Sun, Aug 5, 2018

When It Comes to Information Security, Employees Can Be Your Most Important Asset and Your Greatest Threat

The script for a large-scale information security failure has become predictable. An employee or trusted vendor makes an error in configuration or design, or fails to follow good security practices. A hacker or thief takes advantage of the error. The media, a regulator or a litigant then makes the company and its CEO pay publicly for the failure.

In response to this repeating corporate nightmare, companies have stepped up their ability to police preventable errors. 73% of companies surveyed by Kroll have cyber security policies and procedures, and 74% (76% last year) have already implemented employee training and whistleblower programs. A mentality of user distrust is becoming the norm in IT Security departments. We’ve heard more than one IT manager refer to employees as “the enemy,” noting that “computers don’t commit crimes, people do!”

Yet, the number of data breaches has not slowed down.


Make security part of the work process to promote sustainability

Does the continued occurrence of data breaches mean that security-related training, policies, and protocols do not work? No – it means that these elements are not enough when implemented in a standalone way. The key to leveraging their benefits more fully is to make information security part of employee workflows.

An approach that Kroll has found to be effective is to determine an overall risk rating (ORR) for each process that touches key data. Start with a security review that focuses on how employees actually work and think. This is not an audit. Indeed, 80% of all respondents to Kroll’s survey already conduct security audits, but an audit reviews existing controls at one point in time, whereas this review follows the data through the day-to-day process.

This approach begins by understanding what must be secured: What do you have worth protecting? Who needs to access it and from where? Why does the current process pose a risk? What is the probability of the risk, and what is the impact to the business if the risk is realized? What is the cost of mitigating the risk?

Consider this scenario: ABC Company relies on an outside sales team for revenue. Salespeople need access to customer data. Each salesperson uses a company-provided laptop daily for email, calendar, document drafting, and social media. Over time, that laptop fills up with old data, is poorly updated, rarely backed up, and often used for personal as well as work activity. When it is lost, stolen, or hacked, a breach occurs.

New scenario: Each salesperson has a tablet with paid cellular access. The customer data and forms are stored in a document management system in the cloud, and never on the tablet. The tablet has mobile device management software that blocks all browsing. The device is encrypted and, if lost, can be remotely wiped. No local storage, no vampire data or data hoarding. No “drive-by” infection, because there is no browsing. Security improves because it is now part of the workflow.


Make clear security rules, train on them, and enforce the rules consistently, with real consequences for noncompliance.

Workflow-integrated security risk management is a great start, but the rules themselves matter too. The security rules must be clear. They must be followed by all staff. Everyone is trained and tested on these rules, and there must be consequences for noncompliance.

Organizations must also look at information risks within the context of their total security posture. A physical control policy is critical. After all, data can be stolen just as easily from an unattended desk or desktop as from cloud storage.

Criminals know it’s far easier to trick an employee into making a mistake through social engineering than to defeat a technical control. Criminals take advantage of goodwill in human nature. Consider the lost-key drop. An employee finds a ring of keys on company property with no name tag, but with a USB memory stick attached. Hoping to find information that will reunite the keys with their owner, the employee plugs the USB stick into his or her computer. The employee has unwittingly installed malware that could devastate the company.

The protection against this is simple: train people, then test their training. A good security training plan is more than a lecture; it is a running test. Send spoofed emails and see who responds. Have an outsider try to walk in carrying a pizza. Technical controls that back up the training, such as blocking removable media on workstations with no business need for it, limit the damage when someone does plug in the wrong drive.
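The “spoof emails and see who responds” test only teaches something if the results are attributed and measured. The script below is an added example, not Kroll’s tooling or anything from the article: it scores a simulated phishing exercise from the web-server log of the landing site. The roster, the per-recipient token scheme (/c/&lt;token&gt; for a link click, /s/&lt;token&gt; for a credential submission on the fake login page) and the log lines are all constructed for illustration.

```python
"""Score a simulated phishing exercise from landing-site web-server hits.

Added example, not from the Kroll article. The roster, token scheme and
log lines below are constructed for illustration only.
"""
import re
from collections import defaultdict

# Constructed roster for the exercise: per-recipient token -> (user, department).
# A unique token per recipient lets a hit be attributed without putting the
# e-mail address in the URL. Names and tokens are invented.
ROSTER = {
    "a7f3": ("alice", "sales"),
    "b2c9": ("bob", "sales"),
    "c4d1": ("carol", "sales"),
    "d8e2": ("dave", "finance"),
    "e5f6": ("erin", "finance"),
}

# Constructed combined-log-format lines from the landing host.
# GET /c/<token>  = recipient clicked the link in the test e-mail
# POST /s/<token> = recipient went on to submit credentials on the fake form
SAMPLE_LOG = """\
10.0.0.12 - - [05/Aug/2018:09:14:02 +0000] "GET /c/a7f3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.12 - - [05/Aug/2018:09:14:40 +0000] "POST /s/a7f3 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.31 - - [05/Aug/2018:09:20:11 +0000] "GET /c/d8e2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.31 - - [05/Aug/2018:09:20:15 +0000] "GET /c/d8e2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Aug/2018:10:01:00 +0000] "GET /c/zzzz HTTP/1.1" 404 0 "-" "curl/7.58"
10.0.0.12 - - [05/Aug/2018:10:05:33 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
PATH_RE = re.compile(r"^/(?P<kind>[cs])/(?P<token>[A-Za-z0-9]+)$")


def parse_events(log_text):
    """Yield (token, kind) for requests that hit a campaign path.

    kind is 'c' for a link click (GET /c/<token>) or 's' for a credential
    submission (POST /s/<token>). Other requests and malformed lines are skipped.
    """
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        p = PATH_RE.match(m.group("path"))
        if not p:
            continue
        kind, method = p.group("kind"), m.group("method")
        if (kind == "c" and method == "GET") or (kind == "s" and method == "POST"):
            yield p.group("token"), kind


def score_campaign(log_text, roster):
    """Return per-user outcomes and per-department rates for the exercise.

    Each recipient is counted at most once per outcome, so repeated clicks do
    not inflate the rate. Tokens not in the roster (scanners, typos) are
    reported separately rather than silently dropped.
    """
    outcome = {user: "no_action" for user, _ in roster.values()}
    unknown = set()
    for token, kind in parse_events(log_text):
        if token not in roster:
            unknown.add(token)
            continue
        user = roster[token][0]
        if kind == "s":
            outcome[user] = "submitted"  # worst outcome wins
        elif outcome[user] == "no_action":
            outcome[user] = "clicked"

    by_dept = defaultdict(lambda: {"recipients": 0, "clicked": 0, "submitted": 0})
    for user, dept in roster.values():
        d = by_dept[dept]
        d["recipients"] += 1
        if outcome[user] != "no_action":
            d["clicked"] += 1  # a submission implies the link was followed
        if outcome[user] == "submitted":
            d["submitted"] += 1
    for d in by_dept.values():
        d["click_rate"] = d["clicked"] / d["recipients"]

    return {"users": outcome, "departments": dict(by_dept), "unknown_tokens": sorted(unknown)}


if __name__ == "__main__":
    import json
    print(json.dumps(score_campaign(SAMPLE_LOG, ROSTER), indent=2))
```

Reporting per department rather than per person is what makes the exercise a training instrument instead of a blame list, which is the point the article makes about supporting people who follow the rules; the per-user outcomes are still there for targeted follow-up training. Keeping unknown tokens visible also matters, since scanners and security appliances routinely fetch links and would otherwise be counted as employees.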

Management must follow the same rules. Nothing undermines a security protocol more than senior managers who fail to wear a badge, use their own equipment, or hold special access rights.

Management also needs to support people when they follow the protocols. Let’s say a CFO really does call an accountant and order an immediate funds transfer, but the accountant refuses to violate the protocol. If that employee is punished for doing the right thing, people will be afraid to follow the rules in the future.


Give people the tools to follow the rules.

Some simple tools can have a big impact. A locked drawer in which to place sensitive information at lunchtime or at the end of the day. A privacy shield to prevent unauthorized viewing of a laptop screen used on an airplane. A dedicated number to call when a question arises. Support security!

By assessing how your employees really work and then using that knowledge to put in place the right rules, tools, and compliance mechanisms, you can make your people a part of your security solutions – both cyber and physical – and by doing so, they can become your greatest security asset.
