Modern businesses rely increasingly on SaaS applications to consume and share data, supporting critical decision-making, customer interactions and operational processes. That reliance on a sprawling SaaS estate also widens the threat landscape, which is characterised by sophisticated cyberattacks and evolving vulnerabilities. In this context, the role of individuals within an organisation has become pivotal to a resilient data security posture.
Our fireside chat with Susan Richards, VP of InfoSec at Tend, explored the profound impact that employees at all levels have on an organisation's data security posture. While technological safeguards such as firewalls and encryption remain essential, they are only part of the defence strategy. It's the human factor, with its capabilities and limitations, that often determines the success or failure of data security measures.
Here's what we learned:
During the conversation, Susan mentioned that she had recently been reading Verizon's 2023 Data Breach Investigations Report which revealed that 74% of the breaches they had investigated involved a human element.
"It's definitely not something that's going away," she said. "With all of the spend that we have on security tools, there's still so much that gets through the people. And so to use the term 'Human Firewall' - that resonates because these people really are that first line and the last line of defence."
And why is it that the numbers are so high? Susan explained that in the past, it was easier to control the perimeter of the corporate setting. But now, with more companies, including Tend, being built in the cloud, organisations can become overly reliant on cloud providers' security measures without taking full responsibility themselves.
To bridge the gap between the security team and the wider workforce, security professionals need to make themselves known within the company. When she joined Tend, Susan wanted to make a great first impression; rather than introducing herself as 'Susan Richards', she coined the name 'Sue-curity' which helped her engage with both the People team and the Marketing team who loved the idea of Susan using a memorable moniker.
Making herself a familiar face in the office and across different dentist studios was also key to engaging the team with data security issues. "I've made a point of visiting all the studios across DC and Boston. And I also try to personalise things," she says. In one of the emails she sent to the team, she referenced her daughter visiting Tend for a cleaning, and taking a selfie to show her mother that she was indeed in her workplace. "She didn't realise that her medical record was behind her. At first, I was reading it thinking, 'oh that's great,' and then I said, 'wait, before you send it anywhere, blur out the background.' I used that as a topic for my weekly email and people could relate to the idea that I'm imperfect too."
Rich noted that employee training is a frequent topic in the security world, but that empowering employees may be a better way to keep staff engaged with security concerns.
"When you're training someone, it's telling them what they need to do and giving them the textbook approach," he said. "However, empowering someone might be giving an employee the training, but then empowering them to go and train others or to keep training themselves in the future if another type of attack appears."
Susan agreed, and told us about how she revisits certain processes and tools to ensure the team is using them in the correct way. "We had installed a secure email system for outbound email and it was a matter of teaching people, 'here's how you use it.' It first came out in January, but we revisited it in March to say, 'if you're sending this type of email with a treatment plan on it, send it via the secure email system.' It was just a matter of repeating it."
Enabling employees to use the SaaS tools they need to get the job done is vital in a fast-growing business. But how can organisations manage their data security posture without getting in the way of employees doing their jobs?
"It's a difficult problem to solve," Susan explains. "There has to be balance. We make sure we don't have a lot of lateral movement that's available. It really is about taking that least privilege approach. You try to minimise that so that when somebody clicks that link, the damage is limited to a small subset of data and it's not the entire organisation in danger."
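Susan's point about least privilege limiting the damage when "somebody clicks that link" can be made concrete by measuring an account's blast radius: the set of records an attacker could reach if that account's session were hijacked. The following is an added illustration, not code from Tend or from the interview. The studios, roles, users and patient records are constructed sample data, and the permission model (a role scoped to a set of studios and a set of record kinds) is an assumption chosen to show the principle, not a description of any real system.

```python
"""Blast-radius review for a scoped, least-privilege access model.

Added example with constructed data; the roles and records are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    record_id: str
    studio: str
    kind: str  # e.g. "treatment_plan" or "billing"


@dataclass(frozen=True)
class Role:
    name: str
    studios: frozenset  # studio names this role may touch; "*" means all
    kinds: frozenset    # record kinds this role may read; "*" means all


@dataclass(frozen=True)
class User:
    username: str
    role: Role


# Constructed sample data: three studios, two record kinds each.
RECORDS = [
    Record("dc-1-treatment_plan", "dc-1", "treatment_plan"),
    Record("dc-1-billing", "dc-1", "billing"),
    Record("dc-2-treatment_plan", "dc-2", "treatment_plan"),
    Record("dc-2-billing", "dc-2", "billing"),
    Record("boston-1-treatment_plan", "boston-1", "treatment_plan"),
    Record("boston-1-billing", "boston-1", "billing"),
]

# A legacy "everything" role beside tightly scoped ones.
LEGACY_ADMIN = Role("legacy-admin", frozenset({"*"}), frozenset({"*"}))
HYGIENIST_DC1 = Role("hygienist", frozenset({"dc-1"}), frozenset({"treatment_plan"}))
BILLING_BOSTON = Role("billing-clerk", frozenset({"boston-1"}), frozenset({"billing"}))
REGIONAL_DC = Role("regional-manager", frozenset({"dc-1", "dc-2"}), frozenset({"*"}))

USERS = [
    User("alice", LEGACY_ADMIN),
    User("bob", HYGIENIST_DC1),
    User("carol", BILLING_BOSTON),
    User("dan", REGIONAL_DC),
]


def can_read(user: User, record: Record) -> bool:
    """Authorisation check: both the studio scope and the record kind must match."""
    role = user.role
    studio_ok = "*" in role.studios or record.studio in role.studios
    kind_ok = "*" in role.kinds or record.kind in role.kinds
    return studio_ok and kind_ok


def blast_radius(user: User, records=RECORDS) -> set:
    """Record ids an attacker could read after hijacking this user's session."""
    return {r.record_id for r in records if can_read(user, r)}


def blast_radius_ratio(user: User, records=RECORDS) -> float:
    """Fraction of all records reachable from this account."""
    return len(blast_radius(user, records)) / len(records)


def least_privilege_review(users, records=RECORDS, max_ratio: float = 0.5) -> list:
    """Usernames whose reach exceeds the tolerated fraction of the data set.

    These are the accounts to re-scope first: a phish against any of them
    exposes more than a 'small subset' of records.
    """
    return sorted(u.username for u in users if blast_radius_ratio(u, records) > max_ratio)


if __name__ == "__main__":
    for u in USERS:
        print(f"{u.username:6} {u.role.name:17} reaches {len(blast_radius(u))}/{len(RECORDS)} records")
    print("over-privileged:", least_privilege_review(USERS))
```

Running the review flags the legacy admin and the regional manager, while the hygienist and billing clerk each reach a single record. In a real SaaS estate the records would come from the provider's API or audit export and the threshold would be set per data classification, but the review logic is the same: compute what each identity can actually reach, then trim the scopes that make a single click costly.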
Having a competitive streak within your team can benefit security leaders. Susan says, "When I do quarterly training, each studio competes with the other studios to see which studio can complete training first. They'll get some Tend swag - whether it's a cup, or a squeezy toy, or something that's fun. So we'll do that and put it out on our intranet so everyone can see the competition as it's coming through."
No matter how big the prize, keeping your staff engaged through competitions and incentives can be the difference between employees who are aware of security threats and those who are not.