This week it was reported by The Telegraph that GCHQ had warned firms that employees are the ‘weakest link in the security chain.’
To address the threat posed by employees, GCHQ advised firms to take all company smart devices and memory sticks out of employees' hands. The government spy agency also advised that staff should be allowed to connect only to trusted wi-fi networks, and that browsers should be kept up to date.
But how practical is this advice in the age of the mobile workforce? The industry experts CBR spoke to were unanimous in their appraisal, branding GCHQ's advice impractical and extreme. So what should enterprises actually do about the cyber threats posed by employees? CBR asked security experts for their take on GCHQ's advice and what organisations really should be doing to protect themselves.
1. "Weigh the risk of using the technology with the business benefit it offers."
Russell Miller, ex-ethical hacker & current director in the IAM business at CA Technologies, commented:
"Before banning any technology, smart organisations weigh the risk of using the technology with the business benefit it offers. The productivity and value smart phones offer a business may not justify banning them, especially when there are solutions and technologies to protect the data on them and their use.
"In fact, the threats from the inside haven't changed that much over the years. What has changed is an organisation's ability to manage that insider threat by controlling and monitoring user activity, access and what they can do with the information they touch."
2. "Everyone in the organisation must know what a hack looks like."
AVG Technologies’ Chief Technology Officer, Yuval Ben-Itzhak, said:
"The phrase ‘a bad workman always blames his tools’ is a well-known excuse in many circles. It’s no different in the security industry – as GCHQ have highlighted this week. The truth is, this is exactly right.
"When we look back over the biggest breaches organisations have had to deal with in recent years, it’s usually been the person behind the machine that has enabled the hackers to step in. Emails leading people to take a particular action exposing the network without them being aware is the first step in many of these hacks.
"Certain employees within an organisation have been identified as ‘easy targets’ for hackers – those most likely to unwittingly let a hacker into their mix. Surprisingly, these employees tend to be members of HR or finance departments, who tend to be less aware of ‘hacker tactics’ than the rest of the company.
"Assuming IT security is already in place and being monitored, the most important action for businesses to take is educating all their staff about the security risks facing their business. Everyone in the organisation must know what a hack looks like, what they should be looking out for and the consequences of what can happen when a business falls victim to hacking."
3. "IT professionals should look to consider security from a user perspective."
Terry Greer-King, director of cybersecurity at Cisco UKI told CBR:
"Securing networks and devices will only carry an organisation's defences so far; a crucial next step is to also take employees with you by building security into the very processes of a business.
"Increasingly an organisation’s own staff are unwitting players in cyber-attacks, either by a lack of awareness or sense of responsibility at the individual level. Recent research from Cisco has revealed that employee behaviour is perceived as the second greatest source of risk to data security – second only to cybercrime at 52 and 60 per cent respectively.
"With this in mind, IT professionals should look to consider security from a user perspective, both as a user and securing users rather than devices, while business leaders need to acknowledge that they work with ‘humans’. Through an educational approach they need to be made aware, adapt and learn new behaviours.
"Critically, security protocols must be developed with the user in mind. Thirteen percent of UK employees believe security protocols inhibit their ability to get their jobs done to the point where four per cent will even go so far as to actively circumvent their organisation’s security policies.
"By identifying different profiles of user behaviours, specific approaches in order to limit the risk posed can be developed without impinging on an employee's freedom to perform and provide the flexibility to work productively and as required. This can involve establishing more user-friendly policies which don't force employees to work around rigid tools that impede their workday."
4. "User education is also vital, especially around social engineering."
Eoin Hinchy, Director of Information Security at DocuSign, commented:
"There is little practical alternative for employers but to trust their employees. As a result, it's key for employers to realise that staff are often a weak link and ensure that appropriate controls are put in place to remediate any weaknesses.
"Businesses must ensure security mechanisms exist that provide a balance of usability and security. For example, where possible, implement one-time passwords to prevent the reuse of passwords or the dreaded post-it notes under keyboards.
"User education is also vital, especially around social engineering. Employees should know how to spot phishing emails and who to contact in their organisation if they notice suspicious activity. Every individual is a potential way into an organisation for cyber criminals so organisations must ensure that all employees are as security conscious as possible."
5. "Turn the weakest link into gatekeeper."
Andy Kemshall, Co-Founder and Technical Director at SecurEnvoy said:
"Whilst well intentioned, the advice issued by GCHQ for businesses to strip employees of company smart phones to protect themselves from cyber-attacks is both impractical and extreme. The belief that employees aren't capable of being trusted to keep their part of the security bargain is outdated, with the days of staffers having their password noted down on Post-it notes stuck to their monitors long gone. Most are now used to undertaking their banking, shopping and multiple daily social interactions online, so are well aware of the dangers of bad password management and endpoint security even if it's on a subconscious level.
"The industry catalyst to this movement has been the emergence of two-factor authentication (2FA), an extra layer of security that requires not only a username and password, but also something that only the user has on them (i.e. a physical token) to generate a one-time passcode.
"Staff are only the weakest link in the security chain if we allow them to be. If businesses empower their staff and give them the proper education they will find they will turn from the weakest link to a corporate gatekeeper."