Often, security programs are focused on external threats and technical solutions. Firewalls, antivirus, and similar security tools are designed to block the attackers from ever gaining access to an organization’s systems.
In May 2023, MorganFranklin’s Ashwin Satish and Nate Galimore addressed another leading threat to cybersecurity in their webinar Identity: Humans are the Problem. Check out the full webinar on-demand at Brighttalk.
Humans Are the Problem
Human security threats to the organization come in a variety of different forms. Some of the main human security risks that companies face include:
- Social Engineering: Social engineering attacks can take the form of phishing emails, which are designed to get engagement, or tailgating and piggybacking, which are used to gain physical access to a secure area or system.
- Insider Threats: Insider threats involve threats caused by trusted insiders, such as employees, contractors, and vendors. These threats can be unintentional, intentional, collusive, or from a third party.
- Negligent Behavior: Employees can inadvertently place corporate data and security at risk. For example, a hard drive or laptop containing sensitive data could be left somewhere where it can be lost or stolen, or employees can insecurely use applications and devices, sharing passwords and the like.
Developing a Risk Management Strategy
Often, these human security risks are overlooked in favor of focusing on the “easy” security problems that can be solved via technology. Human security risks can be best addressed via a human risk management strategy. To get started with developing such a strategy, consider the following three steps:
- Understand Your Environment: Before you can manage your human risk, you need to understand it. This includes understanding the data you have and your users.
- Define Data Management Goals and Requirements: With an understanding of the data that you have, you can identify your security and compliance requirements. For example, companies may operate in jurisdictions or industries that have laws regarding data protection such as GDPR, HIPAA, or PCI DSS.
- Evaluate Program Maturity: Finally, evaluate existing policies and programs against these goals. For example, it is good to understand existing policies, how often they are updated, and if they meet the organization’s needs.
Implement Human Risk Management
After performing this analysis of existing strategies, it’s possible to start developing a risk management strategy. Ideally, this strategy should be proactive and adaptive, managing risks before they occur and learning from past experiences.
Some best practices for implementing such a strategy include:
- Develop an IAM Program: An IAM program will manage access to data, enabling an organization to track and restrict this access based on its security goals.
- Appoint Security Champions: Security champions operate in each line of business and act as a convenient point of contact for employees who are facing security challenges or have questions.
- Train Employees: Employee training shouldn’t just address potential threats — phishing, lost USBs, etc. — but also discuss how to manage security risks within your specific organization.
- Augment with Security Solutions: Solutions such as MFA, VPNs, SSO, and password managers improve security with minimal impact on employee productivity and system usability.
How MorganFranklin Can Help
To learn more about human security risks and how to manage them, check out the full webinar. There, Nate and Ashwin provide an in-depth discussion of human security risk management, including real-world examples and tips gained from their years of experience in IAM and risk management.
If you’re looking to implement or improve your IAM and human risk management programs, MorganFranklin can help. Our analysts can assist in evaluating existing programs, developing new strategies, and selecting the solutions best suited to meet your organization’s unique security needs.