Forensics and eDiscovery company CY4OR has a timely article on its blog reminding us that a company’s employees are often the weak spot in its security systems. The article, Employees are the largest risk to an organisation’s IT security, refers to recent reports by PwC and Verizon and to the government’s Cyber Security Strategy.
Recent press articles have given the impression that the focus of this strategy is protection for the Olympic Games from both fraud and terrorism. That makes a good headline, but the Cyber Security Strategy has deeper purposes than the protection of a single event, not least because civil servants seem more adept than others at mislaying data.
As with electronic discovery and other data-related matters, the services available from companies like CY4OR include both reactive and, more usefully, proactive advice. The reactive side includes, for example, the prompt examination of a laptop which went missing briefly from a financial institution, a loss which would have triggered major notification and reporting implications if CY4OR had not been able to confirm very quickly that the laptop had not been used whilst AWOL – I wrote about that here. Such one-off exercises come in addition to the more usual eDisclosure reactions where potentially disclosable data must be collected from a range of sources and devices; CY4OR does this as well through its partnerships with Clearwell and Nuix – see their eDisclosure site here.
The CY4OR article is more concerned with anticipation and prevention of IT security issues with vulnerability assessments and penetration testing. That, as the article implies, goes beyond mere technology and into the assessment and management of risk, compliance with policies or regulatory requirements, and security audits.
In many ways, the human element is harder to manage than the IT infrastructure and processes. Companies are learning to watch out for the employee who never takes long holidays for fear that wrongdoing will be discovered in his or her absence, for example. Some employees have motives which appear obvious only in retrospect – an expensive lifestyle to maintain, debts to pay or a grudge against the company. It is not necessarily easy to restrict the scope for misfeasance without implying mistrust of the entire workforce.
It is easy, too, to lose sight of more mundane risks whilst focusing on the next generation of cyber criminals. I recall an article from the early days of office computers which described a demonstration of the technology defences then available. Whilst all eyes were on the boxes, wires and screens in the meeting room, the security company’s boss quietly lifted papers from the managing director’s filing cabinet. The MD was not particularly pleased at first, but recognised that there were basic precautions to take as well as the more sophisticated ones.
The story illustrates the range of skills and ideas which can be brought to bear on a company’s security risks by those who have seen it all before. One of the reasons why it can be sensible to employ a forensic expert to collect clients’ data is that you can expect them to do more than merely plug their data capture devices into the network. A more rounded approach comes with the vulnerability assessments to which CY4OR refers.