Often the most vulnerable aspect of your enterprise is not your technology systems; instead, it is the weaknesses introduced by staff that are often the hardest to find yet the most harmful. Your staff might simply be unaware of what their security obligations are, or they might be complacent about security controls or internal procedures because they don’t see their worth. This lack of awareness or complacency can leave staff susceptible to social engineering, which clever fraudsters will leverage to further their own ends. Furthermore, there is one more group of internal workforce threat actors you’ll need to consider, although this is the group whose existence most management types don’t want to acknowledge: corrupt employees. These are the people who hold a grudge against your company, or who have some kind of personal vulnerability that can leave them open to attack. This kind of threat is categorized as the “insider threat.” That is the essence of what this chapter focuses on: how the security manager can integrate mitigation strategies into the information security management system to counteract some of these insider threats, while building a workforce culture that is aware of the threats and knows its obligations.
We’ve all seen how enterprises protect their network perimeters and information systems, using technology such as firewalls, content checkers, intrusion prevention systems, proxy servers and event management systems to detect, alert, and respond to attacks. Your end user computing platforms (workstations, laptops, and tablets) are protected with anti-malware software suites that are configured to audit and alert the security team when a threat or anomalous behavior is detected. Complementary technical controls, such as application whitelisting, will prevent users from running malware (either accidentally or maliciously) on your most vulnerable systems, while a sound approach to patching systems and applications will ensure that new vulnerabilities are not exploitable. You’ll more than likely have a good backup solution that allows you to recover systems that have been corrupted, while your corporate access control systems will ensure that users can only get to the information they need, delegating only the appropriate rights to administrators to prevent them from being your biggest threat. However, even with all of this technology and process-related security, one thing is certain: your people will be the attackers’ primary target. Humans really are the weakest link in every single reported incident; publicized breaches share some common component of user mistake, malicious intent, or a cavalier approach to corporate processes and procedures.
Unfortunately, every technical system, no matter how well you have designed its core security capabilities, is prone to exploitation if the people using it or managing it make mistakes. As an information security manager, you need to treat the workforce you are trying to secure as just another business asset that must be accounted for when you are building your protection mechanisms. People, like computer systems, have their own innate weaknesses (vulnerabilities) and are subject to threats and attacks just like anything else. However, there are a couple of added complications: unlike IT systems, people can make mistakes, and they can pretend to be on your side even when they are not.