IT professionals are fighting to secure information, appropriate access and confidentiality. But creating a culture of safe IT practices is not going to be enough. Addressing user security must be given the same importance as your endpoint protection, firewalls, and email gateway.
Start with the basics
Organizations must first address the human aspects of security by providing effective ongoing training and ensuring robust security procedures are in place. Create a security policy, share it with everyone in the company, and include the penalties for poor security practice that will be enforced.
Our research into healthcare compliance, however, showed that 39% of healthcare workers did not receive security training upon joining and 55% of healthcare organizations did not even have a documented IT security policy. These naïve and irresponsible approaches to securing sensitive data speak volumes about how easy it is for hackers to access an organization’s network.
It’s thought that 70% of data losses are caused by human error, so these negligent users are your unwitting participants in phishing and social engineering scams. They take the bait and help to infect endpoints with malware that may be the attack itself (as in the case of ransomware) or simply provide a foothold for further actions by online criminal organizations.
But creating a culture of safe IT practices amongst everyone in your organization is not enough.
Users are human.
Users are human: they are flawed, careless and often exploited. They will always act outside the boundaries of policy and, sometimes, of common sense.
Whilst most individuals, given the appropriate information, will pursue a course of action that supports the organization’s security initiatives, most is not all. This trust needs to be verified. An organization cannot continue to blame the user and demand even more training. What’s more, it isn’t always an incompetent or ill-prepared member of staff who opens up a company’s data to hackers.
The Malicious Insider or External Attack
Malicious users are insiders who have shifted their loyalty from the organization they work for to themselves, and who engage in some kind of inappropriate activity (hacking, data theft, etc.) that benefits them at the organization’s expense.
The external attacker is more likely a member of an organized group than a loner. These individuals leverage hacking, social engineering, malware, and many other toolsets to create a way into your network. Once inside, they work to obtain one or more sets of elevated credentials that give them greater access and the ability to move about the network in search of valuable data.
Spotting any of these is difficult.
When you boil it down, the only way to really tell whether someone has been exploited, is a malicious insider, or is an external threat actor acting with intent is to let them perform actions (launching applications, authenticating to systems, accessing data, etc.) and determine whether those actions are inappropriate.
But given that the majority of your user population doesn’t act the same way each day – let alone the next week or month – it makes more sense to spot the threat actor by looking at leading indicators of threat activity, rather than waiting for the threat activity itself.
One of the most accurate leading indicators is one no malicious insider or external threat actor can get around – the logon.
Stopping threats at the logon
The simplest activity common to every threat action is the logon. Nearly all threat actions require a logon using internal credentials. Endpoint access, lateral movement between endpoints, external access via VPN, remote desktop access, and more all share the common requirement of a logon.
In essence, logon management makes the logon itself a scrutinized and protected event. The ability to successfully log on (and remain logged on) becomes more than just a question of whether the right credentials are used.
A logon management solution detects an abnormal access attempt based on the customized, granular logon policies set for that particular account (employee). It acts accordingly – either denying or approving the logon – and alerts IT (or the affected user) if the policy stipulates it.
No logon, no threat
Some of the potential scenarios that are now thwarted include:
- Genuine but compromised logins from exploited users are now useless to malicious insiders or would-be attackers.
- Careless user behavior such as password sharing, leaving shared workstations unlocked, or logging into multiple computers simultaneously is now eradicated.
- Access to any data/resource is now always identifiable and attributed to one individual user. This accountability discourages an insider from acting maliciously and makes all users more careful with their actions.
- Suspicious activity triggers an alert, giving IT the chance to react instantly.
- Users are notified with tailor-made messages and alerts – including alerts on their own trusted access. Informed employees are another line of defense.
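The per-account policy evaluation described above (granular logon rules, a deny-or-allow decision, an alert to IT) together with the simultaneous-login and unfamiliar-host scenarios in the list, as an added example that is not code from the original post or from any logon management product; the account names, hosts, permitted hours and policy fields are constructed assumptions:

```python
# Added example (not the post's own or any vendor's code): evaluate each
# logon attempt against a per-account policy and record denials as alerts.
from dataclasses import dataclass
from datetime import datetime

@dataclass
class LogonPolicy:
    allowed_hosts: frozenset   # workstations the account may log on from
    hours: tuple               # (start, end) permitted hours, 24h clock
    max_sessions: int          # simultaneous interactive sessions allowed

@dataclass
class LogonEvent:
    user: str
    host: str
    when: datetime

def evaluate(event, policy, active):
    """Return ('allow'|'deny', reasons). active maps user -> hosts logged on."""
    reasons = []
    if event.host not in policy.allowed_hosts:
        reasons.append("host not permitted for account")
    start, end = policy.hours
    if not start <= event.when.hour < end:
        reasons.append("outside permitted hours")
    sessions = active.get(event.user, set())
    if event.host not in sessions and len(sessions) >= policy.max_sessions:
        reasons.append("concurrent session limit reached")
    return ("deny" if reasons else "allow"), reasons

def process(events, policies):
    """Replay logon events in order; return the alerts raised on denials."""
    active, alerts = {}, []
    for ev in events:
        decision, reasons = evaluate(ev, policies[ev.user], active)
        if decision == "allow":
            active.setdefault(ev.user, set()).add(ev.host)
        else:
            alerts.append((ev.user, ev.host, ev.when.isoformat(), reasons))
    return alerts

# Constructed sample data: two accounts and four logon attempts.
POLICIES = {"alice": LogonPolicy(frozenset({"WS-01", "WS-02"}), (8, 19), 1),
            "bob": LogonPolicy(frozenset({"WS-07"}), (8, 19), 2)}
EVENTS = [LogonEvent("alice", "WS-01", datetime(2024, 3, 4, 9, 0)),
          LogonEvent("alice", "WS-02", datetime(2024, 3, 4, 9, 5)),    # second machine at once
          LogonEvent("bob", "WS-07", datetime(2024, 3, 4, 10, 0)),
          LogonEvent("bob", "SRV-DB1", datetime(2024, 3, 4, 23, 30))]  # unfamiliar host, off-hours
```

Running `process(EVENTS, POLICIES)` denies alice's second simultaneous session and bob's off-hours logon from a host his account never uses, while the two routine logons are allowed without an alert.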
No technology can completely eliminate the chance of an attack, but there is a way to drastically reduce the potential risks. Logon management offers greater control for admins and completely restricts various careless user behaviors, as well as encouraging good behavior through alerts and notifications.