Combating Your Company’s Insider Risk

by Ajit Sancheti
December 11, 2017
in Featured, Risk

Regulation Changes are Cause for an Overhaul

New data privacy and cybersecurity regulations, including the NY DFS and the EU GDPR, are causing companies to tighten up on their controls and map their security programs to match the requirements in order to avoid punitive corrective actions and steep fines for violations. To be effective, controls and security solutions must account for the human factor.

It’s a bitter pill to swallow. Given the virulence and ingenuity of headline-grabbing cyber attacks and cybercrime syndicates, it’s hard to internalize the fact that the biggest threat to enterprise data and systems is the everyday employee. This should be alarming to any company that relies on maintaining a trusting relationship with vendors, partners, shareholders and customers while staying out of the crosshairs of regulators.

Every CISO and risk management executive fears that their company will be the next one to capture the headlines because of a breach. Data breaches are costly — incident response and recovery, crisis communications, legal issues, loss of reputation (for employees and the company), customer attrition and damage to stock price are just the beginning. New data privacy and cybersecurity regulations are causing companies to tighten up on their controls and re-map their current security programs to match the new requirements. To be effective, controls and security solutions must account for the human factor.

Human behavior is the trickiest risk factor to predict, manage and defend against. Even after several years of high-profile breaches, security training and anti-phishing campaigns, end users persist in using weak and compromised passwords, clicking on suspicious links, sharing accounts and using insecure apps and websites. Putting too many restrictions on end users and employees leads to loss of productivity and frustration — which in turn leads to risky workarounds. Organizations also need to account for employee curiosity, which can lead employees to try to access things they shouldn’t.

To address the human factor, many companies turn to user and entity behavior analytics (UEBA) solutions. While these solutions can be fantastic at providing greater intelligence on user behavior, they can produce far too many alerts and false positives, further burdening overstressed security teams. We need a smarter approach, and the first step is to better understand the risks that insiders pose to enterprise security.

The results of a recent survey commissioned by Preempt highlight how businesses are exposed by employees with poor security habits and too much access to sensitive resources. Even those employees who identify themselves as responsible users are introducing risk without realizing it. For instance:

  • More than 90 percent of all employees have weak password update practices.
  • Nearly 80 percent don’t know or aren’t sure if their username and password have been exposed in a breach.

It isn’t surprising that employees have terrible password habits, but the prevalence of this problem is disconcerting. It’s a red flag that should compel security teams to look more closely at the true depth, breadth, and nature of insider risk.

Bending the Rules is All Too Common

Survey results showed that one-third of employees have bent the rules or figured out a security workaround in order to accomplish a work task. While they may not be acting maliciously, these users are essentially internal hackers poking holes in your systems so they can get their work done faster. Proper security controls should not be so easy to circumvent, and such violations should not go unnoticed.

Curiosity is a Risky Motivator

This may be the scariest finding. One out of four employees admits to trying to snoop by accessing data at work that they were not supposed to see or did not have privileges to access. Out of the 25 percent who admitted to snooping around, more than half were successful at getting their hands on the restricted data. This could be anything from sensitive HR files and salary information to intellectual property and confidential negotiations. It doesn’t take much imagination to see how this kind of data in the wrong hands can lead to costly and damaging exposure.

Bad Habits are the Rule, Not the Exception

As we already mentioned, nearly all employees use weak passwords and fail to check if they have been compromised in a breach. Any credentials, personal or business, that have been exposed in a public breach put the enterprise at risk (and thanks to Equifax, Yahoo!, and other massive breaches, almost all of us have been affected at some point). It is clear that employees don’t understand how this works; of those who were aware of being compromised, 68 percent only changed their password on the site or app where it was breached; only 37 percent changed that password everywhere they had used it. Moreover, 25 percent of respondents confirmed that in their workplace, multiple employees shared the same account (and password). This bad habit makes it impossible to keep the password secure, makes updating difficult, confuses behavioral analyses and muddles investigations in the event of an incident.

Given the fact that 40 percent of those surveyed confessed to using the same passwords for both work and personal accounts, the widespread lack of awareness about credential compromise and the importance of regular password updates represents a huge vulnerability. Compromised passwords are listed in databases that hackers leverage to execute all kinds of malicious exploits. Of course, illicit databases aren’t the only place to find passwords — 45 percent of those surveyed admit to writing their password down. All too often, sensitive account information ends up on a sticky note in plain view.

Mismatch Between Practice and Perception

Humans operate with a lot of biases, one of which is our tendency to think we are better at following the rules than we really are. Less than 10 percent of respondents rated their personal IT security health and awareness as below average (bottom 25 percent), while a full 40 percent ranked themselves in the top quartile. In light of the actual practices measured in the survey, most of those claiming above-average cyber hygiene are overconfident, oblivious or uninformed. This is perhaps the most unsettling finding, and the hardest one to address. When employees don’t understand that their behaviors and routines are putting themselves and their company at risk, there is no reason to think they will change. It also does not bode well for efforts to reduce phishing attacks through training. Employees who are not reliably mindful about security risks will fall into socially engineered traps without realizing it.

How Do You Get a Handle on Human Nature?

Human nature is a force to be reckoned with — from greed to revenge and curiosity to carelessness — and awareness training is a paltry response. In a digitally transformed environment where the network perimeter is porous, identity and behavior should drive access decisions. Binary restrictions (blacklisted or whitelisted, allowed or blocked) aren’t adaptive enough to enable efficient operations and address situational risk. Continuous risk assessments based on identity and behavior allow for more accurate detection of anomalies. Automated, real-time responses to those anomalies mitigate risk by enforcing multi-factor authentication, verifying identity through challenges and sending meaningful alerts.

Specific capabilities like analyzing the quality of passwords, adding Multi-Factor Authentication to any application, and identifying accounts with stealthy admin (also known as shadow admin) privileges can proactively reduce insider risk while allowing users to get their jobs done. Behavior-based solutions that build contextual intelligence over time and integrate with other security solutions empower security teams to enforce policy, fine-tune access controls and defend against threats from multiple angles.

Everyone needs to work smarter and more securely, but we all know it’s not a matter of asking nicely. Strengthening your enterprise security from the inside out without slowing down operations or frustrating your end users is imperative. As the scale of cyber assets and attacks continues to grow, doing it with intelligent, context-sensitive, automated tools is the only sustainable approach. These efforts will go a long way toward protecting your most valuable assets, including your data, your reputation and your trust-based relationships.

Ajit Sancheti is CEO and Co-Founder of Prēempt, pioneer of the industry’s first Behavioral Firewall that helps enterprises preempt malicious breaches and insider threats in real-time. He has over 20 years of experience in IT security and executive leadership. https://www.linkedin.com/in/ajitsancheti/ @ajitsancheti
