Top Ten Data Threats and How to Guard Against Them: Human Error
Here at Futurex, we know a thing or two about data security. Most importantly, we understand that critical data is at the heart of any organization and protecting these assets from being compromised is essential. 2016 will bring new data threats to companies and businesses, and Futurex wants to help protect the health of your organization. Over the coming months we will present our own list of Top Ten Data Threats across the Globe and will offer solutions for organizations looking to bolster their data security infrastructure.
Number one on our list of data threats: employee error. In 2015 alone, the United States has exceeded 650 identity breaches, exposing over 175 million personal records, including Social Security numbers, credit/debit card numbers, e-mail credentials, and Protected Health Information. Roughly a quarter of those breaches were caused by employee error, employee negligence, or internal theft.*
That’s right, humans are not perfect. Binary digits, data scripts, and physical hardware, seemingly un-human things, are subject to the mistakes and often deliberate sabotage caused by the people working with them. Human interaction with data security infrastructures and environments presents a very real threat to any organization.
Employee error can be traced back to two sources:
- Limited education and resources
- Privilege abuse
Most importantly, employees working directly with cryptographic devices, data networks, confidential information, and the like need to be properly trained on security best practices. Something as simple as a secure password can make the difference between smooth sailing and disaster. This type of human error is preventable with recurring training and support.
Intentional data threats are harder to predict. This post is not intended to answer the question of why employees choose to abuse privileged information; rather, it is meant to emphasize the importance of preparation and of distributing privileged information among key holders.
A multilayered authentication process protects organizations from excessive privileges for any one individual. Requiring unique login credentials from multiple individuals when accessing keys, certificates, and encrypted information helps protect against rogue users. An individual cannot gain access to confidential information on his or her own.
Protecting against excessive privilege is important, but so too is respecting the principle of least privilege. This principle helps define information channels and restricts access based on a user's job necessities. For example, employee John Doe is responsible for loading new keys into the Futurex KMES Series HSM, a key management server. The administrator can set limitations that allow John Doe only to load keys, removing the threat of malicious or unintentional key deletion.
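The two controls described above, multi-person authentication and least privilege, can be combined into one authorization check. The sketch below is an added illustration, not Futurex code or the KMES Series interface; the role names, operation names, and approver counts are assumptions.

```python
from dataclasses import dataclass

# Hypothetical role-to-operation map (least privilege); names are assumptions.
ROLE_PERMISSIONS = {
    "key_loader": {"load_key"},
    "key_admin": {"load_key", "delete_key", "export_key"},
    "auditor": {"view_log"},
}

# Hypothetical dual-control policy: distinct authorized users needed per operation.
REQUIRED_APPROVERS = {"load_key": 2, "delete_key": 2, "export_key": 2, "view_log": 1}


@dataclass(frozen=True)
class Session:
    user: str            # unique login identity
    role: str
    authenticated: bool  # True only after this user's own credentials were verified


def authorize(operation, sessions):
    """Return (allowed, reason) for an operation requested under the given sessions."""
    needed = REQUIRED_APPROVERS.get(operation)
    if needed is None:
        return False, f"unknown operation {operation!r}: denied by default"
    approvers = set()
    for s in sessions:
        if not s.authenticated:
            continue  # an unverified login never counts toward the quorum
        if operation in ROLE_PERMISSIONS.get(s.role, set()):
            approvers.add(s.user)  # a set: one user logging in twice counts once
    if len(approvers) < needed:
        return False, f"{len(approvers)} of {needed} authorized users present"
    return True, "approved by " + ", ".join(sorted(approvers))


if __name__ == "__main__":
    # Constructed sample sessions.
    john = Session("john.doe", "key_loader", True)
    jane = Session("jane.roe", "key_admin", True)
    for op, group in [("load_key", [john, jane]), ("delete_key", [john, jane]),
                      ("load_key", [john, john])]:
        print(op, [s.user for s in group], authorize(op, group))
```

John Doe can help load a key alongside a second authorized user, but his presence never counts toward a deletion, and no single login satisfies a two-person requirement by being repeated.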
As with the KMES Series, all Futurex cryptographic devices are engineered and designed with physical and logical security in mind. Devices come equipped with security measures that promote best practices across all platforms, such as multilayered authentication processes and the principle of least privilege. Our hardware devices are all equipped with a lock plate, accessible only with a unique set of barrel keys. Once the front cover locks are keyed shut with the two included barrel keys, it is not possible to open the unit without the correct keys or without destroying the case. Barrel keys are extremely difficult to duplicate, and both keys are required to remove the front cover of the unit and gain access. Futurex terms this type of metal, interlocking case a "Puzzle Box" design.
At the heart of all Futurex solutions is a FIPS 140-2 Level 3-validated cryptographic module. This cryptographic module performs all sensitive tasks within a tamper-responsive boundary that is instantly disabled and erased should any intrusion attempt occur or any out-of-bounds parameter be detected. Any attempt by an individual to physically infiltrate a Futurex device will cause the system to erase itself.
Education and distribution of privileged information are the two key factors in addressing this first global data threat, so make sure your organization heeds these factors well. For questions or advice regarding organizational education and careful distribution of privileged information, contact a Futurex Solutions Architect—and stay tuned for our next installment of Top Ten Data Threats across the Globe.
*Identity Theft Resource Center, statistics as of November 10th, 2015