What is human layer security?
Put simply, an organization’s “human layer” is its people. It’s all the employees and contractors on the payroll who carry out daily tasks to help the organization function and achieve its business goals. And your human layer can actually cross over with other organizations’, as your employees collaborate on joint tasks with suppliers and third parties.
Taking a layered approach (also known as a “layered defense”) allows organizations to combine multiple security controls and solutions to implement a robust security strategy. Layered approaches are by no means unique to data security; many organizations also work to secure their “physical layer” as an important way to prevent theft or destruction of property, and protect organizations from manmade and natural disasters that would put the continuity of their services at risk. In data security, a layered approach allows an organization to take a 360 view of their data security in order to mitigate potential attacks or loss to allow for compliance with data privacy regulations, improved efficiency, and business continuity.
Traditionally, when the data security industry has talked about security layers, they’ve referred to technical controls. We’ve talked about firewalls, spam filters, antivirus software, identity management systems, demilitarized zones, and even email and file encryption.
The human layer has been a relatively new addition to these conversations in recent years – but a very necessary one!
Organizations are now creating, collecting, storing, and transferring more digital data than ever before. And people interact with this data at numerous points during its lifecycle. We’re not only talking about data contained in structured formats in databases – if an employee simply creates an email containing a client’s or service user’s personal information, that email (in its unstructured format) becomes sensitive data that needs the appropriate security applying to it. Magnify this by all the documents that employees may create or access that contain sensitive information, and add to it not just email but the numerous ways they might choose to access or share this data (using collaboration platforms, file transfer services, even SMS!), often from various locations as they work in the office or remotely, or even on the move using mobile devices.
On top of this, we also need to consider how employees can be targeted by cybercriminals. For example, spear phishing and business email compromise (BEC) attacks are now more prevalent than ever – often targeting employees and tricking them into carrying out fraudulent actions, for example paying invoices to a scammer’s bank details or purchasing online gift cards to give to clients “on behalf of the CEO”.
So, it’s little surprise that organizations are putting increasing amounts of resources into human layer security.
The first thing to note is that people will always be unpredictable. Giving (or trying to give!) users tools to do their jobs securely is nothing new – but ensuring they use them is an issue that has plagued CISOs and security professionals for years!
Traditional DLP and security solutions have struggled to secure the human layer because they rely on either:
- Static rules (i.e. encrypting emails based on key words)
- Or users’ actions (i.e. a user chooses whether or not an email will be encrypted)
In practice, the static rules haven’t been able to evolve as an organization, and its security threats, have evolved. And people are flawed: they will inevitably forget to encrypt content, or simply choose not to because it adds extra steps into their workflows. They can also act maliciously and exfiltrate data from the organizations they work for and with.
How to implement human layer security
To effectively implement human layer security, you need to consider three key questions:
- Are the solutions you’re putting in place easy for employees to use? Inevitably, if a security solution is difficult to use, sooner or later it will be avoided. Security tools need to engage users in the process, helping to educate them on the necessity of protecting data.
- Does it add value to day-to-day tasks? Where a solution adds tangible value, it then becomes much more likely that someone will want to use it. At Egress, we challenge ourselves with providing solutions that a user would request to have re-installed on their desktop should they ever find themselves without them (see below for how we do this!).
- Is it possible to automate some or all of this security process? Automating security wherever possible will help to reduce and, hopefully, remove users’ pain points – and ensure you’re not relying on fallible people to make security decisions.
At Egress, we’re working to improve human layer security using machine learning. We focus on email security, so my example here references the technology we deliver so that you know it’s really achievable to do these things.
When someone sends an email, they carry out a number of actions (in various orders):
- Add recipients to the To, Cc and / or Bcc fields
- Add a subject and content to the email
- Add any relevant attachments
There are three opportunities here for an email data breach to occur:
- The incorrect recipients are added to the email or they’re added to the To / Cc field when they should be in the Bcc field
- The right recipients are added but the incorrect document is attached or there are extra tabs containing sensitive data included on a spreadsheet (or elsewhere within a document)
- The email and its attachments are inadequately protected, and consequently the senders’ organization doesn’t have the necessary assurance and control over the content that’s been shared
To overcome all three of these scenarios, Egress uses machine learning and graph database technology to provide human layer security. Risk-based assessments are applied in four areas:
- Recipient domain: Takes into consideration the age of the recipient’s domain, its authenticity, and whether DKIM and SPF are setup. The Egress platform also analyzes any history of secure communications with the recipient domain to help build this trust score.
- The sensitivity of the content being shared: Email body and attachments are inspected using content analysis to determine that the right file has been included, and that correct level of protection is applied to secure data in transit and at rest.
- Sender history: Understanding the history of the sender’s email communications, including all recipients emailed in the past, to alert them to potentially incorrect recipients.
- Recipient information: The history of communicating securely with the recipient, including geographic and system information regarding where data was previously accessed.
Users are notified if the system determines that one or more incorrect recipients have been included, or if the Bcc field should be used instead of the To / Cc field. It will also notify administrators of suspicious activity when employees may be exfiltrating data.
In this way, the solution meets the three key points required for human layer security:
- It is easy for employees to use: We take a light-touch approach, waiting beneath the surface until a user needs us to notify them of a mistake.
- It adds real value to users’ day-to-day tasks: Misdirected emails can be inefficient and embarrassing at best; at worst, they have ended people’s careers.
- It automates decisions wherever possible: We can prevent emails being sent to incorrect recipients and would recommend enforcing the appropriate level of security by default as content is shared via email.
So you can see: While human layer security has been a pain point for many security professionals and their organizations, technical innovations exist that can help reduce friction, minimize disruption, and ultimately predict the unpredictable!
If you’d like one of the Egress Team to show you how the software looks in action, please get in touch.