Building Internal Security Compliance Through Behaviour Improvement

The biggest risk - authorised staff

Recent high-profile leaks from sources such as Edward Snowden, WikiLeaks, HSBC, and the New Zealand Police have increased the visibility of the security risk posed by authorised staff. This increased visibility is reinforced by the latest threat-landscape studies from the FBI, Carnegie Mellon University, Forrester and Lloyds Risk Register, which show authorised staff to be the leading source of data breaches, with some studies attributing over 70% of the risk faced by companies today to them. The threat primarily comes from the following user behaviours:

  1. Susceptibility to Social Engineering Attacks. Authorised staff are tricked into giving malicious outsiders access to information or to the IT system itself.
  2. Information Theft. Rogue staff steal information for fraud or to leak it to the press; for example, a procurement manager leaking tender specifications to his friend’s company.
  3. Accidental Leakages. Authorised users lose a laptop while travelling, or make mistakes such as sending a confidential email to the wrong recipients.

Currently available security software has failed to properly address the authorised staff risk. The general approach has been to install tools designed to prevent unauthorised access, such as anti-virus, firewalls, filtering/blocking, SIEM and DLP systems and disk-based encryption, but with little success. The fundamental reason this approach fails is that the use of sensitive information and IT systems by authorised staff is not a black-and-white issue. Security software products implementing this approach all share the same usability problems:

  • Security is sacrificed for productivity – Over-blocking of sensitive data and IT systems usually results in authorised staff complaining of lost productivity due to the restrictions. The end result is usually the removal of the blocking, and with it the security, for the sake of productivity.
  • Lack of data classification – You cannot protect what you do not know – Lack of data classification means that, although the information is being tracked, security personnel do not understand the importance and context of the information. The outcome is that security leaks are not detected even though they are happening in plain sight of the security personnel.
  • No decentralisation of security – New information cannot easily be protected – Security systems rely on a top-down, centralised, rule-based approach to enforcement, whereas real sensitive information is created daily by users in a highly-decentralised, unstructured manner. Centralised rules do not get updated fast enough to cover this ever-increasing amount of new information. The outcome is that security systems change from preventive systems to reactive systems, used only to discover how the leak occurred after the damage has been done.

The Solution: e-Safe Compliance – Minimising Security Risks by Modifying End-User Behaviour

e-Safe Compliance takes a fundamentally different approach from that used by existing security software in tackling the authorised staff risk. The approach is to modify end-user behaviour so that the users themselves keep information safe, and it is based on the following human behaviour improvement principles:

  • Educate and empower your users
  • Trust them to do the right thing
  • Verify their actions


e-Safe Compliance implements the above principles using a bottom-up (rather than top-down) approach: first educating the end-users, then providing them with the tools they need to protect sensitive information and, finally, auditing the use of the protected sensitive information.

The following sections detail how these behaviour improvement principles are applied in practice.

1. Educating through instruction and visual cues

e-Safe Compliance educates the users right from the time they log into the PC, through instructions and visual cues. Instructions provide guidance on how to protect sensitive information, while visual cues are present during the creation, use and transfer of sensitive information.
e-Safe Compliance has a built-in Rights Management module, through which sensitive files are encrypted using ‘Universal Encryption’ and restrictions are placed on the use of the information contained within the files. Universal Encryption has been specifically designed for authorised users and offers the following advantages:
  1. The encryption is easy to use as it is transparent and automatically applied. Authorised users do not need to enter any passwords or apply any certificate to access the documents.
  2. The encrypted document can only be accessed on PCs having e-Safe agent installed with the relevant permissions.
  3. Documents remain securely protected during any transfer process. As such, an organisation can allow the use of any transfer mechanism, such as Dropbox, Gdrive, syncing with phones, Skype, Gmail, etc.

Universal Encryption implements visual cues. Icon overlays of different colours are placed on top of files to represent different usage restrictions based on their sensitivity. For example, red-tagged documents are read-only, whereas amber-tagged documents are editable but only if a reason is provided. (These visual cues not only guide users as to the restrictions imposed, but also remind them that the information in the files is sensitive and needs to be handled with care.)


In addition to usage controls, e-Safe Compliance also applies access controls to files to prevent unauthorised access of the information within the organisation. If a file is inaccessible to a user, then a lock icon is shown on top of the file.

2. Trusting the user and seeking feedback

Traditional security systems either allow or block sensitive information. Restricting file usage prevents users from doing their job, while merely monitoring information usage leaves security staff reviewing a large number of incidents. e-Safe Compliance takes a third approach. It allows users to remove restrictions but requires them to provide a reason for doing so. When the user gives a reason, he knows this information is being monitored, so he makes a conscious decision about the use of the information and takes responsibility for it. The reasons provided are further used to better understand and classify the sensitive information.
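The allow / block / allow-with-reason decision described above, written out as a small policy function with an audit trail. This is an added illustration, not e-Safe Compliance code: the tag names (red, amber, green), the minimum reason length and the `Audit` record layout are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed mapping from sensitivity tag to the restriction it carries:
# red = read-only, amber = editable only when a reason is given, green = unrestricted.
POLICY = {"red": "read_only", "amber": "reason_required", "green": "open"}
MIN_REASON_CHARS = 10  # assumed threshold that rejects one-word justifications


@dataclass
class Decision:
    allowed: bool
    reason_logged: bool
    message: str


@dataclass
class Audit:
    """Append-only list of reason-gated overrides for later review by the information owner."""
    records: list = field(default_factory=list)


def request_action(audit, user, filename, tag, action, reason=None):
    """Decide whether `user` may perform `action` ("read", "edit", "email", ...) on a file.

    Reads are always permitted; anything else depends on the tag. For amber files the
    user decides, but must give a reason, which is recorded rather than silently blocked.
    """
    rule = POLICY.get(tag)
    if rule is None:
        # Unknown classification: fail closed rather than guess a restriction
        return Decision(False, False, f"unknown tag {tag!r}: denied by default")
    if action == "read" or rule == "open":
        return Decision(True, False, "allowed")
    if rule == "read_only":
        return Decision(False, False, f"{filename} is red-tagged: {action} is not permitted")
    # rule == "reason_required": accept only a substantive reason, then log it
    if not reason or len(reason.strip()) < MIN_REASON_CHARS:
        return Decision(False, False,
                        f"a reason of at least {MIN_REASON_CHARS} characters is required")
    audit.records.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "file": filename,
        "action": action,
        "reason": reason.strip(),
    })
    return Decision(True, True, "allowed; reason recorded for review")


def reasons_for(audit, filename):
    """Reasons given for a file, which the information owner can use to refine its classification."""
    return [r["reason"] for r in audit.records if r["file"] == filename]


if __name__ == "__main__":
    audit = Audit()
    print(request_action(audit, "alice", "salaries.xlsx", "red", "edit"))
    print(request_action(audit, "bob", "tender.docx", "amber", "email", reason="no"))
    print(request_action(audit, "bob", "tender.docx", "amber", "email",
                         reason="Sending tender v2 to legal for sign-off"))
    print(reasons_for(audit, "tender.docx"))
```

The point of the third branch is that the control never becomes a productivity wall: the user can proceed, but only by leaving a record that the file's owner will later see, and the accumulated reasons for a file become evidence for whether its tag is right.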

3. Decentralised information classification and monitoring

e-Safe Compliance’s bottom-up approach empowers and encourages the information owners (usually heads of department, but they could be any end-users responsible for creating or curating sensitive information) to classify, protect and monitor information usage themselves. This is made possible via e-Safe Compliance’s decentralisation of security management.
Information owners can apply Rights Management to files on their PC or within network/shared drives simply by right-clicking on the files/folders and selecting the sensitivity level of the files along with who can access the files. Files on other PCs and servers within the organisation can be protected using the e-Safe Compliance Information Tagging utility. This utility allows easy creation and testing of rules (through analysis of sample files where appropriate), which are then applied globally within the organisation.


Potential security leak incidents associated with the protected files and rules created by an information owner are verified by that information owner, as well as security personnel, using the e-Safe Information Security Workflow. As the information owners have a good understanding of the people using the information, the operational circumstances and what constitutes misuse of the information, they are able to identify serious misuse of information accurately. The involvement of the security personnel within the workflow keeps the information owners honest.

4. Centralised compliance and analysis

Within e-Safe Compliance, the role of the security personnel changes from being solely responsible for protecting against security breaches to one in which they assist information owners in applying security controls and verifying that the incidents are correctly audited. However, as security personnel are still responsible for compliance across the organisation, e-Safe Compliance offers extensive support facilities to central administrators, which include definition of rules, user profiles and groups, specification of monitoring and encryption policies, scanning and protecting different information stores, and compliance reporting. These facilities enable the security personnel to have complete visibility and control of where information is stored, along with the ability to monitor all forms of communication media such as emails, social media, cloud-based services, websites, chat applications, offline applications, etc.
One example of this centralised monitoring is e-Safe Compliance’s user behaviour analysis module, which detects users who are potential security risks before leaks occur. The system automatically builds a profile of each user’s normal activity and alerts security personnel to anomalies such as unusual transfers or consolidation of data, or unusual after-hours activity.
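The profiling-then-anomaly-detection idea in the paragraph above, as an added worked example rather than the product's own module. The audit events are constructed for the example; the three detectors (daily transfer volume, number of distinct files touched, activity at hours never seen in the baseline) and the sigma threshold are assumptions about how such a profile might be built, not a description of how e-Safe Compliance implements it.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample audit events: (user, ISO timestamp, action, file, bytes).
# Hand-written for this example; an endpoint agent would normally record them.
HISTORY = [
    ("alice", "2024-03-04T09:15:00", "copy", "q1-forecast.xlsx", 120_000),
    ("alice", "2024-03-04T11:40:00", "email", "q1-forecast.xlsx", 120_000),
    ("alice", "2024-03-05T10:05:00", "copy", "budget.docx", 80_000),
    ("alice", "2024-03-06T14:30:00", "email", "budget.docx", 80_000),
    ("alice", "2024-03-07T09:50:00", "copy", "q1-forecast.xlsx", 120_000),
    ("bob", "2024-03-04T08:30:00", "copy", "tender-spec.pdf", 500_000),
    ("bob", "2024-03-05T09:10:00", "copy", "tender-spec.pdf", 500_000),
    ("bob", "2024-03-06T16:45:00", "email", "tender-spec.pdf", 500_000),
    ("bob", "2024-03-07T10:00:00", "copy", "supplier-list.xlsx", 200_000),
]

# One new day of constructed events: alice behaves as usual, bob pulls many files
# together late at night, and carol has no history at all.
NEW_DAY = [
    ("alice", "2024-03-08T10:00:00", "copy", "budget.docx", 80_000),
    ("bob", "2024-03-08T23:10:00", "copy", "tender-spec.pdf", 500_000),
    ("bob", "2024-03-08T23:12:00", "copy", "supplier-list.xlsx", 200_000),
    ("bob", "2024-03-08T23:15:00", "copy", "board-minutes.docx", 300_000),
    ("bob", "2024-03-08T23:20:00", "copy", "hr-salaries.xlsx", 900_000),
    ("bob", "2024-03-08T23:25:00", "usb", "archive.zip", 1_900_000),
    ("carol", "2024-03-08T12:00:00", "copy", "notes.txt", 1_000),
]


def build_profiles(events):
    """Summarise each user's normal daily activity from historical events."""
    per_day = defaultdict(lambda: defaultdict(lambda: {"bytes": 0, "files": set()}))
    hours_seen = defaultdict(set)
    for user, ts, _action, fname, size in events:
        t = datetime.fromisoformat(ts)
        day = per_day[user][t.date()]
        day["bytes"] += size
        day["files"].add(fname)
        hours_seen[user].add(t.hour)
    profiles = {}
    for user, days in per_day.items():
        byte_totals = [d["bytes"] for d in days.values()]
        file_counts = [len(d["files"]) for d in days.values()]
        profiles[user] = {
            "bytes_mean": mean(byte_totals),
            "bytes_sd": pstdev(byte_totals),
            "files_mean": mean(file_counts),
            "files_sd": pstdev(file_counts),
            "hours": frozenset(hours_seen[user]),
        }
    return profiles


def detect_anomalies(profiles, events, sigma=3.0):
    """Return one alert per (user, day, kind) where new activity departs from the profile."""
    alerts = []
    daily = defaultdict(lambda: {"bytes": 0, "files": set(), "after_hours": []})
    for user, ts, action, fname, size in events:
        t = datetime.fromisoformat(ts)
        agg = daily[(user, t.date())]
        agg["bytes"] += size
        agg["files"].add(fname)
        prof = profiles.get(user)
        if prof is not None and t.hour not in prof["hours"]:
            agg["after_hours"].append(f"{ts} {action} {fname}")
    for (user, day), agg in daily.items():
        prof = profiles.get(user)
        if prof is None:
            # A user with no baseline cannot be scored; surface that rather than stay silent
            alerts.append({"user": user, "day": str(day), "kind": "no_baseline",
                           "detail": "no historical activity to compare against"})
            continue
        # Floor the spread so a perfectly regular history does not turn every change into an alert
        byte_limit = prof["bytes_mean"] + sigma * max(prof["bytes_sd"], 0.1 * prof["bytes_mean"])
        file_limit = prof["files_mean"] + sigma * max(prof["files_sd"], 1.0)
        if agg["bytes"] > byte_limit:
            alerts.append({"user": user, "day": str(day), "kind": "volume",
                           "detail": f"{agg['bytes']} bytes moved, limit {byte_limit:.0f}"})
        if len(agg["files"]) > file_limit:
            alerts.append({"user": user, "day": str(day), "kind": "consolidation",
                           "detail": f"{len(agg['files'])} distinct files touched, limit {file_limit:.0f}"})
        if agg["after_hours"]:
            alerts.append({"user": user, "day": str(day), "kind": "after_hours",
                           "detail": "; ".join(agg["after_hours"])})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(build_profiles(HISTORY), NEW_DAY):
        print(alert)
```

Run on the constructed data, the profile for bob (about 425 KB a day, one file a day, always between 08:00 and 17:00) produces volume, consolidation and after-hours alerts for the new day, alice produces none, and carol is flagged only as having no baseline. A real deployment would compute the baseline over weeks rather than four days and tune `sigma` per organisation, but the structure is the same: profile first, then compare.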

5. Continuous compliance through behaviour improvement

e-Safe Compliance’s bottom-up approach to security, implemented using behaviour improvement principles, enables organisations to tackle the authorised staff risk and ensures continuous compliance. The involvement of information owners ensures that security is intertwined with the working culture of the entire organisation. Furthermore, it gives security professionals the means to measure compliance levels and continuously improve security through the internal security improvement framework.
This framework provides a basis for gap analysis of data and information security in organisations. These analyses are conducted through centralised enforcement of security rules. On the basis of the results, awareness campaigns and training sessions are conducted to educate users. Over time, users will start protecting sensitive information at source in a decentralised manner, and those users who hold the role of Information Owner will start receiving reports for review on any potential incident of data or information leakage.

[Figure: Internal Security Improvement Framework]


We usually find at least 1 confirmed data leak per 100 users.

Discover how much of your data is at risk, for free, within just a couple of hours!