Last week, Steven Norton published a blog post to The Wall Street Journal’s CIO Journal about increases in ‘next-gen’ security spending. It was a good post highlighting something that I think most people are aware of - enterprise security threats are very real and more and more enterprises are putting technologies and processes in place to prevent them.
One survey cited in the article, conducted by brokerage firm Piper Jaffray, found security to be the top spending priority for CIOs for the second straight year. It also found that 75% of respondents, all of whom were CIOs, planned to increase security spending in 2015, with 88% saying network security was their top priority.
That last stat really caught my eye: eighty eight percent of the CIO respondents said network security was their top priority. And most of the rest of Norton’s post focused on technologies like next-generation firewalls, cloud monitoring software, security analytics, and intrusion detection and prevention solutions. Those are all the sexy security technologies, the ones that are always talked about when there’s a big hack that affects general consumers. They’re also the technologies that are generally used to prevent external attacks coming from sources outside your organization.
However, they aren’t the only security solutions an enterprise should implement, and they aren’t even the only solutions protecting your network that you should be aware of.
A significant security vulnerability overlooked by many, including Norton in his post, is the internal threat. Yes, I’m talking about your employees, and ex-employees. Many of the biggest attacks don’t come from external hackers, but originate from inside the enterprise, from fully authenticated users who shouldn’t have had certain levels of access. And these “rogue employees” don’t always have malicious intent, sometimes they’re dedicated employees who mistakenly committed an oversight.
One of the first steps of effective network security is protecting your data from potential internal vulnerabilities. Often this takes the form of an authentication process - username/password; however, it should go further than that and focus not simply on having that authentication wall in place, but actively managing the access all employees have - expanding access when needed and removing it when it’s not needed.
Identity and access management isn’t sexy like the more externally-focused technologies I mentioned earlier, but it’s important and needs to be considered. I would’ve liked to see Norton expand on this type of technology in his article (to be fair, one of the customers Norton spoke with did mention recently purchasing access management software), even if it was only a paragraph.
Internal threats merit just as much discussion as external ones, and if we’re being truthful, you’re probably more at risk of internal threats than external ones. Not every company has foreign governments, deep pocketed competitors or hacktivist groups targeting them. Every company does have employees who are prone to making human mistakes.