by Jeanne Zepp
The Gartner Glossary defines information technology (IT) governance as “the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals.” Today, organizations face many challenges in aligning IT resources and mission accomplishment. No challenge is greater than keeping the enterprise network secure from outside and internal threats.
Network breaches can prevent an enterprise from conducting business for days, months or longer, and they can create a series of expensive problems, especially regarding disclosure of proprietary data and personal identifiable information. Recovering from a breach involves financial, reputational and other harms that can persist for years. Mission accomplishment can be severely impaired throughout.
Gartner predicts that organizations will spend $187 billion on information security in 2023, up 11 percent over 2022 levels. It goes on to state that “effective enterprise cybersecurity requires deep technical, business and strategy expertise.” At the same time, Verizon’s 2022 Data Breach Investigations Report (DBIR) identifies four primary ways of breaching networks: credential theft, phishing emails, network weaknesses (e.g., misconfigured cloud storage) and botnets. It reports that the “human element” was at play in 82 percent of the breaches evaluated.
Individual organizations can thus expend untold millions on IT and information security, but the human factor can be the undoing of even the most sophisticated – and expensive – tools and technology acquired within the most rigorous governance framework. Two illustrations follow.
Individual organizations can expend untold millions on IT, but the human factor can be the undoing of even the most sophisticated – and expensive – tools and technology acquired within the most rigorous governance framework.
Credential theft plays a prominent role in security breaches (over 40 percent in the 2022 DBIR). Users are often tricked into revealing their credentials via phishing emails (discussed later), while bots employ credential stuffing, a process wherein cybercriminals purchase stolen credentials, often over the Dark Web, then deploy bots to test these credentials across multiple sites. As noted in an earlier Electroblog, users tend to use the same passwords for corporate and personal accounts, select passwords from just 20 categories and fail to update their passwords even when alerted to a possible compromise.
Some organizations still rely solely on a username/password combination to authenticate identity for purposes of logon or otherwise gaining system access. This practice is a huge IT governance mistake, especially for company resources accessible through the public internet.
Implementing mandatory multifactor authentication (MFA) for all users is an effective countermeasure. With MFA, the user must present two or more factors to authenticate identity to gain access to the system or cloud-based services such as email or SharePoint. The username/password combination usually is one factor; the other factor(s) can be something the user knows (e.g., a PIN or security answer response), has (e.g., a smartphone) or is (a biometric, such as a fingerprint). One-time passwords also are popular. These randomly generated four- to eight-digit codes are sent to the user’s email or phone for input on the site where access is sought.
Other forms of MFA include location-based authentication, which relies on IP address or geolocation, and adaptive authentication, which validates user identity based on behavioral/contextual factors and risk assignment.
MFA implementation must be accompanied by user training on the rationale prompting its use. Many find the addition of one or more new logon steps frustrating. Promoting understanding is the best way to ease adoption. This training also should emphasize regular password updates, if not already required by the system.
Many system users are naïve to the ploys phishing emails use. One 2017 article put this number at a startling 97 percent of people worldwide. Further, it reports that one in 25 phishing email recipients will click on the links/attachments to such emails. Similarly, the 2022 DBIR traced nearly 20 percent of breaches to phishing.
Email is the primary business communication tool because it is fast, inexpensive and versatile. For the same reasons, cybercriminals also use email in phishing schemes. Organizations must focus on ways to thwart its use in unauthorized network entry.
Email is the primary business communication tool because it is fast, inexpensive and versatile. For the same reasons, cybercriminals also use email in phishing schemes.
As a first line of defense, enterprises must configure their email settings to stop the delivery of phishing emails from external and spoofed accounts. Of course, enterprises must balance business communication needs with cybersecurity requirements. Four standards provide guidance in this regard: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), Domain-based Message Authentication Reporting and Conformance (DMARC) and Mail Transfer Agent–Strict Transport Security (MTA-STS). Each comes with positive and negative attributes on email transit and receipt.
Organizations also must address user naivety through regular, ongoing user training. The curriculum should address the organization’s security policies as well as warn against phishing emails, unsafe browsing, downloading applications, connecting non-work devices to the network and using unsecured home networks. Regarding phishing emails, it’s important to teach users to check whether
Beyond ongoing training, organizations need to reinforce learning by intermittently sending users “test” emails that incorporate the above features.
• • •
Traditional understanding of IT governance focuses on aligning IT investments with mission objectives and deriving maximum value from efficient use of those investments. Important aspects include processes, structures, strategies and the like. As concern over information security deepens, it seems time for IT governance to place greater weight on the human element in its effectiveness and efficiency decisions.