Why security is everyone’s responsibility
The security breaches of the last couple of years remind us of the unpredictable variable: the human factor.
If there is one thing we can take away from all the recent security breaches – from Target at the end of 2013 to the recent breach at Anthem – it’s that security is a very complex issue with a ton of variables to consider. These views rang loud and clear at last month’s World Economic Forum Annual Meeting 2015 in Davos, Switzerland, where I participated in a workshop on “Global Crime and Anti-corruption.”
The graphic above shows the variables that must be considered when it comes to security. It illustrates clearly that security isn’t a simple task that you can “set and forget.” You can read more in my LinkedIn post: “When People are APIs and Things have Identities.”
In that post, I note why it’s critical to keep pace with the bad guys using today’s open, innovative, flexible and responsive security technologies. Then I read reports on the suspected source of the Anthem breach, and recalled Target, RSA and many other breaches, and remembered we cannot forget the human factor in any security initiative. All those breaches started with a person, and whether they were mistakes in security best practices or actions taken with malicious intent, there is a human factor that we have to account for even as we advance technology to protect against breaches and mitigate the damage if they happen.
The CERT Division of the Software Engineering Institute at Carnegie Mellon University has done significant research on the issue of insider threat, examining not only how to identify an insider with malicious intent, but also how susceptible an insider is to social engineering schemes. The insider threat is real, and while we can take on a lot of the security burden with technology to minimize the insider threat by controlling access, monitoring activity and mitigating damage, we still need to consider the human side of the threat and take steps to improve how we manage it.
There is a clear message when you consider both the human side and the technological side as elements of a complete security package: security is everyone’s job – whether you sit on the board, are an IT administrator with widespread system access or an employee on the night crew sweeping the floors.
Feel free to leave me a comment below about what your company has learned from the recent security breaches or how you manage internal threats. And follow me on LinkedIn for more insights on innovation, technology and security in general.