[BreachExchange] Striking the balance between employee productivity and data security

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jan 3 20:12:57 EST 2017


http://www.itproportal.com/features/striking-the-balance-between-employee-productivity-and-data-security/

There has been a marked increase in data security breaches in recent times.
It seems that hardly a day goes by without a headline proclaiming some sort
of cyber attack. In the last couple of months alone we’ve seen a major breach
at the mobile service provider Three and much talk of state-sponsored hacking
in relation to the US presidential election. More recently, it was revealed
that as many as one billion Yahoo user accounts were affected in a hacking
attack dating back over three years. Typically, the perpetrators of these
crimes remain hidden, leaving most of us to wonder how such an incursion can
be achieved, given the scale of investment the affected organisations will
have made in cyber-security.

The bad news is that the threat of data security breaches looks set to get
worse. The Internet of Things (IoT), with its seemingly insecure network
access points, and the explosion of mobile devices that connect so readily
to the networks we depend on in our private and working lives provide
opportunities for the unscrupulous to get at sensitive and private data. It
seems that even the cameras and microphones on our mobile devices can be
turned against us, hijacked by malware introduced unwittingly to ‘spy’ on
meetings and conversations. Ian Fleming would have had a field day with such
a prospect.

Hackers themselves are changing tack. Instead of spending long hours trying
to crack the security surrounding a corporate network, it is far easier
simply to dupe an employee into handing over their trusted login details, as
was suspected in the Three breach mentioned above.

Back in the day it all seemed so much simpler. When people talked about
‘connected devices’ they meant desktop computers or terminals, connected to
internal networks or, remotely, over private networks. System administrators
had complete control over who could access what, and everything else was
safely managed in secure data centres. Nowadays the growth of remote working
and flexible working patterns has changed all of this, resulting in a mobile
revolution, and with it has come an explosion in threat levels.

In today’s workplace, there is very much a culture of BYOD (bring your own
device) with employees encouraged to use the software and tools that they
feel most comfortable with. This combined with the use of collaborative
working tools like Dropbox, Evernote, OneDrive and Google Docs has created
something of an ‘alternative’ IT structure, where the boundaries between
personal and business use are blurred and network communications are
facilitated by devices designed to make this as quick and easy as possible.
What’s more, these technologies engender a sense of collaboration and
efficiency amongst users and this promotes a belief that they are actually
working in the best interests of their employer.  In most cases this is
probably true, which is just as well since the underlying technology is now
embedded in the developed world’s work/life culture.

But this presents organisations with a real paradox, particularly major
corporates that have large numbers of users and huge amounts of sensitive
data. On the one hand, organisations want to maximise employee performance
and increase productivity, innovation and collaboration, all of which are
enabled and, indeed, enhanced by mobile technology. On the other, many
mobile apps don't meet corporate standards for data protection and
encryption. These apps can also consume large amounts of bandwidth from
corporate networks and, as a consequence, can have a significant impact on
performance as well as cost.

All this presents a real challenge to organisations already under pressure
to contain the spiralling costs of cyber-security, and there is a growing
sense that further empowering the productivity of employees and teams
through mobile technology, whilst protecting sensitive data, will require
new strategies for cyber security.

Of course, this is easier said than done: users are now ‘connected’ to their
mobile devices as a lifestyle choice. Millennials and younger generations
are ‘natives’ to this technology and it is questionable whether that bond
can ever be broken. Resistance to the introduction of restrictions around
devices will no doubt be strong, but the balance must be struck in order to
achieve a successful and secure working environment.

It's important to get the basics right, and a scan of the industry media
indicates a growing consensus on the must-haves: clear policies on device
usage and security, a proactively promoted culture of security, and regular
awareness training. These need to be implemented company-wide but are
particularly important for so-called privileged users, who, as indicated
earlier, are arguably now more at risk of being targeted by the
cyber-criminal fraternity.

Organisations can and should make better use of existing technology and
procedures such as multi-factor authentication (MFA), of which two-factor
authentication (2FA) is the common case: it requires not only a username and
password but also something that only that user has, such as a hardware
token or authenticator app that generates one-time codes. Admittedly, this
technology has been around for some time and may sound relatively
unsophisticated, but simplest is often best.

Companies should also begin to encourage the adoption of compliant
technology. I read in a recent report that a number of large US-based
financial service organisations have begun to provide their employees with
corporate-issued smartphones. By doing this, these organisations were able
to provide a user experience to all of their employees similar to that
enjoyed when using their personal devices, thereby encouraging uptake
whilst ensuring appropriate levels of security.

The report concluded that in such circumstances fewer employees were using
personal devices for business. At the extreme end of the scale there is a
growing school of thought that suggests the entire security model should be
rethought. For example, in this article on The Register it is suggested
that the answer is to put less focus on preventing unauthorised access and
more on monitoring what is actually going on within the network. It
postulates the development of automated security in which machines look
after themselves. Whilst fans of the Terminator movies may equate this to
Skynet, current developments in artificial intelligence make it all the
more plausible in the near future.

As the report indicates, the mindset must be to assume that your data will
be hacked and stolen at some point. It argues that, rather than spending
incrementally more to prevent unauthorised entry, organisations need to
begin developing strategies that work from the inside out to nullify the
threat, or design solutions that make stolen data useless.

Today it is a question not of if but of when an attack will come, so
organisations must be armed with intelligence that allows them to get to
the root cause of the attack and remediate fast. In addition, if
organisations can develop the capability to prioritise, they can remediate
the most dangerous threats first. Achieving this kind of step change would
certainly help strike the balance between increased mobile app usage and
data security.

It is a constant battle between the good guys and the bad, each seemingly
leapfrogging the other. The bad guys can also sometimes be entire countries
and state sponsored hacking is a clear and present threat, taxing the minds
of many governments. The UK is already planning to spend £1.9bn on cyber
security in the face of what Philip Hammond described as a ‘sovereign
threat to the UK's cyber space’.

Cyber-security is a strategic issue that all organisations must face up to
as the threats and consequences of data theft increase in proportion to the
rewards enjoyed by the perpetrators. Whatever strategy you adopt be
prepared to play a long game. Until network security can indeed look after
itself, it will be necessary to constantly adapt and change to protect your
sensitive and valuable data and the fortunes of your business.