Any good insider threat management program focuses on people, process and technology — in that order. That’s why it’s critical to have a system in place to coach employees regularly on how to avoid the simple mistakes that could turn into insider threat incidents. We kicked off our “Coachable Moments” blog series two weeks ago with a piece on cloud storage and remote work, bringing you tips on in-the-moment training for employees.
This week, we’re covering application installs and updates, so your cybersecurity team can ensure that the organization’s software is installed and updated properly — and perhaps more importantly, by the right people. Considering that the average number of credential theft-based insider threat incidents more than doubled in the past two years, it may be high time for a refresher on application security best practices.
Who’s Installing Your Applications?
Analyst firm Gartner predicts that by 2020, one-third of all successful cybersecurity attacks will occur via shadow IT resources. With employees driving the selection of more and more business software applications, a lot of responsibility gets distributed across the organization to individuals who may not have the same general awareness of security protocol as a cybersecurity or IT team member may have.
It may be time to ask, “Who’s installing our organization’s applications, and do they know how to do it properly?” One coachable moment may be to host a “Before You Install” training for new employees, or at regular intervals as a refresher for existing employees. In this session, the cybersecurity team can review the following:
- In-Policy Applications: Detail for employees which technologies are allowed or not allowed at the organization, giving the necessary context and rationale behind these decisions. Allow employees to ask questions about the policy, or ask about the use of specific applications they believe they may need to do their jobs effectively.
- Trusted Applications: Some applications downloaded from the internet may pose a security risk to the organization, giving hackers a front door into corporate systems, and making employees accidental insider threats. Give employees a primer about secure application installation processes.
- Permissions and Proper Use: Many teams limit permissions as to who can install applications, but is it possible that your employees may find these policies limiting, and as a result find workarounds? If you see this trend regularly happening at your organization, find out why. You can also use this time as an opportunity to discuss the policy for information-sharing with outside contractors and other third parties. Again, allow for questions or feedback if the policy seems too restrictive, or if employees’ needs have changed. For some audiences, a session on privileged access management processes and the specific permissions they have within the organization may be a more effective use of time.
- Security Best-Practices: Even though employees may think they have a handle on passwords, research shows that time and time again, password best-practices leave much to be desired. More than half of people admitted to reusing passwords, according to a recent Virginia Tech study. Rather than leave it up to chance, train employees on how to use a single sign-on technology or password manager to prevent user errors that may lead to a credential theft-based insider threat. In addition, require that all user applications are set up with two-factor or multi-factor authentication, to lower the organization’s overall risk of a security incident.
Guilty of Skipping That Update? Try This
If employees at your organization skip application, browser, or operating system updates, it may be time for another coachable moment. According to Bitsight’s research, thousands of companies are running at least 50 percent of their computers with outdated internet browsers, and more than 50 percent of computers are running without updated operating systems. The lack of such critical updates could pose a major security risk for companies, as evidenced by the widespread Wannacry ransomware attack of 2017. In addition, if applications themselves aren’t updated, the organization could be at risk for various types of cybersecurity attacks.
In cases where the onus is on the employee to perform these updates, it’s important to coach them on the importance of updating both regularly and properly to avoid posing an unnecessary risk to the organization. For example, in all instances where critical security patches are offered as a part of an update, employees should install these updates immediately.
On a related note, when discussing updates, reinforce with employees that update messages claiming to be from application providers asking for personal information, such as usernames or passwords, could be phishing attacks focused on credential theft. If a message ever looks questionable, welcome employees to forward it to the cybersecurity team to review its legitimacy.
It’s About the User, Not the Technology
In conclusion, teaching employees how to properly install and update applications can prevent business software from becoming an unnecessary entryway for attackers. In addition to these regular, proactive coaching sessions, having a user activity-based insider threat management system can allow cybersecurity teams to monitor for suspicious use of applications, preventing unwanted insider threat incidents from occurring.
Stay tuned for the next Coachable Moments post in a few weeks, and let us know what you think on Twitter @ObserveIT!