At the end of April we published a couple of pieces of content focused on rogue employees, a security threat facing nearly every company. Rogue employees are fully vetted users inside your company who probably have no malicious intent, but end up causing harm regardless, for reasons ranging from laziness to oversights to hoarding access.
I stumbled upon an article from earlier this year that reminded me of one specific type of rogue employee - The Lazy. The article, titled Don’t Be The Weakest Link in Your Company’s Cyber Security Plan, was written by Richard La Bella for The Huffington Post.
La Bella starts his article by talking about home security:
“The other night, after falling asleep and waking up the next morning, I realized I didn't lock the front door to my home. I have locks on the doors, the windows, an alarm system, hurricane shatterproof windows, and two small dogs with a high-pitch bark that could wake the dead; but all that protection won't do me any good if I forget to lock the front door.”
He goes on to draw a great analogy between home security and cyber security:
“Even though I have all those layers of security to protect my home, if I don't lock the front door then it's all meaningless and I increase my risk to my family -- what I'm trying to protect. The same holds true for us in business every day, only the front door isn't always physical. It is digital too. Our computers, smartphones and tablets lead directly to our company's front door, providing access to anyone who can get in.”
So if we continue with this home security analogy, what is the cyber security version of the front door?
I think you would have to say access. After all, the front door is how a burglar gets into your home to reach the valuable possessions he wants to steal. For us in the cyber security world, the identity and access management (IAM) technology used to get into a system is the front door you must first get through in order to reach anything really valuable. While more attention is paid to technologies like firewalls, network monitoring and anti-malware, IAM technology is really the lock on your front door, and we feel it should be viewed as much of a necessity as the deadbolt on that door.
This is where our Lazy rogue employee comes into play. As our earlier rogue employee content explained, the Lazy brings a high degree of sloppiness and low degree of attention to his compliance with IT policies. Sounds a lot like someone who could ‘forget’ to lock the front door, doesn’t it?
A note on your bedside nightstand might be an effective reminder to lock your front door every night, but IAM technology can do better than remind the Lazy employee: it can lock the door for him.
But what can you do beyond implementing IAM technology?
It’s important to remember that you can’t rely on a Lazy rogue employee to follow policy on their own. That’s precisely what makes them Lazy. IAM policies should govern the employee so as to minimize, if not eliminate, the risk associated with their Lazy tendencies.
For example, ensure that privileged access is granted only to the right person, to the right resources, for only the necessary time period. When someone needs escalated privileges, they must request them, and someone other than the requester must approve. If approved, the privileges are provisioned automatically. With time-based access expiration, those privileges are automatically revoked and de-provisioned once the employee has had sufficient time to complete the task, and the expiry should be enforced at the moment access is checked, not only by a cleanup job that runs later, so that a grant that has lapsed confers nothing in the meantime.
If you have governance such as that in place, then even if the user “leaves the front door unlocked” some night, the house is empty. There is nothing to steal. There are no standing privileges for an attacker to take advantage of.
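To make the request, approve, provision, expire and de-provision flow concrete, here is an added example in Python. It is not code from the original post or from any IAM product; the class and function names, the four-hour policy cap, the users and resource, and the timeline are all hypothetical. It models a grant store in memory, clamps the requested lifetime to the policy maximum, refuses self-approval, fails closed when an expired grant is presented at an access check, and runs a sweep that de-provisions anything still left over.

```python
# Added example (not from the original post or any vendor): a minimal
# just-in-time (JIT) privileged-access model. Names, limits and the
# sample timeline are hypothetical and constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple


@dataclass
class Grant:
    user: str
    resource: str
    role: str
    approved_by: str
    expires_at: datetime


class JitAccessStore:
    """In-memory stand-in for the grant table an IAM system would keep."""

    def __init__(self, max_ttl: timedelta = timedelta(hours=4)) -> None:
        self.max_ttl = max_ttl  # policy cap; the requester does not get to choose it
        self._grants: Dict[Tuple[str, str], Grant] = {}
        self.audit: List[str] = []

    def request(self, user: str, resource: str, role: str,
                requested_ttl: timedelta, approver: str, now: datetime) -> Grant:
        """Approve and provision a grant. Raises if the requester approves themself."""
        if approver == user:
            raise PermissionError("requester cannot approve their own request")
        ttl = min(requested_ttl, self.max_ttl)  # never trust the asked-for lifetime
        grant = Grant(user, resource, role, approver, now + ttl)
        self._grants[(user, resource)] = grant
        self.audit.append(f"{now.isoformat()} GRANT {user} {role}@{resource} "
                          f"by {approver} until {grant.expires_at.isoformat()}")
        return grant

    def is_authorized(self, user: str, resource: str, role: str, now: datetime) -> bool:
        """Access check: an expired grant is refused and revoked even if no sweep ran."""
        grant = self._grants.get((user, resource))
        if grant is None or grant.role != role:
            return False
        if now >= grant.expires_at:
            self._revoke((user, resource), now, "expired at check")
            return False
        return True

    def sweep(self, now: datetime) -> int:
        """Scheduled de-provisioning; returns how many stale grants were removed."""
        stale = [key for key, g in self._grants.items() if now >= g.expires_at]
        for key in stale:
            self._revoke(key, now, "expired at sweep")
        return len(stale)

    def active_count(self) -> int:
        return len(self._grants)

    def _revoke(self, key: Tuple[str, str], now: datetime, reason: str) -> None:
        grant = self._grants.pop(key)
        self.audit.append(f"{now.isoformat()} REVOKE {grant.user} "
                          f"{grant.role}@{grant.resource} ({reason})")


# Constructed timeline: alice asks for 8 hours, policy caps it at 4;
# carol asks for 1 hour. Both approved by bob at 09:00 UTC.
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


def demo() -> dict:
    store = JitAccessStore(max_ttl=timedelta(hours=4))
    store.request("alice", "prod-db", "dba", timedelta(hours=8), "bob", T0)
    store.request("carol", "prod-db", "dba", timedelta(hours=1), "bob", T0)
    return {
        "alice_at_3h": store.is_authorized("alice", "prod-db", "dba", T0 + timedelta(hours=3)),
        "alice_at_4h": store.is_authorized("alice", "prod-db", "dba", T0 + timedelta(hours=4)),
        "swept_at_5h": store.sweep(T0 + timedelta(hours=5)),  # only carol's grant is left
        "left": store.active_count(),
        "audit": store.audit,
    }


def self_approval_rejected() -> bool:
    """True if the store refuses a request whose approver is the requester."""
    try:
        JitAccessStore().request("dave", "prod-db", "dba", timedelta(hours=1), "dave", T0)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    for line in demo()["audit"]:
        print(line)
```

The point of checking expiry inside is_authorized rather than relying on the sweep alone is the one the analogy is making: if the only thing standing between an attacker and a stale grant is a cleanup job that has not run yet, the door is unlocked for exactly that window.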
I should also note that it isn’t just the employees and users you’re managing who can become a Lazy. There are Lazy IT admins out there as well, and they are an even greater risk than a Lazy employee. As an IT admin, that’s something entirely within your power to change.
To learn more about The Lazy and all the rogue employees, read our eBook, The Three Types of Rogue Employees - And How To Stop Them.