Sometimes the greatest vulnerabilities and risks an organization faces are created by users' non-compliance with the very security policies designed to protect it. These aren’t necessarily malicious events, but they can nevertheless result in data breaches, malware infections, and other serious problems that increase an enterprise's exposure and risk and degrade its security posture.
Policy Violations Cause Real Harm
One of the most egregious examples of a policy violation that resulted in a breach occurred against the U.S. Department of Defense (DoD). With a clear policy in place requiring that no unauthorized devices be connected to the internal network, a DoD employee found a USB flash drive in the office parking lot and subsequently inserted it into a laptop on the network. The malware on the flash drive spread undetected throughout the DoD network, ultimately exposing classified and unclassified information and resulting in the formation of the U.S. Cyber Command.
Shift Towards a Remote Workforce
For cyber security leaders and teams, the problem of lack of compliance with policies has become even more of a challenge with the widespread work-from-home initiatives underway at so many organizations because of the coronavirus pandemic.
Even in typical times, when most employees work from company offices using either company-owned devices or their own, less secure devices, policy violations have been fairly common and have been going on for some time. They happen when users take shortcuts on security to simplify the steps needed to complete a task or project.
Examples of this might include unintentional deployments of rogue secure sockets layer (SSL) certificates, where an employee might not even be aware of the action; the use of unauthorized proxy servers and services; deployment of DNS hijacking/tunneling software; and switching off antivirus software.
The problem of policy non-compliance has been exacerbated as many workers, including IT staffers, have been forced to work from home during the pandemic.
Global Workplace Analytics (GWA), an authority on work-at-home strategies, estimates that 56% of the U.S. workforce holds a job that is compatible with remote work and predicts that the longer people are required to work at home the greater adoption of the strategy will be.
GWA predicts that at least 25% of the U.S. workforce will be working at home multiple days a week by the end of 2021, because of increased demand for work-from-home from employees, reduced fear about work-from-home among managers and executives, increased awareness of cost-saving opportunities, and other reasons.
A lot of organizations were not prepared – from an infrastructure and policy perspective – to provide full services and connectivity for all the home-based users via virtual private networks (VPNs).
The rapid shift in work processes necessitated adjustments, but in many cases, there was simply not enough time to do this or not enough budget to pay for the needed changes.
These factors on their own either forced a relaxation of established cyber security policies or led to more frustration among remote workers, because the policies in place made completing tasks more cumbersome. This has made some users more willing to accept policy-exception workarounds.
Detecting Critical Non-Compliance
A few examples recently detected by Stamus Networks during customer evaluations show how users violate policies in practice. In one case, the company did not allow the use of a specific cloud service, yet one of its managers installed and used that service. In other words, the very people who advocated for and enforced the security policy were circumventing it.
In another example, a group from the IT DevOps department was using an unauthorized proxy to bypass the company proxy gateway so it could download applications and installers without restriction. In doing so, the team also bypassed the service ticket requests required to authorize software installations.
Both of these policy violations allowed users to circumvent security controls, which increases the organization’s exposure to attack.
In many cases, a security team that detects a compliance violation can take preventive measures against both known and unknown threats. In other cases, the violation is detected only after the damage is done, and it is too late to prevent anything.
Proactively Mitigating Risk
To address the problem of compliance violations, organizations need to deploy technology that provides advanced network detection and response, to expose threats to critical assets and enable rapid response in order to mitigate risk.
This includes capturing event data from intrusion detection systems (IDS), performing real-time network traffic analysis, and delivering organizational context into an analytics engine to create a comprehensive network-based threat-hunting solution.
The only way to determine whether policies are being complied with is to have comprehensive visibility and insight into the organization’s security posture, and this can be provided with the right tools. If security analysts can quickly detect, investigate, and respond to threats, the damage from policy compliance violations can be minimized if not eliminated.
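The visibility described above has to be turned into concrete checks. As an added illustration (not Stamus Networks' code), the following script runs the three policy violations this post names, an unauthorized proxy, DNS tunnelling, and a rogue certificate on an internal service, against IDS event records in the Suricata EVE JSON shape. The policy baseline (approved gateway, resolvers, CA, internal address range) and the sample records are constructed for the example.

```python
import json
import math
from collections import Counter

# Hypothetical policy baseline for this example: sanctioned proxy gateway,
# internal resolvers, the corporate CA, and what counts as "inside" address space.
APPROVED_PROXIES = {"10.0.0.5:3128"}
APPROVED_RESOLVERS = {"10.0.0.53"}
APPROVED_TLS_ISSUERS = {"CN=Corp Internal CA"}
INTERNAL_NETS = ("10.",)

def _entropy(s):
    # Shannon entropy in bits per character; random-looking labels score high
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def check_event(ev):
    """Return (rule, detail) if one EVE record breaks the baseline, else None."""
    dst = f'{ev.get("dest_ip")}:{ev.get("dest_port")}'
    kind = ev.get("event_type")
    if kind == "http":
        http = ev["http"]
        # CONNECT or absolute-URI requests are proxy-style; only the gateway may see them
        proxy_style = http.get("http_method") == "CONNECT" or http.get("url", "").startswith("http")
        if proxy_style and dst not in APPROVED_PROXIES:
            return ("unauthorized_proxy", f'{ev["src_ip"]} -> {dst}')
    elif kind == "dns" and ev["dns"].get("type") == "query":
        name = ev["dns"]["rrname"]
        if ev["dest_ip"] not in APPROVED_RESOLVERS:
            return ("unapproved_resolver", f'{ev["src_ip"]} -> {dst} ({name})')
        label = name.split(".")[0]
        # long, high-entropy leftmost labels are the usual shape of DNS tunnelling
        if len(label) > 30 and _entropy(label) > 3.5:
            return ("dns_tunneling_suspect", f'{ev["src_ip"]} {name}')
    elif kind == "tls":
        issuer = ev["tls"].get("issuerdn", "")
        # an internal service presenting a certificate from outside the corporate CA
        if ev["dest_ip"].startswith(INTERNAL_NETS) and issuer not in APPROVED_TLS_ISSUERS:
            return ("rogue_certificate", f"{dst} issued by {issuer!r}")
    return None

def scan(lines):
    """Parse EVE JSON lines and return every (rule, detail) finding, in order."""
    return [f for f in (check_event(json.loads(l)) for l in lines) if f]

SAMPLE_EVE = [  # constructed records in Suricata EVE JSON shape, not real captures
    '{"event_type":"http","src_ip":"10.1.2.3","dest_ip":"203.0.113.9","dest_port":8080,"http":{"http_method":"CONNECT","hostname":"dl.example"}}',
    '{"event_type":"http","src_ip":"10.1.2.3","dest_ip":"10.0.0.5","dest_port":3128,"http":{"http_method":"CONNECT","hostname":"dl.example"}}',
    '{"event_type":"dns","src_ip":"10.1.2.4","dest_ip":"10.0.0.53","dest_port":53,"dns":{"type":"query","rrname":"a8f3k2j9x1q7w5e0r4t6y2u8i1o3p5z9.tunnel.example"}}',
    '{"event_type":"dns","src_ip":"10.1.2.4","dest_ip":"10.0.0.53","dest_port":53,"dns":{"type":"query","rrname":"intranet.corp.example"}}',
    '{"event_type":"dns","src_ip":"10.1.2.5","dest_ip":"8.8.8.8","dest_port":53,"dns":{"type":"query","rrname":"intranet.corp.example"}}',
    '{"event_type":"tls","src_ip":"10.1.2.6","dest_ip":"10.0.0.20","dest_port":443,"tls":{"issuerdn":"CN=Self-Signed Dev"}}',
    '{"event_type":"tls","src_ip":"10.1.2.6","dest_ip":"10.0.0.21","dest_port":443,"tls":{"issuerdn":"CN=Corp Internal CA"}}',
]
```

Running `scan(SAMPLE_EVE)` yields four findings; the thresholds and baseline sets are the organizational context the post refers to, and they are what an analyst tunes per environment.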
Cyber security has taken on an even more vital role with the latest shifts in business. Consulting firm McKinsey & Co. in a July 2020 report notes that as companies extend commitments to remote workforces, cyber security teams need to address new risks while helping create business value.
The digital response to the pandemic has created new security vulnerabilities, the firm says. “Attackers seek to exploit the gaps opened when telecommuting employees use insecure devices and networks,” it says.
CISOs and other information security leaders and teams will need to approach the “next horizon of business” with a dual mindset, McKinsey notes. They first need to address the new risks arising from the shift to a remote digital working environment, and they also need to anticipate how their workforce, customers, supply chain, channel partners, and sector peers will work together so they can provide effective security.
“The pandemic response has underscored the vital role that security plays in enabling remote operations, both during and after a crisis,” the report says. “As companies reimagine their processes and redesign architecture amid the [pandemic] response, cyber security teams are being perceived anew. They must no longer be seen as a barrier to growth but rather become recognized as strategic partners in technology and business decision making.”