December 2, 2014 By Fran Howarth 3 min read

Security should be a board-level concern. The volume, complexity and sophistication of attacks is rising rapidly, and massive breaches affecting household names are everyday news. Elevating security to a board-level concern is vital for business survivability.

IBM has recently released a report that provides chief executive officers (CEOs) and their C-level counterparts with five security principles that should be given the highest priority. These principles can be boiled down into the following three key areas:

  • Focusing on employees;
  • Putting controls around critical assets;
  • Having processes and technologies in place for responding better and faster.

This article explores the first area, which is made up of two guiding principles.

Increase the Security IQ of Every Employee

According to the Ponemon Institute’s 2014 Cost of Data Breach Study, 60 percent of security incidents are caused by employee errors and internal system glitches. Internal threats can be particularly pernicious since employees often have access to the most sensitive information produced by an organization. Sending data to an unauthorized person — even mistakenly — or introducing errors that diminish data integrity can have serious consequences. To reduce the risk of employee error, CEOs should ensure they encourage a culture of security throughout the organization.

A top security priority is to train employees right when they join the organization. However, this is not a one-off exercise. Official training should be conducted at least annually, along with constant reminders, preferably done in a way that is fun and engaging for employees. They need to be aware of the threats facing their organizations, including emerging threats, and the sort of behavior that is expected of them to reduce their role in spreading these threats. They should be thoroughly trained on the security policies that have been set and told why they are needed.

To ensure the message is getting through, employees throughout the organization should be tested to make sure the knowledge imparted through training and awareness sessions has sunk in and that they really do understand the messages. Consequences for noncompliance with security policies, including possible sanctions, should be clearly spelled out.

But even that might not be enough. Some people perform well in structured tests, while others do not. As an extra precaution, organizations should look to catch their employees off guard, using phishing exploits to gauge their response to realistic scenarios. This will help the organization ascertain where the gaps in understanding are so it can take steps to remedy them.

Security Principles: Safeguard BYOD

At one time, organizations’ networks had clear boundaries, guarded by technologies such as firewalls. Today, those boundaries have all but disappeared. Mobile devices have become the device of choice for many employees and are constantly punching holes in traditional defenses. With mobile technologies quickly evolving and incorporating the latest and greatest features, many employees feel that their own devices are superior to those offered by their organizations. This has given rise to the bring-your-own-device (BYOD) phenomenon, with employees demanding to use the device of their choice for work purposes, especially since this removes the need to carry multiple devices for work and leisure purposes. Employees are the new perimeter.

Again, employee education is paramount for encouraging the safe use of personally owned devices, as well as security policies that spell out what is and what is not permissible. However, that alone is insufficient. Organizations must safeguard themselves by using technology to manage those devices and protect the data they contain, the transactions that are made with them and the applications that are permitted to contain corporate data.

Containerization is a strategy that has a central place in any enterprise mobility program. It provides a way to isolate corporate data on personal devices by enabling corporate and personal data to be placed in separate containers on the device. This allows different levels of security to be applied to different containers, ensuring the organization can safeguard its critical information while providing employees with the assurance that their personal data is safe from prying eyes. It also lets organizations retain the flexibility associated with the BYOD era, allowing for the safe use of any device rather than blocking network access until a particular device has been examined and certified.

Employees as the Front Line

The Cost of Data Breach Study estimates that the cost of dealing with a data breach increased by 15 percent in 2014 and will continue to rise. Employees and their devices are the front line of any organization, its human face to the world. To safeguard the organization from internal threats and external factors specifically targeting individual employees, it makes great sense to focus on employees themselves to lessen the chance that they inadvertently cause harm.

This is why security awareness and securing BYOD should be two of the main security principles espoused by boards of organizations. The next two articles in this series will focus on the other key security principles, examining how to best protect an organization’s crown jewels — its assets — and how to best prepare for and respond to security incidents.
