Building Internal Security Compliance Through Behaviour Improvement
The biggest risk - authorised staff
- Susceptibility to Social Engineering Attacks. Authorised staff tricked into providing malicious outsiders with access to information or the IT system itself.
- Information Theft. Rogue staff stealing information for fraud or to leak to the press, for example, a procurement manager leaking tender specifications to his friend’s company.
- Accidental Leakage. Authorised users losing a laptop while travelling, or making mistakes such as sending a confidential email to the wrong recipients.
Currently available security software has not adequately addressed the authorised-staff risk. The general approach has been to deploy tools built to keep outsiders out or to block data at the boundary, such as anti-virus, firewalls, filtering/blocking, SIEM and DLP systems and full-disk encryption, with little success against insiders. The fundamental reason this approach fails is that the use of sensitive information and IT systems by authorised staff is not a black-and-white issue. Security products implementing this approach share the same usability problems:
- Security is sacrificed for productivity – Over-blocking of sensitive data and IT systems usually leads authorised staff to complain that the restrictions stop them working. The usual end result is that the blocking, and with it the security, is removed for the sake of productivity.
- Lack of data classification – You cannot protect what you do not know. Without data classification, the information may well be tracked, but security personnel do not understand its importance or context. The outcome is that leaks go undetected even though they happen in plain sight of the security personnel.
- No decentralisation of security – New information cannot easily be protected. Security systems rely on a top-down, centralised, rule-based approach to enforcement, whereas real sensitive information is created daily by users in a highly decentralised, unstructured manner. Centralised rules are not updated fast enough to cover this ever-growing body of new information, so the systems degrade from preventive to reactive, used only to discover how a leak occurred after the damage has been done.
The Solution: e-Safe Compliance – Minimising Security Risks by Modifying End-User Behaviour
Educate and empower your users.
Trust them to do the right thing.
And verify their actions.
e-Safe Compliance implements these principles using a bottom-up (rather than top-down) approach: educating the end users first, then giving them the tools to protect sensitive information, and finally auditing how that sensitive information is used.
The following sections detail how these behaviour improvement principles are applied in practice.
1. Educating through instruction and visual cues
e-Safe Compliance has a built-in Rights Management module, through which sensitive files are encrypted using ‘Universal Encryption’ and restrictions are placed on the use of the information they contain. Universal Encryption has been designed specifically around the authorised-user risk and offers the following advantages:
- The encryption is easy to use because it is transparent and applied automatically. Authorised users do not need to enter passwords or handle certificates to open the documents.
- An encrypted document can only be opened on PCs that have the e-Safe agent installed and hold the relevant permissions.
- Documents remain protected during any transfer, so an organisation can allow any transfer mechanism, such as Dropbox, Gdrive, syncing with phones, Skype or Gmail. What is protected is the content of the document: the fact that a file was transferred remains visible, and the protection holds only as long as the decryption keys stay within the e-Safe agents.
Universal Encryption also provides visual cues. Icon overlays of different colours are placed on files to represent the usage restrictions that follow from their sensitivity. For example, red-tagged documents are read-only, whereas amber-tagged documents can be edited only if a reason is provided. The overlays guide users as to the restrictions imposed and also remind them that the information in the file is sensitive and must be handled with care.
In addition to usage controls, e-Safe Compliance applies access controls to files to prevent unauthorised access to the information within the organisation. If a file is inaccessible to a user, a lock icon is shown on top of the file.
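The two layers described above (an access control that decides who may open a file at all, and a usage control driven by the sensitivity tag that decides what an authorised user may do) can be modelled as a single decision function. The following Python is an added illustration, not e-Safe Compliance code: the tag names, the permitted-operation table, the rule that only amber edits need a reason and the audit record layout are assumptions made for the example. One design choice worth noting is that an unknown or missing tag permits nothing, so a file whose tag is lost is never silently treated as unrestricted.

```python
from dataclasses import dataclass, field

# Assumed mapping of overlay colour to permitted operations, following the
# text: red = read-only, amber = editable only with a reason, green = unrestricted.
# A tag missing from this table permits nothing (fail closed).
PERMITTED = {
    "red": {"read"},
    "amber": {"read", "edit"},
    "green": {"read", "edit", "copy"},
}
# Assumption: which (tag, action) pairs require the user to state a reason.
REASON_REQUIRED = {("amber", "edit")}


@dataclass(frozen=True)
class ProtectedFile:
    path: str
    tag: str
    owner: str
    readers: frozenset  # users the information owner granted access to


@dataclass
class Decision:
    allowed: bool
    overlay: str                       # icon the agent would show: "lock" or the tag colour
    audit: dict = field(default_factory=dict)


def check(f: ProtectedFile, user: str, action: str, reason: str = "") -> Decision:
    """Access control first (lock overlay when denied), then usage control by tag."""
    record = {"user": user, "file": f.path, "tag": f.tag, "action": action}
    # Layer 1: who may open the file at all. Denied users only ever see a lock.
    if user != f.owner and user not in f.readers:
        return Decision(False, "lock", {**record, "result": "no-access"})
    # Layer 2: what an authorised user may do, decided by the sensitivity tag.
    if action not in PERMITTED.get(f.tag, set()):
        return Decision(False, f.tag, {**record, "result": "blocked-by-tag"})
    # Conditional operations: allowed, but only with a reason that goes to the audit trail.
    if (f.tag, action) in REASON_REQUIRED:
        if not reason.strip():
            return Decision(False, f.tag, {**record, "result": "reason-required"})
        record["reason"] = reason.strip()
    return Decision(True, f.tag, {**record, "result": "allowed"})


# Constructed sample files for the example (not real data).
TENDER = ProtectedFile("tender_spec.pdf", "red", owner="alice", readers=frozenset({"bob"}))
BUDGET = ProtectedFile("budget.xlsx", "amber", owner="alice", readers=frozenset({"bob"}))

if __name__ == "__main__":
    for args in [(TENDER, "bob", "read"), (TENDER, "bob", "edit"), (TENDER, "mallory", "read"),
                 (BUDGET, "bob", "edit"), (BUDGET, "bob", "edit", "Q2 reforecast")]:
        print(check(*args).audit)
```

Every call returns an audit record, including the denied ones; that is what lets the information owner and security personnel later review not only successful edits with their stated reasons but also the attempts that were blocked.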
2. Trusting the user and seeking feedback
3. Decentralised information classification and monitoring
Information owners can apply Rights Management to files on their PC or within network/shared drives simply by right-clicking the files or folders and selecting the sensitivity level along with who can access them. Files on other PCs and servers within the organisation can be protected using the e-Safe Compliance Information Tagging utility, which allows rules to be created and tested easily (by analysis of sample files where appropriate) before they are applied globally within the organisation.
Potential leak incidents involving the files and rules created by an information owner are verified by that owner, as well as by security personnel, using the e-Safe Information Security Workflow. Because information owners understand who uses the information, the operational circumstances and what constitutes misuse, they are able to identify serious misuse accurately; the involvement of security personnel in the workflow keeps the information owners honest.
4. Centralised compliance and analysis
One example of this centralised monitoring is e-Safe Compliance’s user behaviour analysis module, which identifies users who are potential security risks before a leak occurs. The system automatically builds a profile of each user’s normal activity and alerts security personnel to anomalies such as unusual transfers or consolidation of data, or unusual after-hours activity.
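The baselining described above can be made concrete with a small detector run over transfer events. The Python below is an added example and not the e-Safe Compliance module: the event format, the per-user baseline (the user's own first and last working hour, and a limit on daily volume and on the number of distinct files touched), the three-sigma threshold with a 10% floor on the spread, the five-day minimum history and the sample events are all assumptions constructed for the illustration. The point it shows that the paragraph does not is that "after hours" and "unusual volume" are relative to each user's own history, so the same 21:00 transfer is an anomaly for a day-shift user and routine for an evening-shift user.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

MIN_DAYS = 5      # assumption: fewer days of history than this gives no usable baseline
SIGMA = 3.0       # assumption: alert when a day exceeds mean + 3 standard deviations
SD_FLOOR = 0.10   # assumption: never let the spread fall below 10% of the mean


@dataclass(frozen=True)
class Event:
    user: str
    ts: datetime
    path: str
    bytes_out: int


@dataclass(frozen=True)
class Baseline:
    first_hour: int        # earliest hour seen in the user's history
    last_hour: int         # latest hour seen in the user's history
    volume_limit: float    # bytes per day above which a day is unusual
    files_limit: float     # distinct files per day above which a day looks like consolidation


def _limit(values):
    m = mean(values)
    return m + SIGMA * max(pstdev(values), SD_FLOOR * m)


def build_baselines(history):
    """Profile each user's normal day from past events: hours, daily volume, files touched."""
    by_user_day = defaultdict(lambda: defaultdict(list))
    for e in history:
        by_user_day[e.user][e.ts.date()].append(e)
    baselines = {}
    for user, days in by_user_day.items():
        if len(days) < MIN_DAYS:
            continue
        hours = [e.ts.hour for evs in days.values() for e in evs]
        volumes = [sum(e.bytes_out for e in evs) for evs in days.values()]
        files = [len({e.path for e in evs}) for evs in days.values()]
        baselines[user] = Baseline(min(hours), max(hours), _limit(volumes), _limit(files))
    return baselines


def detect(baselines, day_events):
    """Return the alert names raised by one user's events on one day."""
    if not day_events:
        return []
    b = baselines.get(day_events[0].user)
    if b is None:
        return ["no-baseline"]   # a new or rarely seen user cannot be judged against a norm
    alerts = []
    if any(e.ts.hour < b.first_hour or e.ts.hour > b.last_hour for e in day_events):
        alerts.append("after-hours")
    if sum(e.bytes_out for e in day_events) > b.volume_limit:
        alerts.append("unusual-volume")
    if len({e.path for e in day_events}) > b.files_limit:
        alerts.append("consolidation")
    return alerts


# Constructed sample history (not real data): alice works 09:00-16:00, bob 14:00-22:00.
def _day(user, day, items):
    return [Event(user, datetime(2024, 3, day, h, 0), p, n) for h, p, n in items]

ALICE_DAY = [(9, "report.docx", 1_000_000), (11, "budget.xlsx", 2_000_000),
             (14, "tender_spec.pdf", 1_500_000), (16, "minutes.docx", 500_000)]
BOB_DAY = [(14, "rota.xlsx", 2_000_000), (17, "incident.log", 2_000_000),
           (20, "handover.docx", 2_000_000), (22, "shift.pdf", 2_000_000)]

HISTORY = []
for d in range(1, 11):
    extra = [(15, "notes.txt", 200_000 * (d % 3))] if d % 3 else []   # small day-to-day variation
    HISTORY += _day("alice", d, ALICE_DAY + extra)
    HISTORY += _day("bob", d, BOB_DAY)

BASELINES = build_baselines(HISTORY)

if __name__ == "__main__":
    exfil = _day("alice", 11, [(21, f"archive{i}.zip", 1_500_000) for i in range(8)])
    print("alice, 8 files at 21:00:", detect(BASELINES, exfil))
    print("bob, 1 file at 21:00:   ", detect(BASELINES, _day("bob", 11, [(21, "rota.xlsx", 2_000_000)])))
```

The thresholds are deliberately per user: a fixed organisation-wide cut-off would either drown the evening shift in false alerts or miss a day-shift user quietly gathering eight files at night.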
5. Continuous compliance through behaviour improvement
This framework provides a basis for gap analysis of data and information security in an organisation. The analysis is driven by centralised enforcement of security rules; on the basis of its results, awareness campaigns and training are run to educate users. Over time, users begin protecting sensitive information at source in a decentralised manner, and those users who act as information owners start receiving reports for review on any potential data or information leak incident.
INTERNAL SECURITY IMPROVEMENT FRAMEWORK