Many articles and papers discuss the security concerns that companies face in their environments. They tend to be very similar and contain nearly the same pointers: inventory and device management, shrink-wrap (off-the-shelf) software issues, phishing and social engineering are almost always mentioned. People who work in security see these lists so often that they tend to skim past them in favor of information that can be put into graphs and displayed clearly.
What Experts Tell You To Be Worried About
There are many risk and security management organizations, such as ISACA, ISC, CSA, OWASP and EC Council, that study and write about threats to security in the workplace. For example, the SysAdmin, Audit, Network and Security Institute (SANS for short) maintains a record of everything from security risks and vulnerabilities to the controls that address them. Some of the control areas SANS emphasizes in its account of threats to security include:
- Inventory management of hardware and software assets
- Ongoing control over hardware and software configurations
- Proper installation and use of security software
- Regular monitoring and testing of security
- Control over administrative accounts and the privileges granted to them
The Most Important Problems of Them All
Two risks take priority over the regular culprits (phishing, social engineering, poor coding practices in third-party applications, weak access controls and even physical security). They are insider threats and the threat an employee or manager creates when making an executive decision that is shorter and simpler but considerably riskier.
Insider Threats
Insider threats are usually employees who are unhappy, perhaps with a new policy, an action taken against them, or some form of office politics. A threat to the company does not have to involve hacking software. An employee is a valuable asset and a large liability at the same time: the inside knowledge that can only be gained by working at the company is threat enough. Trade secrets can be shared with the competition for money, for revenge, or for some other reason. An employee can also fall victim to social engineering and unknowingly become a threat to their own company; this is hard to control because the employee is not aware that it is happening. A third case is an ex-employee who retains a lot of potentially harmful information about the company and can share it with whomever they please. Another instance of an insider threat is hiring an employee who was a threat right from the beginning.
Senior Leadership
Senior leadership can create threats to security unknowingly as well, usually for the sake of expediency or economics. Warnings presented by the security staff are ignored in favor of a route that is easier and more convenient, and a single mistake of this kind can be big enough to bring an entire organization down. It is not that the upper management team does not understand the importance of security programs; the reality is that they often ignore the threats because conducting quick business takes precedence over security. Everyone in the company should be held accountable for their assessment of threats to the enterprise. Shortcuts will be approved because they are cost-effective and less time-consuming, but each employee should take ownership of, and responsibility for, the threat those shortcuts could present to the company.
- Many threats to a company's security are routinely mentioned, such as phishing, social engineering, poor coding practices in third-party applications, weak access controls and even physical security
- The two most important threats that an organization needs to consider are insider threats and senior leadership
- Insider threats can be existing or ex-employees who have access to a company's vital information
- Members of upper management and people in positions of senior leadership often take executive decisions that are more cost-effective but present a threat to security. Even when the security team warns them, the warnings are often ignored because of the convenience of the shortcut