New CyberArk research finds Australian employees choosing convenience over cyber security policies.
Analysis Summary
# Best Practices: Mitigating Human Risk and Reducing Access Abuse
## Overview
These practices address the critical security gap where employees bypass established cybersecurity policies for convenience, leading to increased organizational risk. The focus is on mitigating human-driven behaviors such as password reuse, use of insecure personal devices (BYOD), unauthorized AI tool usage, and bypassing standard security controls.
## Key Recommendations
### Immediate Actions
1. **Enforce Universal Multi-Factor Authentication (MFA):** Mandate MFA for *all* access to work and business-critical applications immediately. MFA alone is not a sufficient long-term control, but it is needed now to stop basic credential-stuffing attacks.
2. **Audit and Restrict Sensitive Data Access:** Immediately review and reduce the default permissions granted to entry-level employees, especially access to critical data and the ability to modify confidential records (e.g., data alteration, large financial approvals), unless the role strictly requires it.
3. **Block Unauthorized AI Tool Usage:** Implement technical controls (e.g., network filtering, DLP policies) to prevent the input of sensitive corporate data into unapproved, unmanaged generative AI tools.
4. **Begin Credential Cleanup Campaign:** Initiate an organization-wide campaign to identify and remediate password reuse, specifically flagging any known reuse between corporate and known personal accounts if feasible.
### Short-term Improvements (1-3 months)
1. **Implement Least Privilege Access Model:** Review and strictly enforce the principle of least privilege across all job roles, so that employees hold only the access needed for their immediate tasks, with particular attention to data download and alteration capabilities.
2. **Deploy Modern Endpoint Security on BYOD:** For employees who access work applications from personal devices (a high percentage, according to the research), promptly deploy endpoint security that enforces a minimum security baseline (e.g., mandatory disk encryption, active security software) without logging personal activity.
3. **Mandate VPN/Secure Tunneling for Remote Access:** Enforce the use of VPNs or secure organizational tunnels for *all* connections to work resources from non-corporate networks (including personal Wi-Fi hotspots).
4. **Roll Out Policy Communication Campaign:** Launch targeted, engaging communications that explain *why* each security policy exists and acknowledge the convenience and productivity barriers that tempt people to bypass it, rather than just stating rules; address password reuse and personal device usage specifically.
### Long-term Strategy (3+ months)
1. **Adopt Identity Security Solutions:** Implement advanced identity security platforms that focus on monitoring post-authentication behavior and managing access entitlements across various environments (cloud, on-premise).
2. **Integrate Security into Workflow Tools (Identity-Centric Approach):** Introduce productivity tools that integrate security seamlessly (e.g., passwordless/passkey solutions, approved secure in-house AI sandboxes) to reduce the friction that drives employees to bypass policies.
3. **Establish Continuous Security Awareness Training:** Develop mandatory, role-based training cycles that specifically address modern risks like AI data leakage and the risks associated with sharing confidential information externally.
4. **Develop a Structured Patch Management Process for BYOD/Personal Devices:** Create a clear, well-communicated policy requiring timely security updates on personal devices used for work, perhaps by integrating compliance checks into the access mechanism (though enforcing updates on wholly personal devices remains challenging).
## Implementation Guidance
### For Small Organizations
- **Focus on Low-Friction Security:** Prioritize implementing password managers integrated with SSO/MFA to eliminate the need for manual password reuse.
- **Strict BYOD Policy Enforcement:** Start by restricting access to the *most* critical/sensitive applications from personal devices unless they pass a basic security check (e.g., active OS security reporting).
- **Single Point of Control:** Ensure all cloud services utilize a single centralized identity provider (IdP) to govern access and enforce MFA uniformly.
### For Medium Organizations
- **Role-Based Access Control (RBAC) Refinement:** Conduct formal RBAC reviews to map access levels against actual job functions, paying close attention to high-risk departments like Marketing and IT.
- **Security Tool Implementation:** Invest in tools capable of monitoring and managing privileged access across broader infrastructure, addressing the scattered nature of high-risk access.
- **Pilot Identity Lifecycle Management:** Begin formalizing provisioning and de-provisioning processes to ensure immediate access revocation upon role change or departure.
### For Large Enterprises
- **Automated Entitlement Review:** Implement processes to continuously audit and automatically remediate excessive or standing privileges across interconnected systems.
- **Zero Trust Architecture Implementation:** Accelerate the move toward a Zero Trust model, ensuring every user, device, and application connection is verified regardless of network location.
- **Secure AI Framework Integration:** Develop and clearly communicate organizational guidelines for secure use of generative AI, ideally by providing pre-approved, secure AI corporate platforms that eliminate the incentive to use external tools.
## Configuration Examples
*Note: Specific configuration snippets require knowledge of the deployed tools (e.g., specific MDM, IdP, or firewall vendor). The guidance below is conceptual.*
**Configuration Principle: Enforcing Secure Access Context**
If using an Identity Provider (e.g., Azure AD Conditional Access, Okta Adaptive MFA):
1. **Policy:** Access to 'Financial Data Repository' application.
2. **Conditions:** User location is 'Outside Corporate Network' AND Device platform is 'Personal OS' (not corporate managed).
3. **Action:** Grant access only if strong MFA (e.g., biometrics) is satisfied AND the connection originates from the organizational VPN/secure tunnel endpoint.
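The conditional-access principle above, written out as a small policy evaluator so the logic can be reviewed and unit-tested before it is translated into a vendor's rule syntax. This is an added example, not CyberArk's code or any IdP's API; the network ranges, MFA labels, and application name are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample values (assumptions, not from the report): corporate office
# egress range, the address pool handed to VPN clients, and which MFA labels the
# IdP reports as "strong". Real values come from the network and IdP inventory.
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]
VPN_NETS = [ipaddress.ip_network("10.200.0.0/16")]
STRONG_MFA = {"biometric", "fido2"}
PROTECTED_APPS = {"Financial Data Repository"}


@dataclass
class AccessRequest:
    app: str
    source_ip: str
    device_managed: bool        # True when the device is enrolled in corporate MDM
    mfa_method: Optional[str]   # e.g. "sms", "totp", "biometric", "fido2", or None


def _in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def evaluate(req: AccessRequest) -> Tuple[str, List[str]]:
    """Return ("allow" | "deny", reasons) for one sign-in attempt."""
    # Baseline from the Immediate Actions: every work application requires MFA.
    if req.mfa_method is None:
        return "deny", ["MFA is mandatory for all work applications"]
    if req.app not in PROTECTED_APPS:
        return "allow", ["baseline MFA satisfied; app has no extra conditions"]
    on_corp = _in_any(req.source_ip, CORPORATE_NETS)
    via_vpn = _in_any(req.source_ip, VPN_NETS)
    # The conditional policy only fires when BOTH conditions hold:
    # outside the corporate network AND on an unmanaged (personal) device.
    if on_corp or req.device_managed:
        return "allow", ["inside corporate network or managed device"]
    reasons = []
    if req.mfa_method not in STRONG_MFA:
        reasons.append(f"strong MFA required, got {req.mfa_method!r}")
    if not via_vpn:
        reasons.append("connection must come through the organizational VPN")
    if reasons:
        return "deny", reasons
    return "allow", ["strong MFA and VPN satisfied for personal device off-network"]
```

Returning the list of unmet conditions, rather than a bare deny, is what lets the help desk explain to a user why a personal-device sign-in was refused.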
**Configuration Principle: Blocking Known Risky Traffic (AI)**
1. **Firewall/Proxy Rule:** Create a rule blocking connections to URLs or domains associated with high-risk, unmanaged AI services that accept file uploads or large text inputs.
2. **DLP Integration:** Configure Data Loss Prevention (DLP) to flag and block copies of sensitive data patterns (e.g., PII lists, proprietary source code signatures) being uploaded to unapproved external cloud storage or communication channels.
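A minimal content inspector in the spirit of the DLP principle above: it flags Luhn-valid card numbers (a PII pattern) and proprietary source-code markers, and blocks only when such content is bound for an unapproved destination. This is an added example, not a vendor's DLP engine; the marker strings, approved hostname, and sample payloads are constructed.

```python
import re
from typing import List, Tuple

# Constructed signatures (assumptions, not from the report): a loose card-number
# pattern tightened by a Luhn check, and header strings assumed to mark the
# organization's proprietary source code.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SOURCE_MARKERS = ("Copyright (c) ExampleCorp", "INTERNAL USE ONLY")
# Destinations approved to receive sensitive content, e.g. the in-house AI sandbox (assumed).
APPROVED_DESTINATIONS = {"ai-sandbox.corp.example"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def scan_payload(text: str) -> List[Tuple[str, str]]:
    """Return (kind, evidence) findings for PII and proprietary-code patterns."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("card_number", "****" + digits[-4:]))  # record masked form only
    for marker in SOURCE_MARKERS:
        if marker in text:
            findings.append(("proprietary_source", marker))
    return findings


def should_block(text: str, destination: str) -> bool:
    """Block when sensitive patterns are headed to an unapproved destination."""
    if destination in APPROVED_DESTINATIONS:
        return False
    return bool(scan_payload(text))
```

Masking the matched value before logging matters: a DLP alert that stores the full card number simply moves the sensitive data into the SIEM.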
## Compliance Alignment
- **NIST Cybersecurity Framework (CSF):** Identify (Asset Management, Risk Assessment), Protect (Access Control, Data Security), Detect (Continuous Monitoring).
- **ISO/IEC 27001:** A.6 (Organizational Information Security Policies), A.9 (Access Control), A.12 (Operations Security - Patch Management).
- **CIS Critical Security Controls (v8):** Control 5 (Account Management), Control 6 (Access Control Management), Control 14 (Data Recovery), and Control 17 (Security Awareness and Skills Training).
## Common Pitfalls to Avoid
1. **Over-relying on MFA Alone:** Assuming MFA solves all identity risk; it does not stop account takeover when phishing or malware acts after authentication has completed.
2. **Implementing Policies That Stop Work Entirely:** Policies that are too restrictive or cumbersome (like demanding employees update personal devices instantly) will inevitably be bypassed, leading to "shadow IT" environments.
3. **Treating AI as a Temporary Fad:** Ignoring or banning AI tools entirely will push their use further underground and into unsecured consumer platforms.
4. **Inconsistent BYOD Patch Enforcement:** Applying strict patch requirements to personal devices without providing organizational remediation tools or flexibility often results in policy non-compliance being hidden from security teams.
## Resources
- **Identity Security Architecture:** Review documentation specific to your Identity Provider (e.g., **[Vendor Name]** Identity Security Best Practices).
- **Least Privilege Implementation Guides:** Consult vendor documentation for implementing **Privileged Access Management (PAM)** solutions.
- **Secure AI Usage Guidelines:** Develop internal documentation based on legal/compliance requirements regarding data residency and data handling when using large language models. (Search for **"Enterprise Guidelines for Generative AI Use"** from reputable legal/security sources).