Security 2.0: the solution to “the human factor” in digital information security
Humans are the weakest link when it comes to IT security. After all, as a security or IT manager you can put up a very nice digital wall, but when people hand their personal information (name, address, email passwords, credit card details and PIN code) to any stranger with a good story, or leave confidential information unattended, there is really no program or tooling that can protect you. Or is there?
The example above may be a little exaggerated, but it is not that far from how people in the digital age actually handle their information. A well-known example is Hillary Clinton while she was Secretary of State. She got around the secured work email by setting up an email server at her home in Chappaqua, New York. She relied on this server for all her electronic correspondence, both work-related and personal, during her four years in office. Clinton stated that the primary reason she set up her own email was “convenience”: she preferred to carry one smartphone with one email address rather than two devices, one for work and one for personal affairs. And she is certainly not the only one. Forty-six per cent of employees admitted they forward emails from work to their private address.
You don’t need to be a top hacker to get at the top-secret files from the previous example, and her case is unfortunately no exception. It has been known for a long time that humans are the weakest link when it comes to IT security. People stick yellow post-its with their passwords to their computer screens, or lose them in a cab on the way home. They get a call from “SAP” with questions about passwords and only wonder after the call who this person actually was, because they do not even use SAP. They send sensitive information to the wrong email address, or take files with them as soon as they are fired or quit their job.
How do you cope with this as a CISO (Chief Information Security Officer)? The method CISOs have relied on in recent years is education and strict rules for employees: for example, a clean desk policy, and sending employees on a course that teaches them where the dangers and risks lie in the digital domain. Run awareness campaigns within the organisation to make sure the knowledge sticks. And make sure that management stands behind it too, because if the boss doesn’t follow the rules, the employees won’t feel they need to either.
Educating employees hasn’t paid off much in recent years. Not a day goes by without a data leak or breach somewhere. Every 53 seconds new data records are lost or stolen, and twenty-five per cent of those data breaches are caused by human error. People make mistakes. They easily let go of what they were taught about mitigating cyber risks and want to work with tools that make their work easy and “convenient”. All these strict security rules just get in the way of doing their work the way they like. So CISOs are no longer focusing only on prevention, but also on “damage control”: they continuously monitor the corporate network and keep an overview of who does what. This way, when something goes wrong, they at least know which data has been leaked and the leak can be sealed quickly.
Damage control also calls for a new type of security tool. It doesn’t make sense to secure your network with a big iron fence when people can just as easily carry those files out the door. Security has to take place at file level. In addition, applying those security tools has to place a minimal burden on the user, otherwise they won’t use them. Most tools nowadays have a huge impact on the information infrastructure and are a big hassle for employees. This is why there is a strong need for a security tool like Quiver. We don’t require any change in your employees’ behaviour: they can keep using the tools they love and continue doing their work the way they do it best. At the same time, we give the company admin an Admin Tool with a full overview of every file and user, and of everything that happens with those files. When a breach attempt is detected, the Admin Tool takes the necessary actions. For example, when an employee leaves the company or forwards a confidential file to their private email, the admin can revoke access to that file at any time, even after the file has already been downloaded.
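To show why file-level protection can revoke access to a copy that has already been downloaded, here is an added model (not Quiver’s code; the design is an assumption, not a description of the product): the file is encrypted once, the key stays on a key server that releases it only after a grant check on every open, and each event is written to an audit log. The HMAC-SHA256 counter-mode keystream is a stdlib-only, unauthenticated stand-in for a real AEAD; the file name and users are constructed sample values.

```python
import hashlib
import hmac
import os

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib-only, unauthenticated stand-in for
    # a real AEAD. Applying it twice with the same key and nonce is the identity.
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)

class KeyServer:
    # Holds file keys and per-user grants; the encrypted blob may live anywhere.
    def __init__(self):
        self.keys, self.grants, self.audit = {}, {}, []
    def protect(self, owner, file_id, plaintext):
        key, nonce = os.urandom(32), os.urandom(16)
        self.keys[file_id], self.grants[file_id] = key, {owner}
        self.audit.append(("protect", owner, file_id))
        return nonce + keystream_xor(key, nonce, plaintext)  # portable blob
    def grant(self, admin, user, file_id):
        self.grants[file_id].add(user)
        self.audit.append(("grant", f"{admin}->{user}", file_id))
    def revoke(self, admin, user, file_id):
        self.grants[file_id].discard(user)
        self.audit.append(("revoke", f"{admin}->{user}", file_id))
    def open(self, user, file_id, blob):
        # Every open is checked against the current grants, so a revoked user
        # cannot read a copy they downloaded or forwarded earlier.
        if user not in self.grants.get(file_id, set()):
            self.audit.append(("denied", user, file_id))
            raise PermissionError(f"{user} has no grant for {file_id}")
        self.audit.append(("opened", user, file_id))
        return keystream_xor(self.keys[file_id], blob[:16], blob[16:])

def demo():
    # Constructed scenario: bob opens a shared file, keeps the blob in his
    # private mailbox, the admin revokes him, and that saved copy stops opening.
    server, fid = KeyServer(), "q3-forecast.xlsx"
    blob = server.protect("alice", fid, b"CONFIDENTIAL Q3 forecast")
    server.grant("admin", "bob", fid)
    first = server.open("bob", fid, blob)
    server.revoke("admin", "bob", fid)
    try:
        server.open("bob", fid, bytes(blob))  # the forwarded copy
        reopened = True
    except PermissionError:
        reopened = False
    return first, reopened, server.audit
```

The audit list is what an admin overview would be built from: every open, denial, grant and revoke is recorded per user and file.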