What Your Information Security Policy is Missing: The Human Side

Human error is the single greatest point of failure when it comes to information security risk. Proofpoint research indicates that URL-based attacks have given way to social engineering and "constantly evolving" campaigns that "deliver malware payloads." Today's most effective cybercriminals know that humans are often the most vulnerable gatekeepers to an organization's network. Symantec research indicates that over the past month alone, 19.2 new variants of malware were detected and 1 in every 125 emails contained malware.

Why People are an Information Security Risk

Mimecast writes that targeting humans as an information security vulnerability "just makes economic sense." When cybercriminals invest "a little time in social engineering" to develop malware-laden messages that appeal to the recipient, their payoff can be immense. IT managers should pay close attention to the role of human error and risk in information security over the months and years to come. In this post, you'll learn how to improve your PCI-DSS compliance efforts and information security policies in light of this trend.

Educate Your People

PCI Requirement 12.6 requires organizations to perform ongoing information security education. Training programs mitigate enterprise risk only when they actually change human behavior. Leading organizations are 70% more likely to invest in end-user awareness programs.

Half of the worst security breaches are caused by human error, and evidence suggests that security education simply isn't effective unless it teaches employees how to behave. Your employees need more than information about the latest risks or details on how a data breach might affect the organization. They need the knowledge and tools to make the right, risk-averse decision every time.

An annual, four-hour training session on security risks may not lead to much knowledge retention over time. Instead, CSO recommends "training in context" through ongoing exercises and activities year-round. Simulated phishing campaigns and other internal penetration testing exercises give employees the contextual knowledge they need to act correctly day to day.

Place the Responsibility on Your Talent

Even IT professionals are often guilty of some of the riskiest security behaviors. One of the most concerning studies in recent months indicated that 52% of IT employees share passwords, even with external contractors. Seventy-four percent believe their organizations could do a better job at monitoring access. In addition to awareness training and exercises, leadership must work to place the responsibility of data protection on employees' shoulders.

Information security isn't an IT-based effort. It's a company-wide effort that can flounder without organizational support. It's clear from both PCI guidelines and experience that these efforts should begin in the C-Suite, and start at the time of hiring new talent. PCI Requirement 12.7 requires that new hires be screened, which can include credit checks and background checks to reduce the risk of internal theft. Requirements 12.3 and 12.4 address the need for clear policy and guidelines around usage.

Making the shift to a culture of security responsibility will require collaboration between IT and HR, as well as other functions within the organization. The responsibility to protect information should be added to position descriptions, employee onboarding processes, and routine training. By using policy and awareness programs to make it clear that everyone is responsible for protecting sensitive data, IT managers can work towards a culture in which everyone owns risk mitigation.

Enforce Unique User IDs

Without unique user IDs and effective passwords, IT managers and forensics experts can struggle to identify the source of a data breach after an attack. PCI Requirement 8.1 specifies unique user IDs, which are a crucial aspect of effective access governance.

In addition to the technical infrastructure necessary to support the creation and tracking of unique user credentials, comprehensive policy is critical. Your user policies must address password changes on a regular basis, forbid the use of default passwords, and specifically forbid users from sharing credentials.

Invest in the Right Tools

Awareness, education, and access governance are only three components of mitigating human risk. Using the right technologies allows organizations to monitor access among employees at all levels, including administrators. PCI Requirements 10.6 and 11.5 recommend the daily review of log files and the implementation of file integrity monitoring software. Reviewing network activity and user logins allows organizations to quickly detect unauthorized access and mitigate the risk of attacks in real time.
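The daily login review described above, together with the "no shared credentials" policy from the previous section, can be partly automated. The following is an added example (not code from the original post or from any product it mentions): it parses a constructed sample of authentication log lines, flags a user ID that logged in successfully from more than one source address within a short window (a common symptom of a shared credential), and flags logins to generic accounts that PCI 8.1's unique-ID rule expects to be replaced by per-person IDs. The log format, the 30-minute window and the list of generic account names are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not taken from any real system).
SAMPLE_LOG = """\
2024-05-01T08:02:11Z user=alice src=10.0.1.15 result=success
2024-05-01T08:03:40Z user=alice src=10.0.1.15 result=success
2024-05-01T08:05:02Z user=alice src=203.0.113.7 result=success
2024-05-01T08:20:19Z user=bob src=10.0.1.22 result=success
2024-05-01T09:10:45Z user=admin src=10.0.1.30 result=success
2024-05-01T12:00:00Z user=bob src=10.0.2.9 result=success
"""

# Assumed line layout: ISO timestamp, user, source address, result.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Assumed list of generic/shared account names that should not be used for logins.
GENERIC_ACCOUNTS = {"admin", "root", "administrator", "guest"}


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        "src": m["src"],
        "result": m["result"],
    }


def review_logins(log_text, window=timedelta(minutes=30)):
    """Review successful logins and return two findings:

    possible_shared: user -> sorted list of source addresses when the same user
                     succeeded from more than one address within `window`.
    generic_accounts: generic account names that were used to log in.
    """
    events = [e for e in map(parse_line, log_text.splitlines())
              if e and e["result"] == "success"]
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = {"possible_shared": {}, "generic_accounts": []}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        if user in GENERIC_ACCOUNTS:
            findings["generic_accounts"].append(user)
        for i, e in enumerate(evs):
            # Other successful logins for this user within the window, from a different address.
            others = {o["src"] for o in evs[i + 1:]
                      if o["ts"] - e["ts"] <= window and o["src"] != e["src"]}
            if others:
                findings["possible_shared"][user] = sorted({e["src"]} | others)
                break
    findings["generic_accounts"].sort()
    return findings


if __name__ == "__main__":
    print(review_logins(SAMPLE_LOG))
```

In the sample, `alice` is flagged because she succeeded from two addresses three minutes apart, while `bob` is not, since his two logins are hours apart; `admin` is reported because it is a generic account rather than a unique user ID. A real review would feed the previous day's authentication logs in place of the constructed sample.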

Agent-based file integrity monitoring software allows administrators to monitor risks in real time throughout the entire network, including on company-issued laptops and mobile devices. While PCI requires that critical files be scanned on a weekly basis, exceeding this requirement with real-time integrity monitoring tools can significantly reduce the impact of human risk.

Human behavior is likely to remain one of the most significant sources of information security threats in the enterprise. Innocent mistakes result from failures of education and awareness and from a lack of contextual knowledge about how to behave. By creating a comprehensive security policy and implementing the right technical safeguards in compliance with PCI requirements, organizations can significantly reduce their insider threats.

For more information on CimTrak, a best-of-class option for real-time agent-based file integrity monitoring to reduce insider threats in your organization, click here to launch your free trial, or download our solution brief to learn more today.

Get the free solution brief and get compliant with PCI DSS today.



Jacqueline von Ogden

Since 1999, Jacqueline has written for corporate communications, MarCom agencies, higher education, and worked within the pharmacy, steel and retail industries. Since joining the tech industry, she has found her "home".