This is a continuation from my previous blog, so if you haven’t read it yet, go here first. It’ll only take a few minutes. I’ll wait…
Now that you are up to speed, you know that tackling user risk starts with understanding the security-related behaviors of each authorized individual in your organization. For regular people, we call these clicks. But there are good clicks and bad clicks. Again, I am going to exclude users with actual criminal intent, and focus on the unintentional, uninformed and careless users who simply make bad choices or have a poor relationship with rules, but are mostly just trying to get their work done.
Good clicks are what employees and partners do all day long to get their work done. They click to go to websites, open emails, and access internal apps and assets. These are all essential to productivity and must be allowed. But it is easier than you might think for some bad clicks to start creeping in.
The most benign form of bad clicks are when users are still trying to get their work done, but think they could be more productive if they just work around the systems in place – just a little bit. Maybe it will be easier to access that document if I move it over into my Dropbox account, or forward it to my personal email. Good intentions can often go awry when users try to make their jobs easier, inadvertently allowing sensitive information into less secure and uncontrolled systems.
Then there are those whose work life and personal life mix just a little too much. When I’m “at work”, my mindset may be more aligned with the company’s standards of behavior – not so much when at home. This happens constantly these days, even more since everyone was sent to work at home and the boundaries between work time and personal time have become very blurry. Whether checking emails on a personal computer (or phone) or engaging in some extracurricular activities on the ol’ work laptop, it’s more common than we’d like to admit for employees to browse to questionable sites and get tripped up over more bad clicks.
Next level of bad clicks are when our users help the bad guys out by clicking on phishing links, or accepting a download they shouldn’t. These mistakes are also exacerbated in the new blended world of work-at-home. Now it’s not just a chance of sensitive information possibly being exposed – it is literally someone trying to gain access for no good purpose. One slip-up here could cost your company millions, and perhaps damage a good reputation.
You cannot understand the risk profile of your company without understanding the nature of the clicks your users are making. These actions are perhaps the biggest variable, and super critical to determining risk scores, either for the individuals or for the company in aggregate. But there are a couple other factors that are critical to consider.
We have to consider the level of access a user has. A frontline worker with limited access to anything super valuable, will find it relatively difficult to do damage, even if they were trying to hurt the company. On the other hand, someone in finance or engineering often has privileged access to assets that could do some serious harm in the wrong hands.
This ‘blast radius’ measurement is critical to consider when determining the risk introduced by any individual. Someone with high level access is going to rate a very high score for some bad clicks that might be considered pretty harmless for someone with lower level access.
This is also critical to consider in a continuous manner. People occasionally change roles and their access factor might change. This change must be recognized when it happens so the risk scoring algorithm can take that into account and make the score adjustment without much delay.
The final Factor is a measurement of how often, and in what ways, an individual is attacked. Surprisingly, almost half of users might go a year without seeing a phishing attack. Not surprisingly, there are a few people who seem to get hit constantly.
This factor must be taken into account, even for the most security conscious users who never go to bad websites and report every phishing attack that comes along. With a high enough level of incoming attacks, even the best of us is likely to miss one and fall into the trap.
Now You Can Measure Your Risk
As the saying goes, “You can only manage what you can measure.” These three factors are the critical inputs to determine just how much risk each user contributes to your organization, and being able to quantify allows you to apply resources where they will have the biggest impact. Imagine applying safeguards to the top 10 riskiest people in your org every week. In a few months, the aggregate risk for your company will be down significantly.
Elevate Security has developed a proprietary platform to collect and analyze all of the input representing the above factors. With this information, security organizations can make much smarter decisions about where to apply resources, targeting the highest risk individuals, without killing productivity. Stay tuned for the next installment where we’ll focus on which users you really need to worry about.
Cyentia’s new report, The Size and Shape of Workforce Risk, in partnership with Elevate Security, will help you to start making sense of the user risk landscape in your organization and begin measuring your true risk profile. Download the Full Report