Ovum Insights - Building a security-minded culture reduces risk
Navisite recently sponsored research conducted by Ovum, presented in a white paper - Tackling Increasingly Complex Security Challenges - which considered the extent of cybersecurity threats faced by businesses and their strategies for dealing with these threats. One of the many findings was how non-technical factors still play a significant role in security – and businesses continue to overlook them.
Building a security-minded culture
The modern IT environment is incredibly complex, blending local resources with cloud-based services in a hybrid operating model. Factor in an explosion in the number of devices connecting to the network (IoT, mobile, remote access, etc.) and it is obvious that there is almost limitless potential for hackers to find a usable surface from which to launch an attack.
Security technologies are rapidly evolving to help cover every endpoint, but your users remain the weak point in every strategy. Poor password management, a lax attitude towards mobile device security, or blatant malicious activity – all have the potential to create havoc inside the network perimeter.
Obviously this is a problem for organizations that devote most of their spend and resources to perimeter defenses. When the enemy is within, only education and policies can combat user activities. You will need to divert at least some of your resources towards establishing a culture that respects and upholds security principles, empowering users to protect corporate data.
A potential culture clash?
The trouble is that many organizations are currently engaged in digital transformation programs, using data and technology to drive business decision making and change. Data analytics is supposed to help improve the accuracy of these decisions, but a move towards faster operations also requires risk-taking – often the very antithesis of security.
In terms of culture, senior leadership will need to ensure risk-taking is measured and well-reasoned – and that security concerns are addressed before taking action. The move from DevOps to DevSecOps frameworks will ensure security is embedded in IT operations – but the same old issues will persist if similar processes are not implemented across the rest of the business.
Technology is catching up
Cultural change takes time to become a natural part of corporate DNA. But you need to raise security standards now.
This is where user and entity behavior analytics (UEBA) can help bridge the gap. UEBA silently monitors network activity to establish a baseline of normal behaviour for each user and device, then watches what passes through the network to identify activity that falls outside those norms.
Depending on how UEBA is configured, the tools can automatically block suspicious activity, or forward alerts to an engineer for further analysis. UEBA won’t correct the bad behaviors of your employees, but it will certainly help to mitigate some of their mistakes as you try to cultivate that much-needed culture of security awareness.
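A minimal illustration of the baseline-then-deviate idea described above, added here as an example; it is not code from the Ovum report, Navisite or any UEBA product. It learns each user's usual login hours and source networks from a constructed authentication log, scores later events by how many ways they depart from that profile, and maps the score onto the configured response (block, alert or allow). The log format, user names, addresses and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (not from the Ovum report): "<ISO time> <user> <source IP> <outcome>"
LEARNING_LOG = """2024-03-04T09:05:00 alice 10.20.1.15 success
2024-03-04T17:40:00 alice 10.20.1.15 success
2024-03-05T08:55:00 alice 10.20.1.22 success
2024-03-05T18:10:00 alice 10.20.1.22 success
2024-03-04T22:30:00 bob 10.20.7.8 success
2024-03-05T23:15:00 bob 10.20.7.9 success""".splitlines()

def parse(line):
    ts, user, ip, outcome = line.split()
    return datetime.fromisoformat(ts), user, ip, outcome

def subnet(ip):
    return ".".join(ip.split(".")[:3])  # the /24 the address sits in is the "usual network" unit

def build_baseline(lines):
    """Learn, per user, the hours of day and /24 networks seen during a quiet learning period."""
    base = defaultdict(lambda: {"hours": set(), "nets": set()})
    for line in lines:
        ts, user, ip, _ = parse(line)
        base[user]["hours"].add(ts.hour)
        base[user]["nets"].add(subnet(ip))
    return dict(base)

def score_event(baseline, line):
    """Count the ways an event departs from the user's baseline (0 = looks normal)."""
    ts, user, ip, outcome = parse(line)
    profile = baseline.get(user)
    if profile is None:
        return 3  # no history at all: treat as maximally unknown
    score = 0
    hours = profile["hours"]
    if not (min(hours) - 1 <= ts.hour <= max(hours) + 1):  # one hour of slack round the usual window
        score += 1
    if subnet(ip) not in profile["nets"]:
        score += 1
    if outcome != "success":
        score += 1
    return score

def decide(score, alert_at=1, block_at=3):
    """Map the score onto the configured response: block outright, alert an engineer, or allow."""
    if score >= block_at:
        return "block"
    if score >= alert_at:
        return "alert"
    return "allow"
```

The thresholds in `decide` are the "depending on how UEBA is configured" knob: a short learning window or a low `block_at` produces false positives, which is why a real deployment tunes them against a longer baseline before automatic blocking is turned on.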
Currently just 52% of businesses surveyed by Ovum are investing in UEBA, suggesting they are either underestimating the potential risks posed by their user base, or don’t realize the value of the technology. Those organizations that have experienced a recent breach are slightly further ahead of the norm; 58% are actively investing in UEBA.
Ultimately, UEBA is a complementary technology, valuable and important, but best used as part of a wider security strategy. It is also no replacement for a culture of security awareness – you will still have to put in the hard work to create the change you want to see.