Security awareness is an important topic for organizations of all sizes. Many companies are so busy with their daily routines that they easily overlook the many security risks or issues that happen every day. When they do stop to focus on the security of their network, systems or data they tend to look at the big picture and overlook the small details, which are often the ones that can easily be fixed. For example, one of the most common security risks that takes place every day is employees at organizations of all sizes who write down their credentials to remember them. Most have done it, but what is overlooked is that this can potentially lead to a huge security risk.
Now more than ever, organizational leaders need to ensure that their data is secure, especially if they are dealing with customer information. Many public security breaches have happened in just the last year. Large breaches such as those at Target and Neiman Marcus tend to get most of the attention because they affect so many people, but these things can happen to an organization of any size.
Though most company leaders know that security is important, they often put off dealing with it because they believe it will mean more work for them on top of their daily activities. Some companies have annual training to teach their employees and staff how to properly secure the network and its information, covering best practices and how to handle sensitive customer data.
Training only once a year can be ineffective, and staying aware of employee practices and ensuring they are being secure is difficult. The IT department at many companies is normally extremely busy and does not have the time to ensure the security on a daily basis. Or, if a solution is needed, they believe that implementation would be lengthy and very costly for the organization; so no action is taken. What they do not realize is that there are often small steps or quick implementations of solutions that will easily increase the security without any additional effort. These small changes can greatly increase the security of the organization’s network.
Everyday security risks
Let’s take a look at some of the daily security risks that are often overlooked. As already mentioned, employees often write down their credentials to remember them. In a recent survey of password and credential trends conducted by Tools4ever, responses from employees across numerous industries showed that a majority of employees have upwards of seven sets of credentials that they need to remember. In addition to that, these passwords need to be changed every month or so. Is it any wonder that they write their credentials down so they can remember them?
Complicating matters further, some organizations have chosen to implement a strong password policy, requiring employees to use a password of a certain length with multiple character types, in the hope that this will help keep the network secure. What they might not realize is that this alone may cause more issues than it solves. Employees have trouble remembering many complex passwords, so these policies actually make it more likely that they will write down their credentials.
Another common security issue is the lending of access or credentials. Often, when an employee needs to be away from work or goes on vacation, they lend their credentials to someone else in the organization who needs to get something done in their absence. While this seems harmless, for a system or application that holds critical data or customer information, a security breach can easily follow. This person, who has not been given access to the application by the company, now has the credentials to access it whenever they want. Worse, if the delegating user does not reset their password upon return, the access remains.
Then there is the issue of correctly managing access rights. Through the day-to-day activity of employees joining or leaving the organization, it is exceedingly easy to lose track of who has access to which systems and applications. Accounts are provisioned, credentials are shared and employees are given special access for a project, but access is never revoked. Organizations need to ensure that applications and systems holding sensitive data and customer information are not being accessed by just anyone in the company. They also need to keep track of exactly what types of changes employees are making in each of these applications.
One of the biggest security issues occurs when an employee leaves an organization. When employees quit or are terminated, they are often inadvertently left active on the organization’s network. More often than not, this task is overlooked because someone has to go into each application and manually disable the user, which can be extremely time-consuming. This is a severe security risk, since these ex-employees still have access to the company’s data and network. There have been many cases where disgruntled employees either wreak havoc on their former employer’s network or steal important customer data. This issue commonly arises when an organization hires temporary or seasonal employees; with the constant turnover of these types of employees, it is easy to lose track of whose accounts are still active.
While these issues leave the organization at risk of a security breach, they are also a problem when it comes to audits and compliance. When that time of year comes around, there is a scramble to produce reports demonstrating that the organization is meeting all of its compliance obligations for keeping customer data secure.
There have been many instances of these small security issues occurring on a daily basis.
For example, banks deal with extremely sensitive customer data. A breach of a bank’s network can cause extreme damage, not only to an individual but also to the institution’s reputation. The problem is that bank employees have to log into several different systems and applications to assist customers. To remember all of their credentials and serve customers quickly, many of the bank’s employees were keeping their credentials written down next to their computers. While their intentions are good and they want to provide quick customer service, this can lead to a huge security issue.
A more public example of a security issue involved a disgruntled ex-employee of McLane Advanced Technologies. After being terminated from his job, he logged into the company’s network and wiped out all of its customer data. Though this employee was caught and convicted, the organization still had to clean up the huge mess, and lost much irreplaceable data and information.
These are just two examples of the security issues that take place daily at many organizations. So what should an organization that does not want to invest a bunch of time and money in security do about these everyday issues?
Easy solutions to everyday security issues
There are several ways in which these common security issues can easily be solved. The first issue that can easily be rectified is ensuring that rights are revoked as soon as an employee is no longer with the organization. When putting a process in place to handle terminated employees, the most common scenario is a link between the Human Resource system and Active Directory. When an employee is terminated, a synchronization process needs to be in place to handle the decommissioning of accounts in all internal and external systems.
Where feasible, using a Web service or API to automate the process will save time and money in the long run. Where that is not feasible, an email workflow process should be established whereby system owners are notified to terminate the account and positive confirmation is required that the work has been completed. This ensures that anyone who is no longer with the organization does not retain access to anything on the company’s network and is not accidentally overlooked.
Another issue that needs attention is ensuring that employees who are with the company have the correct access and do not have access to any data or information they should not. Access rights tend to creep over an employee’s tenure with an organization. Rights are assigned for special projects, while one employee is covering for another on leave, or when an employee changes departments and responsibilities. The revocation of these special or historical rights occurs infrequently at best.
Again, software solutions are available to analyze the rights of employees and make the information actionable. By using a role-based access control matrix, in conjunction with an identity management solution, companies can ensure that accounts for new employees will be created with proper access rights and that, over time, the access rights remain proper.
Next is dealing with the many password issues. Organizations tend to overlook one of the easiest methods for ensuring password security: a single sign-on (SSO) solution. Since employees who have many sets of credentials tend to write them down, why not eliminate the problem altogether? A single sign-on solution enables end users to log in with a single set of credentials just once, after which access is granted automatically to all of their authorized applications.
Another way that many organizations ensure password security is with two-factor authentication. Instead of entering a username and password, users can automatically log in by presenting a smart card to a reader and entering a PIN code. Combining a smart card and a PIN code ensures strong authentication because this two-factor authentication is based on something users have, the smart card, and something they know, the PIN code. This ensures that the person truly is who they say they are.
Finally, another simple way to ensure security is to generate weekly reports. This allows managers and admins to keep track of their employees, their access and anything else of note, and to catch errors early. Many organizations do audits once a year and do not check throughout the year that they are meeting their audit requirements.
For example, managers can generate an overview of the number of accounts created, for whom and for which department. This means the organization always has insight into the processes involved and whether it is in compliance with regulations. By presenting these reports via a Web portal, the manager can electronically sign off that the information contained in them is accurate. The Web portal can also allow a manager to start a workflow process to correct any irregularities. This also helps when audit time comes around: instead of spending days gathering the information for an audit, all of that work is already done.
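The HR-to-directory synchronization, the role-based access matrix and the weekly report described above can all be driven from one reconciliation pass. The following is an added example, not Tools4ever code or anything from the article: it compares a constructed HR roster against a constructed account export and a hypothetical role matrix, and returns the three findings a manager would want to see each week (leavers still enabled, accounts with no HR owner, and rights outside the employee’s role).

```python
from datetime import date

# Constructed sample data (not from the article). In practice these would be
# pulled from the HR system and from Active Directory / application exports.
HR_ROSTER = {
    # employee_id: (status, department, termination_date or None)
    "E1001": ("active", "Finance", None),
    "E1002": ("terminated", "Sales", date(2014, 3, 1)),
    "E1003": ("active", "Support", None),
}
ACCOUNTS = [
    # (account_name, employee_id or None, enabled, entitlements)
    ("jdoe", "E1001", True, {"finance_ledger", "email"}),
    ("asmith", "E1002", True, {"crm", "email"}),           # leaver, still enabled
    ("bchen", "E1003", True, {"helpdesk", "email", "finance_ledger"}),  # rights creep
    ("contractor7", None, True, {"crm"}),                  # no HR record at all
]
# Hypothetical role-based access control matrix: department -> allowed rights.
ROLE_MATRIX = {
    "Finance": {"finance_ledger", "email"},
    "Sales": {"crm", "email"},
    "Support": {"helpdesk", "email"},
}


def reconcile(roster, accounts, roles):
    """Build the weekly report: accounts to disable, orphans, and excess rights."""
    report = {"disable": [], "orphans": [], "excess_rights": {}}
    for account, emp_id, enabled, rights in accounts:
        if emp_id not in roster:
            # Nobody in HR owns this account, so nobody is accountable for it.
            report["orphans"].append(account)
            continue
        status, dept, _ = roster[emp_id]
        if status == "terminated" and enabled:
            # The leaver workflow never reached this system: disable it now.
            report["disable"].append(account)
            continue
        excess = rights - roles.get(dept, set())
        if excess:
            # Rights outside the role matrix are the "historical" grants that
            # accumulate over a tenure and are rarely revoked.
            report["excess_rights"][account] = sorted(excess)
    return report


if __name__ == "__main__":
    for section, findings in reconcile(HR_ROSTER, ACCOUNTS, ROLE_MATRIX).items():
        print(f"{section}: {findings}")
```

Feeding the `disable` list into the automated deprovisioning step, and the other two sections into the manager’s sign-off portal, turns the annual audit scramble into a routine weekly check.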
Other more advanced security trends
Many trends have also evolved out of the need for greater security. While they are not strictly necessary, it is interesting and important to be aware of what is to come in the security world. One of these is the use of biometrics: verifying a person’s identity from their physical traits. Such methods use voice recognition, retina scanning, facial recognition or fingerprints to authenticate a user. Some more advanced systems are even able to read the user’s signature and match it against the original signature stored in the system.
Other emerging methods use a cell phone for authentication. Several companies have developed shells that attach to a mobile phone to capture a fingerprint or iris image to authenticate the user. Other companies have technologies that use a cell phone’s GPS to authenticate the user.
Even more extreme methods have been proposed by companies such as Motorola, which has suggested a “password pill” containing a microchip and a battery activated by stomach acid that would emit a unique ID radio signal. While this method may be far-fetched, it shows just how far companies are willing to go to ensure security.
So what are organizations to do? How can you be aware of and on top of any security issues?
Frequently, security breaches are not the extreme cases you hear about on the evening news, where a hacker steals a terabyte of important data from your network. It is more likely to be one of your employees who is unhappily leaving the organization and wants to take his customers’ information with him, or an employee who wants to access important data and change it maliciously. This is why it is critical that you look at even the smallest daily activities to close off every avenue for a security breach.
Dean Wiech is managing director of Tools4ever, a global provider of identity and access management solutions.