Seven Deadly Sins of Corporate Cybersecurity

The most of employees have at least once violated corporate information security. In the most of cases there were intended violations aimed on making the company harm. Sometimes gaming a system is necessary just to get a job done. This effect could be seen when CISO or CTO blocks work of the whole departments because of too severe restrictions. CISO, CTO and HR should pay attention to such cases not to “punish the guilty ones”, but to make information security policies more flexible and providing maximum effectiveness of business units work.

In the recent research published by One Identity 92% of survey participants told that employees are trying to get access to the information that they don’t need to complete their daily work. Furthermore, top-managers make unauthorized access efforts much more frequently than average executives. Let’s make an overview of the main reason why do the employees violate corporate information security policy.

Pride
Corporate policies and objectives may not match with employees’ personal ambitions. Especially when IT and Infosec services are perceived as just some service departments, which don’t provide the company’s growth. In such cases, employees often explain their ignorance and efforts of unauthorized access as something made for the company’s success.
On the other hand, there are some cases when sysadmin begins to work on “God’s mode”, making performing employees’ duties almost impossible without breaking rules.

Greed
Today information means money. Sometimes it is a very big money. Average executive may yield to temptation to sell clients’ base. At the same time, insiders at the top level may cause more significant damage.

Envy
Why does the guy sitting at the next desk have access to sensitive information and rights to apps download? Someone will just consider it as prejudice.

Wrath
Offended employee may become a real troublemaker for the company.  It is not unusual when the fired employee takes away some important information with his personal stuff or changes passwords for some web services and “forgets” to hand them to manager.

Lust
Porn sites remain one of the sources of infection for devices. If the adult website suggests installing a video player update, it is likely a trojan. And dating services are still a popular phishing and scam channel.
 
Gluttony
In 21 century gluttony sin transformed from willing to eat as much as possible into desire to consume haute cuisine in luxurious interiors. Food services industry substantially contributes to it and modern gadgets permit to combine work with eating. Free Wi Fi, which have the most of food venues, makes this process easy and comfortable. Everybody knows that users’ data in such networks could be available to the third parties. But they continue connecting to them.

Sloth
It seems to be the main security sin of modern user. Too lazy to create difficult password. Too lazy to create and remember different passwords for services. Too lazy to turn on two-step authentication and shut down inactive sessions. Sorry, we have warned you.

Of course, we gave a quite simplified information. Causes and reasons of access policy may change and combine. Under impact of different factors different scenarios with different criticality levels are generated. The main conclusion we can make is that identity and access management is a dynamic process, which should be continuously managed. Effective identity and access management solves not only the problems of information security, but also general business effectiveness. This means that it should involve not only IT and infosec specialists, but also HR, operations managers and top managers.