The Three Human Failures Behind Remote Access Shortcomings

Wednesday, November 26, 2014

Patrick Oliver Graf


Whenever news of a network security breach reaches the public airwaves, observers are quick to assign blame to some combination of technological shortcomings and human error that allowed an attacker to slip through the victim’s cyber defenses.

When it comes to remote access in particular, network security is even more dependent on technology like VPNs, and employees who do their part and follow company protocol. Unfortunately, network administrators often find themselves in a position where, due to human imperfection, remote access technology is the constant that protects their network.

Here are the three types of people who are guilty of common, understandable human errors that network administrators need to have on their radar, and try to protect against, as they build a network security infrastructure:

  1. The Strained IT Pro

Information security professionals are modern-day gladiators, fighting back against complex network security threats, internal and external, as quickly as they form. Yet, as a Ponemon Institute study revealed earlier this year, many IT departments are overburdened as they try to defend against all of these threats at once.

The problem is actually two-fold: a dearth of talent to fill positions (according to the study, 70 percent of the organizations say they do not have sufficient IT security staff) and turnover in security positions that can be filled (CISOs leave their positions, on average, after 2.5 years). The result is that IT departments, despite their best efforts, cannot defend against every attack particularly as cyberattackers diversify and expand their efforts in the coming years.

  1. The Oblivious Employee

For companies that lack a consistent frontline defense by their IT staff, employees are next in line to defend against network security threats. They’re tasked with following remote access policies, the most common of which often include proper VPN use and safe data management practices. Yet, even the very basics of secure remote access are often a problem for employees – 44 percent of respondents to an Imation survey said that company information they remove from their office isn’t encrypted.

Those weren’t the only network security faux pas employees fessed up to. Just under half said they still used a USB stick to transfer information – especially dangerous in light of threats like the “BadUSB” exploit – while about the same number said they used their own mobile devices for remote access, instead of those supplied by the company.

These employees are right to be criticized, although the blame doesn’t always rest solely with them. As Imation’s Nick Banks said, “A lot of companies don’t have a remote working policy [while others] break the policy without knowing it exists.” Every company needs a remote work policy, not just those in which data is generally considered to be most at risk – financial services, healthcare and the public sector.

  1. The Fatigued Stakeholder

The third obstacle impacting IT departments and employees as well as the general public is a creeping feeling of what Ponemon has dubbed “breach fatigue.” While conventional wisdom may dictate, and network administrators may think, that digital consumers have grown even more risk averse in how they manage digital information, the opposite actually appears to be true.

This current state of “breach fatigue” means that consumers have become so overwhelmed by the recent onslaught of data breaches involving their favorite institutions that the news is no longer attention grabbing or behavior altering. Only 14 percent of those polled by Ponemon said they would interact differently with an institution they do business with if it were to report a data breach.

Defense In-Depth Reduces Human Error

This all brings us back to the importance of strong remote access technology and a comprehensive, defense in-depth approach to network security. When IT staff and employees do fall short – and they will from time to time – it’s this multi-layered, redundant approach to network security, which includes technologies like firewalls, VPNs and intrusion detection systems all working together that will keep a company’s digital secrets safe.

This was cross-posted from the VPN HAUS blog.

Budgets Enterprise Security Policy Security Awareness Security Training Breaches CVE DB Vulns US-CERT
Post Rating I Like this!
avelin injector
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.

Most Liked