing and other social media threats
Train continuously to maintain proper levels of skill, knowledge as well as ability
Improve usability of security tools
Training on awareness for risk perception/cognitive biases
Enhance awareness of insider threats
Discipline/Enforcement on policies and guidelines
Maintain staff values and attitudes that align with organizational mission/ethics
Open door policy
Productive work setting
 
Keeping these factors in mind will have your organization on its way to keeping up with cyber security standards. If you have any questions regarding this article or how to secure your company please contact 4Leet today.

About the Author

Jenna LaBonte
Bachelor of Science Information Technology Cyber Security
