Companies need to think about educating users about security, the threats and the risks alongside traditional data-leak protection.
CANCUN, MEXICO Companies
invest in security to protect their networks and data. But sometimes, they are
not thinking about the human side of the security equation, Kaspersky Lab
researchers told attendees at the company's security conference.
The Humans are the weakest
link presentation on the second day of the Kaspersky Lab Security Analyst
Summit focused on protecting organizations from costly and devastating breaches
that are often the result of user ignorance. Companies are implementing
data-leak-prevention technologies without really considering how users should
be integrated into the process. User awareness was critical, Valery Boronin,
research director of the Data Loss Prevention (DLP) group at Kaspersky Lab,
When customers evaluate data-leak-prevention
technologies for their enterprises, they are looking for something that is easy
to use, convenient, reliable and cheap, Boronin said. Instead, they wind up
with platforms that are complicated, unreliable, expensive and inconvenient. He
cited a Gartner report that found that organizations have difficulty
understanding all the DLP options they have access to and wind up using a
limited subset of available options.
Instead of data-leak prevention,
organizations actually wind up with data luxury protection, Boronin said.
Even after deploying the
most powerful DLP, encryption and other security technologies and hiring
security experts, if the end-users don't understand the threats or know the
rules, all the money spent is wasted, according to Boronin. Security should be
a process and not just a product, according to Boronin and Vera Trubacheva, a
system analyst in the DLP group at Kaspersky Lab and co-presenter.
End-users often do not know
about information security policies, the threats they are protecting against
and the mitigation technologies being deployed within the enterprise, according
to Boronin. Recent surveys back him up, as users reported not being aware
whether their organizations had any data-security policies, let alone what they
were. Users are often the primary target in cyber-attacks, such as phishing and
malware campaigns, and the attackers are succeeding because the users don't
understand the threats or the risks, according to Boronin.
In a mock trial Kaspersky
Lab vs. DLP 1.0, Boronin and Trubacheva discussed how leaving out user
awareness meant DLP alone was inadequate for protecting data within an
The weakest link in
security is not the technology, but rather, the human, Trubacheva said. She
noted that users tend to select simple passwords, or select complex passwords
that they proceed to write on a note taped to the monitor.
Users need to be taught
security basics, the policies and rules being implemented that they have to
follow, and how they should respond when something goes wrong, Trubacheva said.
The organization needs to be collecting information on what happened before and
after the breach; that way they can make sure users are responding
Recent surveys from the
Ponemon Institute have shown how expensive data breaches are to the
organization. A lost notebook can cost an enterprise more than $50,000,
according to the research group. The costs would have been dramatically reduced
if the users had been taught to work with the appropriate tools and informed of
policies, Trubacheva said.