Man and Machine: The Ultimate Infosec Team?

Man and Machine

Are your employees a data security risk?

What's the biggest threat to organizational data and networks? Employees. That's the consensus of a HANDD Business Solutions survey, according to Information Age. Compliance and regulation challenges were also a top concern for beleaguered businesses.

This leaves HR leaders with a tough question: If trusted staff are the source of network compromise, what's the best way to reduce total risk? Computer Weekly suggests that it's a combination of "man and machine" that offers the best competitive advantage for infosec.

Active Automation

Automation is already changing the face of IT security, most notably in the area of data collection and analysis. As CSO Online points out, security automation tools can now eliminate 95 percent of "false positive" security alerts, allowing IT pros to focus on both threat mitigation and active threat "hunting" — an offensive approach to defensive measures.

The caveat? Automation isn't a mature market, with experts suggesting that it will take at least a decade before security automation is fully optimized. There's precedent here: Cloud computing took at least this long to mature, and the internet of things is on a similar track.

For HR pros, improved automation means reduced stress on IT staff and better identification of threats. The challenge is that automation alone doesn't fully address the issue of employees themselves.

Risky Business

In most cases, employees don't mean any harm. But intention and action aren't intrinsically linked. And while it's easy to point fingers at inattentive or uncaring employees, the truth is more complex: Advanced phishers can create email addresses that appear to originate from inside the organization, may pose as high-ranking C-suite members and may even direct users to legitimate-looking webpages that seem to be verified by current security measures. In other words, employees aren't trying to put networks at risk — they're responding to what they believe are legitimate emails from their direct supervisors or trusted corporate partners.

As Infosecurity Magazine notes, many organizations now turn to phishing-simulation tools to help staff recognize the telltale signs of potential email attacks. The challenge is to implement effective policy to curb successful phishing lures after businesses discover just how many dangerous clicks and downloads are taking place. Ideally, organizations need multistage intervention processes that include regular phishing reminders for all staff, extra training for repeat clickers and managerial intervention if previous efforts to mitigate risk aren't successful.

Bridging the Gap

So what does a "man and machine," staff-based online security model look like? It starts, again, with automation — specifically, data collection. Just as automated tools excel at identifying false positives, these tools can also help identify at-risk employee behaviors based on current and predicted attack vectors. Leveraged by trained infosec personnel, this data could be used to create event-driven employee-training plans that speak to high-priority real-world threats rather than the vague and sometimes unreliable notion that employees put corporate data at risk. Ideally, the process also works in reverse: Staff usage of mobile devices and corporate networks can help inform the aim of automated systems by identifying areas of increasing or evolving risk.

HR leaders are coping with the harsh reality that employees boost business risk. By combining automated tools and effective staff training, however, it's possible to create a "man and machine" hybrid more resilient to emerging attacks.

Stay up-to-date on the latest workforce trends and insights for HR leaders: subscribe to our monthly e-newsletter.