Protecting data as well as employees by understanding human behaviour
In today’s technological landscape, developments like migration to the cloud and the Internet of Things have eliminated traditional boundaries and greatly increased the challenge for cybersecurity professionals working to protect their organisations. At the same time, attacks have grown exponentially in number as well as in sophistication.
OpenGov discussed these issues with Forcepoint's Global CTO, Nicolas Fischbach (CTO Cloud at the time of interview) on the sidelines of the Singapore International Cyber Week (SICW) 2017.
Impact of cloud on cybersecurity
Mr. Fischbach said that many enterprises start as on-premise customers. Many of those companies want to move to the cloud as part of their digital strategy: they want to be more agile and to reduce costs, and they do not want to deal with the hardware/software lifecycle. The other key driver is people who want to be enabled and to reduce the friction they get from IT. Usually, one of the first steps into the cloud for enterprises is Office 365. Then there are adjacent moves, like moving the HR solution or accounts to the cloud, and starting to consume things like OneDrive, Dropbox etc. Then there are the bigger moves like CRM, when people move to, for instance, Salesforce in the cloud, or from on-premise SAP to in-the-cloud SAP.
Enterprises often have very good cybersecurity measures on-premise. “Over the years they have invested a lot of time, a lot of technology, lot of processes to make it right. Then when they move to the cloud, they kind of seem to think that it’s moving at the same time. But that’s often not the case,” Mr. Fischbach explained.
For example, organisations usually have very strict password policies on-premise. Maybe you have to change your password every 30 or 60 days. But when the organisation moves to applications in the cloud, these security features might not be there by default. You might have to turn them on, which people forget to do. Forgetting that security measures do not move to the cloud with you could result in a compliance breach.
Another example would be, for instance, a salesperson in a company having access to HR information because that has also been entered into Salesforce. In order to avoid breakdown of processes, rules are left very open.
To deal with such issues, Forcepoint offers a Cloud Access Security Broker (CASB) solution. Mr. Fischbach said that it is basically very advanced application firewalling and workflow management in the cloud. Forcepoint CASB provides visibility into where the data is and what people are doing with it as the organisation moves to the cloud.
Forcepoint CASB lets users discover and assess risk from unsanctioned cloud apps, and control how sanctioned cloud apps (e.g., Office 365, Google Suite, Salesforce, Box, Dropbox) are used, so as to prevent the loss of critical data and IP.
Understanding human behaviour and protecting employees
Another big challenge for organisations now is to comply with privacy regulations such as GDPR (General Data Protection Regulation).
“Many people seem to think GDPR only impacts Europe. It does not. GDPR impacts you anywhere in the world, if you as an entity or enterprise or as a commercial platform deal with European customer information. So, it is pretty important to understand what your compliance policy is, what your regulator policy is, if you have the right tools to enforce the regulations, validate the compliance or actually protect the data. If you fail, the fines could be pretty significant,” Mr. Fischbach explained. He referred to the recent Equifax data breach in the US. That would have been a disaster under GDPR compliance.
In this context, it becomes important to understand human behaviour. Often people seem to think the employee is the bad guy, which can happen in a few cases, but quite often the employee is just a vehicle. He’s going to be the person who is lured into clicking on something, and then something happens that compromises company data. At the same time, he’s also compromising himself.
Mr. Fischbach said, “We are not only selling you products to provide you web, email and data security. We also focus very much on products that provide insider threat protection, basically helping understand human behaviour and intent and helping employees secure enterprise data and at the same time help manage their privacy.”
The idea is to make it easy and frictionless for people to work, but at the same time keep information secure. By understanding the way people work, security systems can detect people doing things they shouldn’t be doing, either because they are malicious or because somebody is exploiting them. Then the organisation can protect its data as well as its employees.
Mr. Fischbach said that organisations must focus on the human point at the intersection of people with systems and critical data. It’s at this point where information is most useful in creating value, but also most vulnerable to a single malicious or unintentional act.
The digital identity of a person consists of more than just their name, social security number etc. It can also be combined with other information from the physical world. A person walks into an office, parks their car in the parking lot, flashes their badge, goes to their desk, logs in to their system and starts working.
“Nico on his computer sending an email. But is it actually me? Did I drive into the parking lot, did I use my physical badge to come in, did I log into my computer? You can bridge those assets; sometimes the asset is a physical asset that you own like the badge, sometimes it’s who you are and how you act. It’s about connecting all those dots. How do you feed all those analytics together to make sense of them?” Mr. Fischbach said. Furthermore, CCTV could provide inputs on a person’s emotional state, such as whether they look happy or sad, and so could a disgruntled comment made on social media.
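The kind of cross-check Mr. Fischbach describes, as an added example that is not Forcepoint’s code: it correlates constructed badge-reader and workstation logon records and flags logons that no recent badge-in explains. The window length, user names and all event data are assumptions made for the illustration.

```python
"""Added example (not Forcepoint's code): correlate physical badge-in events
with workstation logons to flag logons that no badge entry explains.
All event data below is constructed for illustration."""
from datetime import datetime, timedelta

# Constructed badge-reader log: (user, time) of each badge-in at the office door.
BADGE_EVENTS = [
    ("nico", datetime(2017, 9, 19, 8, 55)),
    ("alice", datetime(2017, 9, 19, 9, 10)),
]

# Constructed workstation logon log: (user, time, host logged on to).
LOGON_EVENTS = [
    ("nico", datetime(2017, 9, 19, 9, 2), "ws-nico"),     # badged in 7 min earlier
    ("alice", datetime(2017, 9, 19, 9, 12), "ws-alice"),  # badged in 2 min earlier
    ("nico", datetime(2017, 9, 19, 22, 40), "ws-nico"),   # no badge-in for hours
    ("bob", datetime(2017, 9, 19, 9, 30), "ws-bob"),      # never badged in today
]

# Assumption: a badge-in "explains" an on-site logon if it happened within this
# window before the logon. A longer window means fewer, coarser alerts.
BADGE_WINDOW = timedelta(hours=10)


def unexplained_logons(badge_events, logon_events, window=BADGE_WINDOW):
    """Return logons with no badge-in by the same user within `window` before them.

    Such a logon is not proof of misuse, but it is the kind of cross-domain
    inconsistency (digital identity active, physical identity absent) that an
    analyst would review, e.g. credentials used while their owner is away.
    """
    badge_times = {}
    for user, t in badge_events:
        badge_times.setdefault(user, []).append(t)

    flagged = []
    for user, t, host in logon_events:
        explained = any(
            0 <= (t - b).total_seconds() <= window.total_seconds()
            for b in badge_times.get(user, [])
        )
        if not explained:
            flagged.append((user, t, host))
    return flagged


if __name__ == "__main__":
    for user, t, host in unexplained_logons(BADGE_EVENTS, LOGON_EVENTS):
        print(f"review: {user} logged on to {host} at {t:%H:%M} with no recent badge-in")
```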
Trade-off between privacy and security?
Several of the security measures we discussed seemed to tread a fine line between privacy and security. The question is how to make sure that employees do not have to give up too much privacy for the sake of their own security or for company security.
When asked for his views, Mr. Fischbach responded, “Where privacy is well-defined, you only measure what you need to measure for protecting the company. And you need to have the right data governance, and ensure that the information is only looked at in the case of an incident and a very limited set of persons can access it, say head of security response, head of HR.”
That kind of information cannot be used for monitoring productivity or keeping tabs on what colleagues are doing. That is what people are mostly concerned about.
The other angle is encryption. Organisations should ensure that they don’t gather too much and what they gather is properly encrypted, to protect privacy and data. Privacy-by-design can help with that. Finally, it is essential to inform employees and explain to them what is being done and why. Quite often people are comfortable once they understand the objective. People are also realising that advanced monitoring also protects them and their own identity.
“Having such tools enables you as an employer to protect the employees. So, it’s not so much like big brother watching you, it’s more like your brother helping you, preventing you from doing something bad. Sometimes not because you want to do it, but somebody is exploiting you to do it,” Mr. Fischbach said.