“Fact: Every one of our institutions is infected.”
Thus did Kristin Lovejoy, former CISO at IBM and current CEO at Acuity Systems, enter the Privacy. Security. Risk. stage here in Las Vegas.
In fact, if your security team is telling you you’re not infected, they’re probably just bad at their jobs.
The most recent statistics generated by IBM say that the average organization of 15,000 employees suffers 324 security attacks per week. Of those attacks, 2.1 result in a compromise, Lovejoy said. Very few of those compromises result in a major event that requires reporting or some kind of public response, but each has at least some impact that requires a response from the IT team.
And, when you look at how the bad guys got in, “it was because of someone doing something dumb,” Lovejoy said. “Whether they misconfigured something or clicked on something they shouldn’t or used a weak password, they did something silly that enabled the bad guys to get in.”
What’s worse: For each of those two compromises, there will be another eight issues, like lost laptops or smart phones, that require a response of their own.
So, what to do? “Most organizations,” said Lovejoy, “think, ‘Ah, if they’re getting in through human error, then I need to lock down my users. Force them to authenticate. Long passwords. Lock down their mobile devices.’”
Bad idea, she said.
“Their answer will just be Gmail, Yahoo,” said Lovejoy. “People, like water, will find a way around the rules. They will do their jobs. No matter how much tech you throw at the problem, you’ll just be increasing the risk. You’ve created complexity and motivated the end user to do something dumb.”
The best solution, she said, is to remember that not all users are made equally. Most users can’t really do any damage anyway. Take away access to information they don’t need and then let them basically do whatever they want. If they don’t have sensitive data to lose, they can’t lose it.
Those other users, like your executives and heavy PII users, get the rigorous lockdown, but in a way that understands their issues. When you’re only working with a select group, you can customize the solution so they work with it rather than around it.
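The tiering Lovejoy describes only works if the control set follows from the data a user can actually reach, including access inherited through nested groups, and if entitlements to sensitive data the job does not need are stripped first. The following is an added illustration of that approach written for this article, not code from the talk or from IBM; the group names, users, data classifications and control names are constructed sample data.

```python
"""Risk-tiered control assignment driven by effective access to sensitive data.

Added example for this article (not from the talk): a user's control set is
derived from the classifications they can reach, following nested groups.
All names below are constructed sample data.
"""
from __future__ import annotations
from dataclasses import dataclass

# Control profiles per tier (hypothetical control names for this example).
TIER_CONTROLS = {
    "standard": {"mfa"},                                                  # little to lose: light touch
    "restricted": {"mfa", "dlp", "managed_device_only", "long_password"},  # can reach sensitive data
}

# Data classifications that put a user into the restricted tier.
SENSITIVE = {"pii", "financial", "source_code"}


@dataclass(frozen=True)
class Directory:
    # group -> members; a member may itself be a group (nested membership)
    groups: dict[str, set[str]]
    # group -> data classifications the group grants read access to
    grants: dict[str, set[str]]

    def expand(self, principal: str) -> set[str]:
        """All groups a principal belongs to, transitively through nested groups."""
        seen: set[str] = set()
        stack = [principal]
        while stack:
            p = stack.pop()
            for group, members in self.groups.items():
                if p in members and group not in seen:
                    seen.add(group)
                    stack.append(group)  # the containing group may itself be nested
        return seen

    def effective_access(self, user: str) -> set[str]:
        """Union of classifications granted by every group the user is (indirectly) in."""
        access: set[str] = set()
        for group in self.expand(user):
            access |= self.grants.get(group, set())
        return access


def tier_for(directory: Directory, user: str) -> str:
    """'restricted' if the user can reach any sensitive classification, else 'standard'."""
    return "restricted" if directory.effective_access(user) & SENSITIVE else "standard"


def controls_for(directory: Directory, user: str) -> set[str]:
    """Controls to apply to this user, derived from the tier rather than applied to everyone."""
    return TIER_CONTROLS[tier_for(directory, user)]


def unnecessary_sensitive_grants(directory: Directory, user: str, needed: set[str]) -> set[str]:
    """Sensitive classifications the user can reach but does not need for the job.

    Removing these is the 'take away access they don't need' step; it can move a
    user back to the standard tier and out of the heavy control set.
    """
    return (directory.effective_access(user) & SENSITIVE) - needed


# Constructed sample directory: 'finance-readers' is a nested group, so members
# of 'finance' and 'exec' reach financial and PII data without a direct grant.
SAMPLE = Directory(
    groups={
        "all-staff": {"alice", "bob", "carol"},
        "finance": {"bob"},
        "exec": {"carol"},
        "finance-readers": {"finance", "exec"},
    },
    grants={
        "all-staff": {"public", "internal"},
        "finance-readers": {"financial", "pii"},
    },
)

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, tier_for(SAMPLE, user), sorted(controls_for(SAMPLE, user)))
    # bob's job needs financial data only; the PII reach is an unnecessary entitlement
    print("bob unnecessary:", unnecessary_sensitive_grants(SAMPLE, "bob", {"financial"}))
```

Run as a script it prints each sample user's tier and control set; alice lands in the standard tier with only the light-touch control, while bob and carol inherit sensitive access through the nested group and receive the restricted profile. The design choice worth noting is that the tier is computed from effective access, not from job title, so an executive with no sensitive entitlements would not be locked down, and a standard user quietly added to a nested group would be.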
“They need monitoring tools like DLP,” Lovejoy said. “They just can’t use their own device at work.”
The big takeaway, she said, is that you need to ask yourself the question: “Does it make sense for all of these controls to be applied to all users?”