Today's security environment is daunting. If it's not advanced persistent threat (APT) actors compromising data systems, it's good old human fallibility. Protecting IT assets can make a security professional feel like a modern-day Sisyphus, staring helplessly as the boulder breaks free and rolls back to the bottom of the hill.
In a recent article, the UK Information Commissioner's Office (ICO) proclaimed that the majority of data breach incidents can be attributed to staff carelessness.
Of course, this statistic applies only to disclosed incidents. Last time I checked, attackers don't have to disclose their actions, and sophisticated, personalized attacks can go unnoticed for months or years. Worse, when quantifying the nature of security problems, we typically focus on the volume of data, not the value of the data. When an attacker has access for such long periods of time, they don't need to take volumes of information. They can filter the valuable data on site, so to speak, and exfiltrate only the crown jewels.
But back to the problem of staff carelessness: why are we surprised that humans make mistakes? (After all, we are only human.) While I have seen more focus on employee training on cyber awareness and security in recent years, we shouldn't expect this to eliminate human error.
We do have the ability to manage the majority of these challenges. But the frustrating reality is that we are often so focused on stopping the nefarious attacker that we forget security basics. Most customer support professionals know the tongue-in-cheek acronym PEBKAC — "Problem Exists Between Keyboard and Chair."
A more fundamental problem is that we all too often start our security planning in the wrong place. Businesses can typically identify their most important information assets, and we can then tag this data to understand how and where it is used. In such cases, organizations should use Data Loss Prevention (DLP) software to remind and warn users of the errors they may make. And encryption can help mitigate the impact of lost and stolen hardware.
The problem for most security professionals is that they see security threats in their entirety — it's no wonder the problem seems insurmountable. The situation reminds me of the expression "How do you eat an elephant? One bite at a time."
All of this comes back to the broader issue of what is acceptable and what isn't. By determining where the risks are and which of them are acceptable, we can better focus our people, processes, and resources where they will add the greatest value to the business.