Five Cyber Security Resolutions to Keep in 2015
Ah, here we are in a fresh, new year. Too bad the problems of 2014 weren’t wiped away with the flip of a new calendar page! This year, make some cyber security resolutions on top of those promises to nix carbs, hit the treadmill, and cut back on Clash of Clans. Let’s count down five relatively simple changes that can help bulk up your security posture during 2015 and beyond:
#5: Identify Clear Parameters for Mobile Devices
In an October 2014 Dimensional Research study sponsored by Check Point, 75% of the 706 IT and security professionals surveyed stated that personal devices connect to their corporate networks, and 72% said that the number of personal mobile devices connecting to those networks has more than doubled in the past two years. A whopping 95% said that BYOD brings security challenges. Yet only 56% are managing business data on employee-owned devices. And according to the Trustwave 2014 State of Risk Report, 38% of businesses do not have technical controls in place for secure BYOD use, and 33% have no BYOD security policies in place at all.
The red flags with BYOD are many, but mobile security issues aren’t limited to these types of devices. After all, unless you’re checking out phones and tablets in the morning and checking them back in at the end of the day, there’s a limit to the amount of control you have over what’s happening on and to mobile devices that connect to your networks, store your data, and house the contacts of important people inside and outside your organization. If you aren’t being explicit about the applications and connections you believe are appropriate for devices that contain or connect to your data, you can’t expect your employees to make safe choices.
#4: Accept the Reality of the Insider Threat
We’ve mentioned it before, and it’s time to face it: the insider threat is real. Pretending otherwise is inviting disaster, as a number of studies have shown:
- IBM Security Services 2014 Cyber Security Intelligence Index – In over 95% of all incidents investigated, ‘human error’ was recognized as a contributing factor. Outsiders instigated 56% of all investigated security incidents in 2013 — which means that insiders (whether inadvertent or malicious actors) likely had a hand in 44% of incidents.
- 2014 U.S. State of Cybercrime Security – Of survey respondents who identified security incidents, 28% pointed the finger at insiders, and 32% of respondents said insider crimes are more costly or damaging than incidents perpetrated by outsiders.
- The Global State of Information Security Survey 2015 – Survey respondents most frequently cited insiders as the culprits of cybercrime. With regard to insider security incidents, 35% pointed the finger at current employees; other identified sources included former employees (30%) and current service providers/consultants/contractors (18%).
- Impact of Mobile Devices on Information Security (October 2014) – A staggering 92% of surveyed IT and security professionals said that employee behaviors could have made a difference in preventing recent high-profile breaches of consumer data. More than 60% said employee carelessness was likely to have contributed to or caused the breaches.
#3: Ask Employees to Regularly Review and Acknowledge Security Policies
According to Trustwave’s 2014 State of Risk Report, 24% of organizations never have their employees read and sign an information security policy document. If you are in this group, now is the time to put into clear, no-nonsense writing the security policies you expect your employees to follow. A big part of this is giving your employees a no-fear path for reporting suspected incidents — something that 20% of those surveyed by Trustwave do not do. You can’t expect individuals to “know better” if they don’t know what better is.
#2: Recognize That Physical Security Is Also Cyber Security
What does a secure side entrance left ajar have to do with data security? How could a shared ID badge impact the integrity of your network? Take a moment to think about these scenarios and extrapolate the consequences, and you’ll soon see that lapses in physical security can quickly lead to unauthorized access to secure areas, systems, and data.
According to the aforementioned Trustwave survey, only 64% of organizations have a full set of “appropriate physical access controls,” which includes items such as receptionists, card swipes, and visitor logs. Of the remainder, 31% have only a partial set of controls in place while 5% use no physical access controls at all. Being too free with access to your people, places, and things can have serious consequences on multiple fronts. If you have no barriers or only partial barriers to access in place, make 2015 the year you get serious about physical security.
#1: Train Your Employees
Look back over the list of resolutions. Now realize this: a comprehensive, effective cyber security training program can help you implement these key initiatives; encourage positive changes in employee behaviors; and shore up your security posture in the weeks, months, and years ahead.
Again, no need to simply take our word for it; the reports and surveys noted in this post all have sections that highlight and reinforce the importance of employee education and awareness. Plus, it can be terrific for your bottom line. As stated in the 2014 U.S. State of Cybercrime Security report, “Untrained employees drain revenue.” And as we’ve noted before, 76% less is spent on security events when employees are trained.
So as you plan ahead, make training your top cyber security promise for 2015. It will help make your other security resolutions that much easier to keep.
We resolve to help you defend against security breaches in your organization. See why Wombat Security was named a Leader in the Gartner Magic Quadrant for Security Awareness Computer-Based Training Vendors.