Human error is the single greatest point of failure when it comes to information security risks. Proofpoint research indicates that URL-based attacks have given way to social engineering and "constantly evolving" campaigns that "deliver malware payloads." Today's most effective cybercriminals are aware of the fact that humans often act as the most vulnerable gatekeepers to an organization's network. Symantec Research indicates that over the past month alone, 19.2 new variants of malware were detected and 1 in every 125 emails contained malware.
Why People are an Information Security Risk
Mimecast writes that targeting humans as an information security vulnerability "just makes economic sense." When cyber-criminals invest "a little time in social engineering" to develop malware-laden messages that appeal to the recipient, their payoff can be immense. Modern IT managers should pay close attention to the role of human error and risk in information security over the months and years to come. In this blog, you'll learn how to improve your PCI-DSS compliance efforts and information security policies in light of this recent trend.
Educate Your People
PCI Requirement 12.6 requires organizations to perform ongoing information security education efforts. If your training programs have an actual impact on human behavior, they can mitigate risks in the enterprise. The leading organizations are 70% more likely to invest in end-user awareness programs.
Half of the worst security breaches are caused by human error, and there's evidence that security education simply isn't effective unless it teaches your employees how to behave. Your employees need more than information about the latest risks or details on how a data breach might affect the organization. They need the knowledge and tools to make the right, risk-averse decisions at all times.
An annual four-hour training session on security risks may not lead to much knowledge retention over time. Instead, CSO recommends "training in context" through ongoing exercises and activities year-round. By launching simulated phishing campaigns or other internal penetration testing exercises, your employees can develop contextual knowledge of how to act on a day-to-day basis.
Place the Responsibility on Your Talent
Even IT professionals are often guilty of some of the riskiest security behaviors. One of the most concerning studies in recent months indicated that 52% of IT employees share passwords, even with external contractors. Seventy-four percent believe their organizations could do a better job at monitoring access. In addition to awareness training and exercises, leadership must work to place the responsibility of data protection on employees' shoulders.
Information security isn't an IT-only effort. It's a company-wide effort that can flounder without organizational support. It's clear from both PCI guidelines and experience that these efforts should begin in the C-Suite and start at the time of hiring new talent. PCI Requirement 12.7 requires that new hires be screened, which can include credit checks and background checks to reduce the risk of internal theft. Requirements 12.3 and 12.4 address the need for clear policy and guidelines around usage.
Making the shift to a culture of security responsibility will require collaboration between IT and HR, as well as other functions within the organization. The responsibility to protect information should be added to position descriptions, employee onboarding processes, and routine training. By using policy and awareness programs to make it clear that everyone is responsible for protecting sensitive data, IT managers can work towards a culture in which everyone owns risk mitigation.
Enforce Unique User IDs
Without unique User IDs and effective passwords, IT managers and forensics experts can struggle to identify the source of a data breach post-attack. PCI Requirement 8.1 specifies unique user IDs, which are a crucial aspect of effective access governance.
In addition to the technical infrastructure necessary to create and track unique user credentials, a comprehensive policy is critical. Your user policies must require regular password changes, forbid the use of default passwords, and specifically forbid users from sharing credentials.
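Policy alone does not reveal whether credentials are being shared; the authentication logs do. The following script is an added example, not code from the original post or from any product it mentions, showing one review a defender can run over login records: it flags an account that authenticates successfully from several distinct hosts within a short window (a common sign that one user ID is being shared) and any logins under generic account names. The log format, the window size and the list of generic names are assumptions for the example, and the log lines are constructed.

```python
"""Review authentication log lines for signs that a unique-user-ID policy
is not being followed. The syslog-like line format below is an assumption
for this example, and every log line is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: three quick logins as "jsmith" from three hosts,
# one login as a generic "admin" account, and ordinary activity for "mlee".
SAMPLE_LOG = """\
2016-04-20T08:01:12 auth: user=jsmith src=10.0.4.21 result=success
2016-04-20T08:03:40 auth: user=jsmith src=10.0.7.88 result=success
2016-04-20T08:04:02 auth: user=jsmith src=10.0.9.15 result=success
2016-04-20T08:10:55 auth: user=admin src=10.0.4.30 result=success
2016-04-20T09:30:00 auth: user=mlee src=10.0.4.22 result=success
2016-04-20T17:45:10 auth: user=mlee src=10.0.4.22 result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Generic or shared account names that should not appear in interactive logins
# under a unique-user-ID policy (assumed list for this example).
GENERIC_ACCOUNTS = {"admin", "administrator", "root", "guest", "operator"}


def parse_events(text):
    """Turn matching log lines into dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "src": m["src"],
            "result": m["result"],
        })
    return events


def shared_credential_suspects(events, window=timedelta(minutes=10), min_hosts=2):
    """Return {user: sorted hosts} for each user with successful logins from
    at least `min_hosts` distinct hosts inside any `window`-long period."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)

    suspects = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        best = set()
        start = 0
        # Sliding window over this user's successful logins, oldest to newest.
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {e["src"] for e in evs[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            suspects[user] = sorted(best)
    return suspects


def generic_account_logins(events):
    """Return the generic account names that appear in the log at all."""
    return sorted({e["user"] for e in events if e["user"] in GENERIC_ACCOUNTS})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("possible shared credentials:", shared_credential_suspects(evs))
    print("generic accounts in use:", generic_account_logins(evs))
```

The window-based check is deliberately conservative: it only fires on successful logins, so a single user trying the wrong password from a second machine does not trigger it, and the window length should be tuned to how fast a person could plausibly move between workstations in your environment.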
Invest in the Right Tools
Awareness, education, and access governance are only three components of mitigating human risk. Using the right technologies can allow organizations to monitor access among employees at all levels, including administrators. PCI Requirements 10.6 and 11.5 call for daily review of log files and the implementation of file integrity monitoring software. Reviewing network activity and user logins allows organizations to quickly detect unauthorized access and mitigate the risk of attacks in real time.
Agent-based file integrity monitoring software can allow administrators to monitor real-time risks throughout the entire network, including on company-issued laptops and mobile devices. While PCI requires that critical files be compared against a baseline at least weekly, exceeding this requirement with real-time integrity monitoring tools can significantly mitigate the impact of human risks.
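To make the file integrity monitoring idea concrete, here is an added example (not CimTrak's or any other product's code) of the core of such a tool: hash every file under a monitored directory into a baseline, re-hash later, and report what was added, removed or modified. The sample directory tree and the tampering applied to it are constructed inside a temporary directory so the script runs offline; a real deployment would store the baseline somewhere the monitored host cannot alter it and run the comparison on a schedule or on file-change events.

```python
"""Minimal file integrity monitoring: build a SHA-256 baseline of a directory
tree, re-scan, and diff the two. Added example; the sample files and the
changes made to them are constructed in a temporary directory."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Hash a file in fixed-size chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file (path relative to root, '/'-separated) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a link's target may change without the link changing
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare(baseline, current):
    """Return added, removed and modified paths between two baselines."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline three files, then change one, delete one
    and add one, and return what the comparison reports."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "conf/app.ini", b"debug=false\n")
        _write(root, "conf/users.txt", b"jsmith\nmlee\n")
        _write(root, "bin/run.sh", b"#!/bin/sh\necho ok\n")
        baseline = build_baseline(root)

        # Simulated unauthorized changes to the monitored tree.
        _write(root, "conf/app.ini", b"debug=true\n")       # modified
        os.remove(os.path.join(root, "bin", "run.sh"))      # removed
        _write(root, "conf/extra.ini", b"added later\n")    # added

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Hashing rather than comparing timestamps or sizes is what makes the check meaningful: an edit that preserves a file's length and resets its modification time still produces a different digest, and the comparison output is exactly the evidence a reviewer needs when working through the daily log review the previous section describes.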
Human behavior is likely to continue to be one of the most significant sources of information security threats in the enterprise. Innocent mistakes can result from education and awareness failures and a lack of contextual knowledge of how to behave. By creating a comprehensive security policy and implementing the right technical safeguards in compliance with PCI requirements, organizations can significantly decrease their insider threats.
For more information on CimTrak, a best-of-class option for real-time agent-based file integrity monitoring to reduce insider threats in your organization, click here to launch the instant preview, or download our solution brief to learn more today.
April 21, 2016