Whichever way one looks at network and data security, one of the most critical security vulnerabilities facing small and medium-sized businesses is human behavior.
Human beings and their actions within an organization are often overlooked when administrators are handling the security of their network and their most important asset, data.
IT administrators in SMEs are often overworked and required to do tasks that an administrator in a large business would never dream of doing. Although they make every effort to secure the network and the organization’s lifeblood, very often their efforts do not adequately cover the weakest link: those who use the system and have access to the data.
And this is a major problem because many security breaches occur not because the system was hacked by external sources but simply because an employee did something that compromised the IT administrator’s efforts to protect the network.
This is why it is so important that administrators pay close attention to those who are allowed to access the network and what they are allowed to do with it. Unfortunately, where human behavior is concerned, basic security steps are often neglected or not given enough attention. Here are a few:
1. Failure to implement the principle of least privilege
Giving administrator rights on employee machines or full, unaccountable access to all data at share and file level is a serious security risk. While least privilege is the best course of action, it is not always possible, because limitations in the system can then become your worst enemy (and administrators already have enough on their plate). For example, Windows XP with least privilege implemented is a nightmare to administer and use.
2. Controlling the use of portable devices on the network
Endpoint security is often overlooked by administrators who fail to realize that the USB sticks or iPods employees bring to work every day are a perfect tool to copy data to or from the network. In a worst case scenario, a ‘trusted’ but ‘disgruntled’ employee can bypass encryption, copy huge amounts of data or upload malicious software, effectively bringing the network down or deleting important data.
3. Trusting employees too much
A high level of trust between management and employees is not uncommon in SMEs. Access to key data or systems should be given only to those who need it, even if that person happens to be your cousin or the boss’s son.
4. Failing to monitor network activity and audit who is doing what
For a single administrator, monitoring event logs and carrying out regular audits is a massive undertaking: time-consuming and often impossible to do manually. However, even if this is done only within the confines of the storage environment rather than throughout the network, it is information security best practice, and logs have proven to be of great value when a security breach occurs and an investigation ensues. Log analysis goes beyond this: it is not only a post-event tool, it also helps you understand how your resources are being used, which allows for better management of them, coupled with security hardening.
5. Single point of failure
It is security best practice to limit the number of people who have full access to the storage environment but this does not mean that the administrator is the only person in the organization who should know the passwords, encryption keys, network diagrams and hundreds of other things about the network. If that administrator leaves the company suddenly or passes away, what happens then?
6. Who unplugged the server?
This may sound obvious but many SMEs do not have a secure storage area for their file and database servers. Keeping servers in a box room or under the staircase not only puts them at risk of failure but also leaves them accessible to staff. Accidents do happen and the last thing you need is the cleaning lady pulling the power cable out of your server while sweeping the floor!
This post is part of the series: Protecting your most important assets
Information and data are the lifeblood of any organization. Threat vectors abound and unfortunately human behavior is often very low on the list