
Safeguarding your most valuable assets, your people

Daniel Hayes, Head of Cybersecurity

In my last blog I noted that research suggests that up to 85% of security incidents or breaches start with a person. Given that, it’s no surprise that the most targeted types of data are credentials and personal data.

That’s alarming, right? It’s not only people and their actions that cause or enable breaches; information about us is itself the target of the breach – specifically, information on who we are and how we use our systems: our identities and credentials. Once obtained, attackers re-use that information to access their target systems and launch an attack.

This is what gives rise to the often quoted line that “Attackers don’t break in: they log in”.

Now, nobody wants to find themselves in the position where they’ve been breached, through any means. So let’s look at some things we should do in order to lessen the chances of this happening, focusing on People and Identity.

While it’s undeniable that People, the identities they’re assigned, and the credentials they use to gain access to systems are intertwined, we should consider them separately, as well as together.

An engaging Security Awareness program

While few people get excited about doing security awareness training, the reality is that people are the first line of defence and often the weakest link. We can put robust technology in place at the perimeter and on our devices, but attackers will try to bypass it and get inside the network through the softest target in the organisation. If people are not prepared to identify an attempted attack and react properly, it’s a hole in your defences that is hard to block. If a user can be tricked into providing access by disclosing information or allowing some other form of entry, we’re playing catch-up.

A well-planned, organised, and executed training and awareness program can arm users with the knowledge needed to detect and react the right way, which dramatically improves an organisation’s resilience. Our people can become a strength, rather than a weakness.

The program shouldn’t just be about forcing users to watch presentations and then answer a series of questions, though; users switch off and the training becomes ineffective. The training itself needs to be engaging – a combination of static and video-based content, for example – and, beyond that, studies have shown that actively assessing and measuring how well people react to a range of tests, then responding to their behaviour with an immediate learning and reinforcement opportunity, can significantly improve their resilience.

It’s also tempting to think of security awareness training as just being about educating people on what a phishing email looks like. I won’t deny that this is a critical part – but a thorough program will cover a range of security topics: passwords, portable and BYO devices, removable storage, shadow IT, web safety, physical security, and so on.

Overall, then, the aim of a security awareness training program is to improve the front line of your organisation’s defences – your people – by engaging, educating, testing and measuring, so that their ability to protect your most critical asset – your data – keeps improving. When selecting a technology and delivery partner for this, make sure all of these aspects are addressed.

Identity Management

Now that we’ve tackled supporting our people by giving them the knowledge to avoid being tricked into sharing information or access, let’s move on to how we can help them securely manage that information, so that it’s not available to attackers through means beyond their control.

While a well-designed and implemented identity management solution can have significant operational benefits (reduced duplication, easier integration, less wasted time, etc.), it is, more importantly, a key element in an organisation’s security posture, addressing risk and improving security outcomes. Note that, in the context of this article, we’re using the word “identity” exclusively to describe a user or a user’s account. We’re not talking about the identities of applications, systems and other interconnected pieces – not because these are less critical, but because we’ll get to those in a future edition.

1. Centralise your identity stores.

Wherever possible, make sure there is just one “source of truth” for storing and maintaining information on people, their identities and credentials, and how those are used; this reduces the chances of that data being manipulated or breached. Secondary or duplicate stores give rise to stale data, which can fly under the radar and quickly become a weakness in your security posture. Information that is not kept up to date is easily excluded from important security checks, and even data that is maintained, but maintained manually, has the potential to be missed.

Centralised, automatically maintained data is more likely to be current and protected, and it reduces the chance of orphaned repositories and simple authentication, which often arise when people cut corners because they have to manage data in multiple locations.

Core systems such as Microsoft’s AD and Azure AD are increasing their capabilities to be used in this capacity, but for more complex requirements there are many other technology options in the market – ranging from specialised identity stores to solutions which cover the full range of identity, privilege, authentication and access requirements.
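As an added illustration (not code from the original post), here is a small reconciliation check that compares a secondary identity store against the central source of truth and flags the orphaned, inconsistent and stale accounts the paragraphs above warn about. The directory contents, the dates and the 90-day staleness threshold are constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool
    last_updated: date   # when this store last touched the record


# Constructed sample data: the central source of truth and a secondary
# application directory that is supposed to mirror it.
SOURCE_OF_TRUTH = {
    "alice": Account("alice", True, date(2024, 3, 1)),
    "bob": Account("bob", False, date(2024, 2, 20)),    # offboarded centrally
    "carol": Account("carol", True, date(2024, 3, 2)),
}
SECONDARY_STORE = {
    "alice": Account("alice", True, date(2024, 3, 1)),
    "bob": Account("bob", True, date(2023, 11, 5)),     # never disabled here
    "dave": Account("dave", True, date(2023, 9, 14)),   # exists only here
}
TODAY = date(2024, 3, 10)   # constructed reference date for the check


def reconcile(source, secondary, today=TODAY, max_age_days=90):
    """Compare a secondary identity store against the source of truth.

    Returns {user_id: [finding, ...]} for accounts that are orphaned
    (absent from the source), inconsistent (enabled state differs) or
    stale (not updated within max_age_days)."""
    findings = defaultdict(list)
    stale_before = today - timedelta(days=max_age_days)
    for uid, acct in secondary.items():
        master = source.get(uid)
        if master is None:
            findings[uid].append("orphaned: not in source of truth")
        elif master.enabled != acct.enabled:
            findings[uid].append(
                f"state mismatch: source enabled={master.enabled}, "
                f"secondary enabled={acct.enabled}")
        if acct.last_updated < stale_before:
            findings[uid].append(f"stale: last updated {acct.last_updated}")
    return dict(findings)


if __name__ == "__main__":
    for uid, problems in reconcile(SOURCE_OF_TRUTH, SECONDARY_STORE).items():
        print(uid, "->", "; ".join(problems))
```

Running it reports bob (disabled centrally but still enabled, and stale, in the secondary store) and dave (an orphaned, stale account with no central record), while alice is clean.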

2. Multi-Factor Authentication (MFA)

MFA is one of the most effective ways to protect against unauthorised access to your organisation’s valuable information and accounts. It requires at least two of: something the user knows (a PIN or a secret question), something the user has (a card or token) and something the user is (a fingerprint or other biometric). The added layers of proof make it more difficult for attackers to gain access.

Another branch of MFA is Adaptive Authentication, which looks at the behaviour of a user when authenticating and analyses the context – for example, the time and location of the login, or the network and device being used – to understand the level of risk associated with the login attempt. Conditional Access Policies, deployed as part of Microsoft’s identity and access suite, are a great example of how this can work in conjunction with MFA policies to deliver a robust and secure solution.
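To make the adaptive authentication idea concrete, here is an added example (not from the original post, and not Microsoft’s Conditional Access implementation) of a risk scorer that weighs the time, location, network and device of a login and maps the total to allow, step up to MFA, or block. The per-user baseline, the sample logins, the point values and the thresholds are all constructed assumptions.

```python
from collections import namedtuple
from datetime import datetime

# Per-user baseline a real system would learn from login history, and the
# context of one login attempt (time, location, device, network).
UserBaseline = namedtuple("UserBaseline", "usual_countries known_devices work_hours", defaults=[(7, 20)])
LoginAttempt = namedtuple("LoginAttempt", "user when country device_id corporate_network")

# Constructed baseline: alice normally logs in from Australia on one laptop.
BASELINES = {"alice": UserBaseline({"AU"}, {"laptop-a1"})}

# Constructed sample logins, keyed by a label for the demo and the test.
SAMPLE_LOGINS = {
    "office_hours_known_device": LoginAttempt("alice", datetime(2024, 3, 5, 10), "AU", "laptop-a1", True),
    "night_from_home": LoginAttempt("alice", datetime(2024, 3, 5, 2), "AU", "laptop-a1", False),
    "abroad_unknown_device": LoginAttempt("alice", datetime(2024, 3, 5, 10), "RO", "phone-x9", False),
    "no_baseline_user": LoginAttempt("mallory", datetime(2024, 3, 5, 10), "AU", "laptop-a1", True),
}


def risk_score(attempt, baseline):
    """Add points for each contextual signal that departs from the baseline."""
    start, end = baseline.work_hours   # local hours: start inclusive, end exclusive
    signals = [
        (attempt.country not in baseline.usual_countries, 40, "unfamiliar country"),
        (attempt.device_id not in baseline.known_devices, 30, "unknown device"),
        (not attempt.corporate_network, 15, "off corporate network"),
        (not start <= attempt.when.hour < end, 15, "outside usual hours"),
    ]
    hits = [(points, reason) for fired, points, reason in signals if fired]
    return sum(p for p, _ in hits), [r for _, r in hits]


def decide(attempt, baselines=BASELINES):
    """Map the score to a conditional-access style action."""
    baseline = baselines.get(attempt.user)
    if baseline is None:
        return "require_mfa", ["no baseline for user"]   # fail safe, not open
    score, reasons = risk_score(attempt, baseline)
    if score >= 70:        # several unfamiliar signals at once
        return "block", reasons
    if score >= 30:        # one strong or two weak signals: step up
        return "require_mfa", reasons
    return "allow", reasons


if __name__ == "__main__":
    for label, attempt in SAMPLE_LOGINS.items():
        print(label, "->", decide(attempt))
```

The decision always carries the reasons that fired, so the same record can feed a SIEM alert or an audit trail rather than just the login prompt.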

Supporting your people by equipping them with the right knowledge and awareness of cybercrime is vital, but it must be bolstered by a dependable set of technology-based checks and balances. Cyber criminals make it their business to invent new ways to confuse and manipulate users, so ensuring you have these critical programs and security systems in place will reduce your organisation’s risk and bring confidence to your people and customers.
