Safeguarding users with a Human Point System in security policy
FYI, this story is more than a year old
Three years ago, the Global Leadership Summit in London held a survey that found 34% of business leaders believed more than half of their company’s full-time workforce would be working remotely by 2020, a prediction that is still on track to becoming a reality.
The continual advancement of technology has unquestionably transformed the way we live and work. Cloud adoption and mobile devices have allowed for a more accessible workplace. Employees can now engage with office tools and data wherever they are, a change which has led to unprecedented improvements in productivity, collaboration and employee engagement.
The new workplace setting, such as remote working, bring your own device (BYOD), and widespread cloud app usage, have each contributed to a change in workplace expectations.
Many employers now carry new standards for employee availability and expect more connectivity out of office. Similarly, employees expect more flexibility in their workplace, demanding adaptable IT infrastructure capable of supporting their lifestyle choices – with flexible and remote working becoming an important feature of this trend.
Recently, a forecast of employment trends by the World Economic Forum called flexible work, including virtual teams, “one of the biggest drivers of transformation” in the workplace.
The evolving workplace will create new challenges for organisations - what are the impacts of these changes on security? How do we control our critical business data and IP in a cloud and mobile era? And what systems are needed to better protect organisations from data breaches?
Outdated protection models
According to Gartner estimates, worldwide spending on information security is expected to reach $90 billion this year, an increase of 7.6% over 2016, and is expected to top $113 billion by 2020.
While increased spending should theoretically result in fewer incidents, that hasn’t happened in reality, suggesting many organisations are still investing in the traditional security systems.
In the U.S. alone, companies and government agencies suffered a record 1,093 data breaches in 2016, an increase of 40% from the year before. Clearly, organisations require a new approach to security. It’s time for the industry to move away from the traditional approach of protecting a network.
With mobile, cloud and IoT, users and critical data are everywhere. These technologies have eliminated the traditional perimeter. We’re now living in a zero-perimeter world where the perimeter is no longer defined by the boundaries around the data centre. Organisations need to focus on the only constant in the face of technological changes – the people.
People-centric approach: recognising the new perimeter
While cyber security strategies in the past centred on building walls around the network perimeter. Today, people are the new perimeter.
Unsanctioned apps, private devices and remote connections make security a constant challenge, so security strategies need to have a people-centric approach – something that can be achieved through a combination of technology, policies, cultural changes and intelligent systems.
Observing human behaviour and understanding user-intent is the key to better security and to protect against critical business data and IP loss. By focusing on how, when, where and why people interact with critical data and IP, organizations can more effectively identify and address risk.
Shaping the technology-policy framework
User education and enablement should be the first step in any security policy.
To deliver this, organisations need to better understand modern user practices, to create a policy of dos and don’ts built around the users and a focus on both enablement and security in equal measure.
Modern security tools are able to align with data-use policies, allowing organisations to better enforce proper handling of critical data, and prevent its unauthorised use– be that through malicious, unintentional or socially engineered threats.
For establishing truly effective policies, organisations need to have a good degree of visibility over users’ behaviour and intent. Being across people’s movements in data centres, offices and cloud environments is pivotal to identifying anomaly in normal user behaviour and to help quickly identify potential breaches and stop them before they happen.
Human Point system
One of the biggest mistakes an organisation can make is in believing that a breach will never happen to them as they have everything under control. User complacency can lead to behaviours inducing serious threat risks – increasing an organisation’s chance of experiencing a breach incident, whether that’s accidental or compromised.
With the headline grabbing security beaches this month – Deloitte, The Securities & Exchange Commission (SEC) and Equifax, organisations must quickly focus on the human point at the intersection of people with systems and critical data. It’s at this point where information is most useful in creating value, but also most vulnerable to a single malicious or unintentional act.
The Human Point system will allow organisations to understand the normal rhythm of users’ behaviour and the flow of data in and out of the organisation to identify and respond to risks in real-time.
For effective security and risk management – people, process and technology are all important elements that must combine to form a human-centric security. It enables enterprises to better understand human behaviours and the intent that drives them in order to protect critical data and IP everywhere.
Article by Guy Eilon, A/NZ country manager of Forcepoint.