Security breaches expose millions of consumers to identity theft every year, making this a particularly rampant form of IT-related failure. A new study pinpoints human error as the primary cause and offers recommendations for creating and enforcing usable policies.
A research report sponsored by security solution provider, Clavister, affirms the view that workers cause most security problems by ignoring established policies:
86% of all IT directors polled believed that the most likely cause of an IT security issue came from their own employees. The reasons for this were down to staff ignoring, not being made aware of or not being sufficiently trained on security policies, as well as making mistakes or committing industrial espionage.
Clavister recommends the following advice for making sure you write clear security policies, implement them consistently, and then conduct rigorous follow-up monitoring:
Design the policy so that it's easy to read and understand. Do not make it too complicated and technical. Use examples demonstrating each point.
Educate the users about the policy. It is absolutely key that they understand why rules are needed and what it means to them both personally and in their job.
Enforce consequences. Users who do not comply to the policy must face consequences.
Make it easy to do the right thing. Do not just make a web policy which states that something is forbidden; implement a content filtering gateway, for example, which makes it impossible to do the wrong things.
Dictate a hierarchy of access permissions. Grant users access only to what is necessary for the completion of their work.
Monitor & improve. Monitor the policy compliance using both security information and event management systems as well as manual spot checks. Don't be afraid to update your policy, it's a living document. If users don't understand, give more examples. If it's difficult to comply, find new support technologies, they are there to help you.
My take. The survey offers a great reminder on an important topic, but doesn't break substantial new ground. For example, I previously wrote about two 2007 studies examining the relationship between human error and security breaches:
Based on these reports, it’s clear the vast majority of data breaches are caused by human error: data custodians inadvertently leaving files exposed to search engines, or else losing storage media (and laptops) containing secure data.
It’s tempting to believe that security data breaches result from the hands of evil hackers, secretly using advanced techniques to pry into sensitive and well-guarded computers. Unfortunately, the reality is that most breaches are caused by plain old carelessness.
Although these lessons aren't new they do remain important. The proliferation of online technology magnifies the impact of security mistakes, where errors can hurt literally millions of innocent victims. That's sufficient reason to take this issue seriously.