Fortifying the Last Line of Defense Against Cybercrime: End Users
While security bugs like Heartbleed make major headline news, there’s a more mundane but widespread vulnerability with the potential to impact every IT system in the world: end users.
An unsuspecting end user, whether a customer or employee, can make a mistake that has far-reaching consequences for a financial institution and its clients, in addition to the damage that can be inflicted by an unscrupulous insider. Anyone who uses a computer or mobile device that’s connected to an organization’s infrastructure can become the weakest link in its security defense.
Educating end users about how their everyday decisions impact security is one of the most cost-effective ways to mitigate risk. The Point talked to Mike Seifert, vice president for Enterprise Risk and Resilience at Fiserv, about how an understanding of behavioral risks and mitigation tactics can help prevent end user data loss and theft.
What role does education play in risk mitigation?
Informed users make better decisions. As the last line of defense against cybercrime, end users need to know what creates risk and what doesn’t – and what constitutes acceptable computing practices in your organization. Don’t assume everyone knows how your security structure works and how their behavior can create holes in the system. End users may try to circumvent controls by utilizing websites on the Internet instead of tools that are available on their workstations, not realizing that their actions put confidential information in third-party hands, for instance. These are risks that are often overlooked or misunderstood by an organization.
What’s the biggest risk posed by end users?
Phishing is the root cause of almost every large-scale cybercrime or data breach, and people are highly susceptible to it. For example, Fiserv works with an organization that routinely performs independent test phishing campaigns against small and midsize financial institutions, and finds that nearly 60 percent of end users in these banks and credit unions click through to suspicious links in the test emails. In the real world, this means that each of these users’ workstations may now be compromised by malicious software, which is quite alarming. Education helps users identify external threats – and exercise healthy skepticism when an email doesn’t seem quite right.
Are there other risks?
Data loss occurs when people pull information out of a system, such as proprietary information, intellectual property, or data about clients or consumers and copy or transfer that information to systems or media outside of an organization’s control or on the Internet. If you give users the ability to copy data, they will. Organizations must control where confidential information can and can’t go – a task that’s complicated by the proliferation of mobile devices and apps that are designed to quickly and easily share information. Organizations also face program-based risks that happen when users don’t understand or ignore security policies and standards for how information is securely handled.
If human beings are always a weak spot, can organizations ever be secure?
End users must understand that their online behaviors and decisions can put computing resources and information at risk. As a result, they must be more skeptical, aware and deliberate as they carry out their day-to-day activities. In addition to concerted education efforts, organizations must manage their control environment, implement security controls, and ensure monitoring, detection and oversight capabilities are in place. Beyond following secure computing practices, a security-aware employee knows how and when to report or escalate suspicious situations for further investigation. There will always be an element of human risk to any security protocol, but organizations that work to mitigate that risk will see results.
Learn more about Mike Seifert’s RSA Conference 2014 presentation, "They Did What?! How Your End Users Are Putting You at Risk."