Thursday, November 26, 2009

Unintentional Insider Attacks

In this week’s Cyber Risk Report, we noted a recent article on CSO Online that mentions a rise in internal security incidents caused unintentionally or non-maliciously by employees. Employees, especially younger ones who have had a lifelong connection to computers and the Internet, are becoming more involved with technologies and Internet resources in the workplace. As a result, companies are finding that their security policies, and in some cases their perimeters, are being breached by workers who are determined to access files, media, websites, or communities that are considered off-limits. Organizations and their security teams are challenged by the rise in disobedience and disdain for established policy. How can they be stopped?

They can’t.

User access control is a grand paradox for computer security. Data is useless without access, and access is impossible without some user to control a system or at least to maintain it. Wherever there is human interaction with a computer, there is a potential for the user to bend, stretch, or break their permissions to do things that they are not supposed to do. Technical controls can certainly be established, but even the most stringent controls like DRM can be broken. Portable electronics are growing smaller every day, and cell phones are some of the most versatile pieces of equipment for a determined attacker. Cameras, Internet access, and even custom applications make today’s phones a nightmare for a controlled environment. And even low-tech attacks like remembering information and writing it down on paper can cause information to leak out of an organization. There is simply no way to stop a user from abusing their rights.

Controls for human factors, therefore, are not rigid like technical controls. Organizations must set boundaries and guidelines that are not seen as overly restrictive. Any time a user feels as if their purpose (whether their personal goals or their occupational ones) is hindered, there is a risk that they will put themselves above the corporation. If an employee in Sales needs to access a video of a competitor’s presentation from a public site that is banned by corporate policy, she might circumvent controls to ensure she can meet her quota. If a network administrator needs to troubleshoot a problem across a range of devices in an area, he might install a rogue wireless access point to connect his laptop to the network, reasoning that it makes the job go faster and saves the company the cost of his lost productivity.

The best way to ensure that controls are not seen as overly restrictive is to generate awareness and training around them. Whenever possible, not setting arbitrary controls in the first place is also effective. Users must understand why they are being denied something that they could see as important to their work, and they must buy into the rationale presented by the company. Alternative options will also help employees feel like they have a way to get the required work done without compromising the things that the corporation feels need to be strongly protected.

Discipline is also important. Not only must the punishment for infringement fit the infraction, but it must be consistently applied. Nothing irks a subordinate more than to see their superiors able to use political clout to thwart the same controls that they must abide by. Pervasive unfair treatment of security policies can quickly lead to someone breaking the rules just to feel that balance has been restored.

And finally, monitoring and management of information brings a technical control to bear on human problems. Instead of actually limiting use, monitoring ensures that the right kind of information is flowing, that excessive quantities of data aren’t being shipped to a competitor, and that bandwidth isn’t being consumed by videos that only a few employees watch. Network situational awareness leads to an organization that is able to permit actions and monitor them, rather than forbid actions and drive them into dark recesses or side channels that cannot be monitored. Combined with a fair and accessible acceptable use policy, this approach lets organizations succeed by cooperating with users instead of working against them.
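The "permit and monitor" stance above is easiest to see with a concrete check. The following is an added example, not code from the original post or from Cisco: it reads constructed outbound flow records (the field layout, user names, addresses and byte counts are all assumptions made for this illustration), totals outbound bytes per user, and flags any user whose volume is far above the median of their peers, along with the destination receiving most of that user's data. It permits the traffic and only surfaces the outlier for a human to review, which is the behaviour the paragraph argues for.

```python
"""Flag users whose outbound volume stands out from their peers.

Added example (not from the original post): a minimal "permit and monitor"
check over constructed outbound flow records. The record layout, hostnames,
user names and byte counts are all assumptions made for this illustration.
"""
from collections import defaultdict
from statistics import median

# Constructed sample records: "<timestamp> <user> <dst_ip> <dst_port> <bytes_out>".
# Addresses are from documentation ranges; nothing here is real traffic.
SAMPLE_FLOWS = """\
2009-11-23T09:12:01 alice 203.0.113.10 443 48213
2009-11-23T10:02:44 alice 203.0.113.10 443 51000
2009-11-23T14:30:09 alice 198.51.100.7 443 50787
2009-11-23T09:40:15 bob 198.51.100.7 443 120044
2009-11-23T16:11:58 bob 203.0.113.10 80 99956
2009-11-23T11:05:33 carol 203.0.113.10 443 40000
2009-11-23T22:47:02 dave 203.0.113.50 443 9000000
2009-11-23T23:15:40 dave 203.0.113.50 443 7500000
"""


def parse_flows(text):
    """Turn whitespace-separated flow lines into dicts, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # blank or truncated line: ignore rather than crash the report
        ts, user, dst, port, nbytes = parts
        try:
            flows.append({"ts": ts, "user": user, "dst": dst,
                          "port": int(port), "bytes": int(nbytes)})
        except ValueError:
            continue  # non-numeric port or byte count
    return flows


def bytes_per_user(flows):
    """Total outbound bytes per user over the whole window."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["user"]] += f["bytes"]
    return dict(totals)


def top_destination(flows, user):
    """Return (destination, share of the user's bytes) for the user's busiest destination."""
    per_dst = defaultdict(int)
    for f in flows:
        if f["user"] == user:
            per_dst[f["dst"]] += f["bytes"]
    dst, nbytes = max(per_dst.items(), key=lambda kv: kv[1])
    return dst, nbytes / sum(per_dst.values())


def flag_outliers(flows, factor=5.0):
    """Flag users sending more than `factor` times the median of their peers.

    The median is taken over the *other* users so one very large sender does
    not raise the baseline for everyone else. Nothing is blocked; the result
    is a review list for an analyst.
    """
    totals = bytes_per_user(flows)
    findings = []
    for user, total in totals.items():
        peers = [v for u, v in totals.items() if u != user]
        if not peers:
            continue  # a single user has no peer group to compare against
        baseline = median(peers)
        if baseline > 0 and total > factor * baseline:
            dst, share = top_destination(flows, user)
            findings.append({"user": user, "bytes": total, "baseline": baseline,
                             "top_dst": dst, "top_dst_share": round(share, 3)})
    return findings


if __name__ == "__main__":
    for finding in flag_outliers(parse_flows(SAMPLE_FLOWS)):
        print("review: {user} sent {bytes} bytes (peer median {baseline}); "
              "{top_dst_share:.0%} went to {top_dst}".format(**finding))
```

On the sample data only `dave` is flagged: his 16.5 MB is more than five times the 150 kB peer median, and all of it went to a single destination. The peer-median baseline is deliberately simple; in practice the window, the multiplier and a per-role baseline would be tuned so that normal heavy users (backups, media teams) do not show up every day.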

Original article.