Data Security: A “People Problem”

With the recent introduction of the European Cloud Initiative in the EU and squabbles around TikTok and WeChat in the U.S., data security has come under the spotlight of public interest. Due to the emphasis on data storage location and privacy in these events, it is natural to regard protecting infrastructure and implementing security policies as the most important practices in data security. However, many people underestimate the “people factor” in maintaining a data security program.

In this blog post, I will discuss why people can be overlooked as the weak link in data security and how Othot answers the challenge.

Employee Negligence and Data Breaches

Not all data breaches are the handiwork of cybercriminals. They are also likely to be the result of employee negligence. According to 2018 industry research,1 more than 40% of data breaches were the result of an employee accidentally sharing, misplacing, or mislabeling sensitive data. It can be as simple as leaving a laptop on in a public setting, sending the wrong email attachment to the wrong email address, or labeling the wrong cloud storage bucket as public.2

Employee negligence is compounded by other factors, such as bad security practices and access creep, that cause greater problems. One form of bad security practice is poor password hygiene, where an employee uses easy-to-guess passwords or similar passwords across multiple systems. When cybercriminals obtain one set of usernames and passwords, it then takes them little time to gain access to a range of sensitive systems and the data stored within.

Access creep refers to a lack of review process and discipline when granting permissions, rights, and privileges to employees. In this case, a single breach can become much more difficult to contain due to the accumulation of unnecessary access.

Gone Phishing?

Employee negligence is bad enough, but when cybercriminals do attack, they also know it is sometimes easier to exploit the weak human link than to attempt a frontal assault on a well-maintained data security program. This can take the form of phishing emails and malware.

Despite the best efforts of security professionals, phishing emails can never be fully stopped from making their way into employees’ inboxes. With a click on the link and a login attempt, the user can hand over the key to all the sensitive data they have access to.

Similarly, malware, such as trojan horses or ransomware, can enter a user’s system through phishing scams or other malicious communications invitations, affecting data confidentiality, integrity, and availability. These attacks are especially prevalent in recent business settings, as companies have adopted work-from-home policies and employees rely more and more on email and communication software rather than in-person meetings.

While employees can be the unwilling participants in a data breach event, they can also be at risk from insider attacks. Whether motivated by financial benefit or by grudges against colleagues, insider attacks can be highly devastating and difficult to detect. To defend against these attacks, special attention to operational procedure is required.

How Othot Approaches Data Security

At Othot, we recognize the human factors and treat them seriously. For threats related to employee negligence, phishing, and malware, Othot holds regular security training and workstation spot checks to promote employee awareness and a corporate culture that embraces cloud and remote working. However, training alone does not ensure procedures are being followed. For that, Othot undergoes SOC 2 Type 2 audits.

A SOC 2 Type 2 audit scrutinizes how Othot manages data and emphasizes the soundness of operational procedures. For each access change and each transaction involving sensitive data, Othot needs to provide proof and evidence to the auditors. Together, these internal and external measures help Othot make people a strength instead of a weak link in our data privacy program.

HECVAT

If you are a higher education institution looking to review our efforts on information security and data privacy, one great tool is HECVAT (Higher Education Community Vendor Assessment Toolkit). HECVAT is a questionnaire-style spreadsheet that is increasingly popular in the industry.

Othot posts its HECVAT on REN-ISAC’s Community Broker Index. There, you can check out our most up-to-date HECVAT and other security resources such as our SOC 2 Type 2 report.

If you have any questions about these tools or reports, please contact us at othotteam@othot.com.
 

Sources:
1 https://www.techrepublic.com/article/over-40-of-reported-security-breaches-are-caused-by-employee-negligence/
2 https://www.lacework.com/top-cloud-breaches-2019/