Organizations tend to worry about security based on thoughts of Ninja Blackhats doing the technical equivalent of rappelling through the roof of Fort Knox and running off with several billion dollars’ worth of gold bullion. In technical terms, the Ninja Blackhat manages to bypass security and makes good their escape with the organization’s intellectual property and personally identifiable information.
However, it is far more likely for the average organization that the aggregate financial loss to them will be through the equivalent of lots of individuals losing their change down the back of the sofa. It is not the targeted, malicious attacks that matter but the drip, drip, drip of accidental information loss through emails being sent through to the wrong person, information accidentally escaping through social media outlets or loss of end-user devices where the problem lies. Unfortunately, these sorts of issues can often be traced back to the “One Born Every Minute” (OBEM) employee.
The issue is — how best to deal with this?
1) Educate: the new employee is coming in from a world where exchange of information at most levels is a given — amongst friends and even to unknown people. Organizations have a responsibility to educate their employees in issues that matter to everyone. Information loss is not just embarrassing — it impacts the performance of the organization, and could make it that the individual’s job is under pressure due to the poor performance of the company.
2) Centralize: BYOD is pretty much a given, now. To get around this, centralizing desktops to a server-based approach can be used to reduce the chance of company data ending up stored on personal devices. This also means trying to ensure that everything the employee needs is also centralized — use of enterprise equivalents of app-based software that is just as easy to use (for example, using Box instead of Dropbox). The desktop can then be run in a sandboxed environment, giving much greater levels of control.
3) “Open” access: employees will use social media no matter what you do. You cannot block them, so you have to embrace them. Let them use the tools — based on the general guidelines you will have provided them with in step 1.
But this is where the “OBEM” comes in. No matter how much education you do, you will come up against this type of employee. You know the sort — a bit ditzy, tends to flap around a bit having pressed “send” on the email when they shouldn’t have done, or spends the first half hour of the day worrying about “that” text they sent last night. Education isn’t too good with them — it tends to be in one ear, rattle around and drip out the other ear without much having been taken in. Therefore, we need the next step:
4) Information Management Technology: use data leak prevention (DLP) tools to be able to recognize when something is happening that shouldn’t be. Use hard blocks or advisory messages (the CEO tends to get upset if you directly block them from doing something — let them know, nicely, that what they are about to do is being logged), but stop whatever you can. Centralizing through server-based desktops with all the tools an employee could want gives you enough control over their day work to be able to mitigate the number of possible issues.
This then leaves the final step:
5) Nuclear deterrent: which is really about dealing with those who have managed to get through all the above. In most cases, this will no longer be “accidental” — we are in the world of “malicious” or “stupid” now. It has to be in the terms of employment and the contract of work that should someone share or otherwise divulge data from the organization that is valuable or could damage its reputation, it is a disciplinary matter that could result in termination of employment.
It is unfortunate that OBEM actually seems to be moving more towards OBES — one born every second. No single approach will help in dealing with the problems of information security: a blended approach including the five steps above is required.