Last year, the 2022 Verizon DBIR reported that 82% of breaches are due to “the human element.” In their RSAC 2023 session, “Employees Are the New Perimeter - How the Pandemic Shaped Workforce Risk,” the presenters, Benjamin Edwards, PhD, Partner and Senior Data Scientist, Cyentia Institute, and Masha Sedova, Co-founder & President, Elevate Security, pointed out that workforce risk is indeed one of the largest unsolved problems in cybersecurity. Yet risk is not evenly distributed across employees.
According to their research, “high risk users” represent only approximately 10% of employees and are found in every department and function of the organization. Instead of implementing sweeping security policies for all users, the speakers urged organizations to apply adaptive security policies.
The pandemic pivot to work-from-home
During the presentation, Edwards and Sedova also discussed how large events, such as the COVID pandemic, can further impact individual risk levels. At Broadcom, we observed significant risk level changes for all organizations and their users during the pandemic. When the pivot to work-from-home happened in 2020, many enterprises, particularly in regions outside North America such as India, did not necessarily have a remote work culture or a one-to-one laptop-to-employee ratio. As a result, many organizations saw heavy employee BYOD usage for the first year or two, which introduced new employee risks.
With the pivot to remote work, CISOs immediately needed to embrace this new user perimeter, and reconsider how to connect and secure their remote users. At Broadcom, for example, we saw customers migrate from on-prem to cloud versions of our solutions such as DLP so they would not lose visibility or security. We can link a customer's network DLP on-prem to our cloud version and enforce their DLP rules in our cloud exactly the way they're enforced for a transaction on-prem.
Zero Trust can help provide the necessary guardrails to reduce the risk of human error. Trust and verify — we trust our users to access an organization’s data, but it’s also important that we verify that the way they're using it is correct. CASB and DLP can play a key role here. In most cases, the user is not nefarious. Sometimes it's just someone who thinks they're doing the right thing but makes a mistake — for example, they give an account number to a third party as a result of a phishing attack.
Take steps to reduce risk
As Edwards and Sedova pointed out in their presentation, risk is not evenly distributed throughout an organization. Start by measuring your workforce risk to establish a baseline. Then, use that baseline to measure your security program’s success over time. Develop a plan to identify high-risk employees, adapt security policies to better protect those users, and adjust policies to better fit medium- and low-risk individuals.
For example, according to the presenters, if you have a high-risk employee, adapt security for that user: ensure they only use a VPN. If someone is a medium risk, extend their MFA timeout and shorten their security training. Instead of approaching security with one large, sweeping policy, we need to recognize that risk is unevenly distributed and apply adaptive policies that fit each risk level. Implementing Zero Trust can give you the tools you need to make those adjustments at your control points, including email and web.
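The following Python sketch is an added illustration of the procedure above, not code from the presentation or from Broadcom. It scores each employee from constructed telemetry, derives an organization-wide baseline, flags roughly the top 10% as high risk, and maps each tier to an adaptive policy. The event field names, weights, tier cut-offs and the policy values are assumptions chosen for the example.

```python
from statistics import mean

# Constructed sample telemetry: one aggregated record per employee for a
# review period. Field names and counts are made up for this example.
EMPLOYEE_EVENTS = {
    "u01": {"phish_clicks": 3, "malware_events": 1, "dlp_incidents": 2, "training_missed": 1},
    "u02": {"phish_clicks": 1, "malware_events": 0, "dlp_incidents": 1, "training_missed": 1},
    "u03": {"phish_clicks": 0, "malware_events": 0, "dlp_incidents": 1, "training_missed": 0},
    "u04": {"phish_clicks": 1, "malware_events": 0, "dlp_incidents": 0, "training_missed": 0},
    "u05": {"phish_clicks": 0, "malware_events": 0, "dlp_incidents": 0, "training_missed": 0},
    "u06": {"phish_clicks": 0, "malware_events": 0, "dlp_incidents": 0, "training_missed": 1},
    "u07": {"phish_clicks": 0, "malware_events": 0, "dlp_incidents": 0, "training_missed": 0},
    "u08": {"phish_clicks": 2, "malware_events": 0, "dlp_incidents": 1, "training_missed": 0},
    "u09": {"phish_clicks": 0, "malware_events": 0, "dlp_incidents": 0, "training_missed": 0},
    "u10": {"phish_clicks": 0, "malware_events": 0, "dlp_incidents": 0, "training_missed": 0},
}

# Assumed weights: how much each event type contributes to an employee's risk score.
WEIGHTS = {"phish_clicks": 3.0, "malware_events": 4.0, "dlp_incidents": 2.0, "training_missed": 1.0}

# Assumed adaptive controls per tier; the page gives the direction (VPN-only for
# high risk, longer MFA timeout and shorter training for medium), not the numbers.
POLICIES = {
    "high":   {"vpn_required": True,  "mfa_timeout_hours": 8,  "training_minutes": 45},
    "medium": {"vpn_required": False, "mfa_timeout_hours": 24, "training_minutes": 20},
    "low":    {"vpn_required": False, "mfa_timeout_hours": 72, "training_minutes": 10},
}


def risk_score(events):
    """Weighted sum of an employee's security events for the period."""
    return sum(WEIGHTS[field] * count for field, count in events.items())


def score_all(employee_events):
    """Risk score for every employee, keyed by user id."""
    return {user: risk_score(events) for user, events in employee_events.items()}


def baseline(scores):
    """Organization-wide baseline: mean risk score. Recompute each period and
    compare against the previous value to track the program's progress."""
    return mean(scores.values())


def tier_employees(scores, high_fraction=0.10, medium_fraction=0.30):
    """Rank employees by score and assign tiers: the top ~10% are 'high', the
    next ~30% 'medium', everyone else 'low'. Employees with a zero score are
    never promoted above 'low' even if the fractions would reach them."""
    ranked = sorted(scores, key=lambda user: scores[user], reverse=True)
    n_high = max(1, round(len(ranked) * high_fraction))
    n_medium = round(len(ranked) * medium_fraction)
    tiers = {}
    for position, user in enumerate(ranked):
        if scores[user] <= 0:
            tiers[user] = "low"
        elif position < n_high:
            tiers[user] = "high"
        elif position < n_high + n_medium:
            tiers[user] = "medium"
        else:
            tiers[user] = "low"
    return tiers


def assign_policies(tiers):
    """Map each employee to the adaptive policy for their tier."""
    return {user: dict(POLICIES[tier]) for user, tier in tiers.items()}


def risk_concentration(scores, tiers, tier):
    """Share of the organization's total risk score carried by one tier;
    shows how unevenly risk is distributed across the workforce."""
    total = sum(scores.values())
    if total == 0:
        return 0.0
    return sum(scores[user] for user, t in tiers.items() if t == tier) / total


if __name__ == "__main__":
    scores = score_all(EMPLOYEE_EVENTS)
    tiers = tier_employees(scores)
    print(f"baseline mean risk score: {baseline(scores):.2f}")
    for user, policy in assign_policies(tiers).items():
        print(user, tiers[user], scores[user], policy)
    print(f"share of total risk in high tier: {risk_concentration(scores, tiers, 'high'):.0%}")
```

In practice the event counts would come from email security, endpoint and DLP telemetry rather than a hard-coded dictionary, and the tier fractions should be tuned to the organization's own distribution; the structure stays the same.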
Also, be sure to fully leverage the tools in your security arsenal and take advantage of new technologies such as web isolation and Zero Trust Network Access. We see a lot of shelfware. Yes, you bought it — but have you implemented it? A lot of organizations invest in tools but don’t have the right resources to deploy them. Before you make the next technology investment, leverage what you have and, if you don’t have the staff, engage with your technology partners, such as Broadcom, to help you.