Managing and mitigating IT risk behaviors; why it’s important
When discussing threats facing your IT and data infrastructure you first consider what’s external. Malware gangs, phishing schemes, and viral payloads are a handful of dangers security teams must take into consideration. However, it’s important to recognize another serious concern: internal threats.
Risk behavior is one of the primary dangers threatening to compromise even the safest IT infrastructure. But what is a risk behavior? Simply put, it’s a pattern or action performed by a staff member (or members) creating dangerous scenarios for the enterprise. A majority of the time it’s accidental or indirect. In other cases, some intend to harm an organization.
Scenario aside, recognizing risk behaviors is important for long-term security.
What are specific risk behaviors?
Again, a risk behavior in context of business environments is any action creating potential harm to said business. Specifically related to data sharing and internet-facing activities. Today, modern companies heavily rely on technology to accomplish work tasks. They also use the internet for a wide variety of functions. Therefore, staff within these industries use the same technology, like the internet, and that’s where risk adjacency begins.
For instance, risk behavior can lead to Shadow IT. When workers use non-business apps, programs, and websites they create blind spots. Business cybersecurity policies rely on insights and visibility; knowing all the programs involved with business functions. However, when users engage in risk behaviors they indirectly help cultivate Shadow IT.
Downloading programs or apps on a business device (or device used for enterprise activity) is an example of Shadow IT. The downloads were not authorized, and the apps can contain sensitive data. Combined with other risk behaviors like using the same password for business accounts, it creates a web of problems. If the device is compromised or one of the apps is breached, hackers have access to that information. Normally, login info is the first thing malicious actors seek. If said login data is the same info used for business accounts, hackers have an easy way to access a corporate network.
That is only one example of Shadow IT and risk behaviors. There are a myriad of unsafe habits threatening both personal and professional security standards.
Risk Behavior Examples
Let’s quickly look at specific IT-adjacent risk behaviors. And you never know, these could be happening in your business right now.
Shadow IT, Password Sharing
We briefly gave an example of Shadow IT and what it means. Password sharing is another characteristic of Shadow IT and dangerous for a network. Login redundancy means it’s easier to guess, brute force, or otherwise steal admin credentials. Sharing passwords also means staff are potentially accessing business resources they are not authorized for.
This is a characteristic of networks that are not properly segmented.
While it’s common and convenient to establish BYOD (bring your own device) policies, it’s a problem when staff members onboard devices that are not approved. The use of a personal laptop, for example, is convenient for the user. However, is it protected with anti-virus? Does it house sensitive files without proper encryption or backups? Does it interact with protected networks?
These are questions that are hard to answer if a device isn’t sanctioned by the enterprise. If you intend to onboard a BYOD policy, ensure you have proper guidelines established for users.
Mishandling of Files
Data is incredibly valuable today. Transfer and access to company info are fundamental to agile productivity. But because of that value, it’s a high-priority target for malicious actors. It also means an enterprise is especially vulnerable if access to their files is compromised.
It’s why another high-risk IT behavior involves the mishandling of files and data. Common instances involve saving, sharing, sending, and/or transferring files to personal storage. Whether that’s external media like a flash drive or cloud services such as Google, OneDrive, or Dropbox, the problem remains the same. High-value information is saved in external spaces not protected by business cybersecurity. If the user’s device is compromised, so is all the valuable info on it.
While sometimes useful for collaboration, it indirectly threatens data safety.
Reducing Risk Behaviors
Risk will always remain a characteristic of modern business ventures. Our reliance on technology for personal and professional tasks puts us in danger as much as it helps us. Therefore, risk management and risk behavior mitigation need to be approached with realistic expectations. It’s always there, and that’s okay. The key is reducing and addressing easily avoidable behaviors.
Every organization and enterprise is different. Therefore, creating policies matching your organization’s goals will yield the best results.
In our next article, we’ll break down the primary ways to both address and reduce IT-adjacent risk behaviors.