[BreachExchange] Achieving a secure network in the era of the millennials

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jan 23 18:56:58 EST 2017


http://opensources.info/achieving-a-secure-network-in-the-era-of-the-millennials/

Of all the tough gigs that IT get tasked with, keeping an organisation’s
network safe and secure is near the top of the list. And it’s getting higher as
hacking incidents dominate the news agenda and cyber security becomes very
much embedded in the public consciousness.

It’s a job that’s only going to get tougher; one big reason being the rise
of millennials in the workplace.

Millennials – those in their 20s to mid-30s – are starting to dominate
workplaces around the world. It’s a demographic group that will account for
half of the global workforce by 2020, according to PwC.

The term “millennial” has many connotations. Among them: they like sharing
on social media. They won’t put up with bad user experiences. They want a
flexible approach to work. Their loyalty to their company can plummet at
the drop of a hat if their expectations are not being met.

These characteristics will define the culture of the future workplace. They
will also put the current network security regimes of many organisations to
a stern test.

Here are three considerations for IT to take into account:

Social media: to block or not to block?

Many organisations have probably considered this question when it comes to
their employees’ use of social media in the workplace.

A study by HR software provider CareerBuilder found that 37% of employers
see social media as one of the major productivity killers at the workplace,
behind mobile phone and texting (55%), using the Internet (41%), and
gossiping (39%).

Three-quarters of employers say two or more hours are lost a day in terms
of productivity because employees are distracted.

From a network security perspective, social media is a vector for malware
and socially engineered attacks. There are many links that, while shared
innocently, end up bringing users to compromised websites. And even if
employees use social channels in a professional way, their friends and
contacts are under no such obligation.

It is easy to ban or restrict social media sites at the network level.
Static URL filters in Web filtering software can block or monitor specific
URLs.

The category-filtering feature can block entire groups of websites. But
that doesn’t mean CIOs should start blocking social networks at the
workplace.
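The two filtering mechanisms just described, static URL rules and category rules, are easy to combine in a single policy decision. The following is an added example, not code from the article or from any particular Web filtering product: a small evaluator with a constructed category database, a constructed category policy (block personal cloud storage, merely monitor social media) and a handful of static URL exceptions. It also shows the normalisation a real filter needs (case, port, `www.` prefix, subdomain inheritance), which is where naive blocklists usually leak.

```python
"""Added example (not from the original post): a minimal Web-filter policy
evaluator combining static URL rules with category rules. All hostnames,
categories and rules below are constructed for illustration; a real product
would supply its own category feed."""
from urllib.parse import urlsplit

# Constructed category database: hostname -> category.
CATEGORY_DB = {
    "facebook.com": "social",
    "twitter.com": "social",
    "drive.example-cloud.test": "personal-storage",
    "intranet.corp.test": "business",
}

# Category policy: "block" stops the request, "monitor" logs it but lets it
# through. Categories not listed here default to "allow".
CATEGORY_POLICY = {
    "personal-storage": "block",
    "social": "monitor",
}

# Static URL rules take precedence over category rules, so a specific
# exception (say, the company's own social media page) or a specific known
# bad URL can override the category decision.
STATIC_URL_RULES = {
    "https://facebook.com/acme-corp-official": "allow",
    "http://evil-links.test/login": "block",
}


def normalize_host(netloc: str) -> str:
    """Lower-case the host and strip userinfo, port, trailing dot and a
    leading 'www.' so that 'WWW.Facebook.com:443' and 'facebook.com' match
    the same rule."""
    host = netloc.rsplit("@", 1)[-1].split(":", 1)[0].lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def lookup_category(host: str) -> str:
    """Walk up the domain labels so that m.facebook.com inherits the
    category of facebook.com."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        category = CATEGORY_DB.get(".".join(labels[i:]))
        if category:
            return category
    return "uncategorized"


def decide(url: str) -> tuple[str, str]:
    """Return (action, reason) for a requested URL."""
    parts = urlsplit(url)
    host = normalize_host(parts.netloc)
    canonical = f"{parts.scheme}://{host}{parts.path}"
    if canonical in STATIC_URL_RULES:
        return STATIC_URL_RULES[canonical], f"static rule for {canonical}"
    category = lookup_category(host)
    return CATEGORY_POLICY.get(category, "allow"), f"category {category}"


def evaluate_batch(urls: list[str]) -> dict[str, list[str]]:
    """Group a list of requests by the action taken, e.g. to review what the
    'monitor' rule is actually catching before deciding whether to block."""
    result: dict[str, list[str]] = {"allow": [], "monitor": [], "block": []}
    for url in urls:
        action, _reason = decide(url)
        result[action].append(url)
    return result


if __name__ == "__main__":
    # Constructed sample requests.
    for u in ["https://WWW.Facebook.com:443/acme-corp-official",
              "https://m.facebook.com/feed",
              "https://drive.example-cloud.test/upload",
              "https://intranet.corp.test/"]:
        print(u, "->", decide(u))
```

Note that the static rule for the company's own page is matched on the normalised scheme, host and path, so the capitalised `WWW.Facebook.com:443` form still hits the exception, while every other Facebook subdomain falls through to the "monitor" category rule.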

An alternative, and better, approach is to reexamine how network security
is being enforced holistically across the business. Having a clear social
media policy and training for staff is a solid foundation.

For instance, sales staff should be regularly reminded of the security and
business risks that might result from checking in their locations at
customer sites via social channels like Facebook.

The most important safeguard, though, is to have a robust, layered security
infrastructure. It is a surer bet than having to rely on employees never
erring in their clicks, taps, and swipes with their social media accounts.

Security: know thy layers

With the changing workplace habits brought on by millennial workers, CIOs
should take a fresh look at how they are setting up each layer of security
within the business.

Layered security, whereby different layers of security controls combine to
protect data, devices, and people, ensures that when attacks occur they can
be detected and stopped before they spread, whether at the network,
application, device, or user level. It also offers an effective safeguard
against different types of threats.

Consider, for instance, the use of personal devices in the workplace.
According to a McKinsey & Company study, around 80% of enterprises now
allow employees to use personal devices to connect to corporate networks.
And increasingly, employees expect their IT departments to support their
personal devices with access to corporate applications like email and
calendar.

It’s no secret that BYOD poses a number of new security threats.

What BYOD does mean is that CIOs should prioritise bolstering security at
the device layer. The first step to take is to shore up the devices
themselves through mandating some combination of firewalls, anti-malware
software, MDM (mobile device management) solutions, and regular patching.

A BYOD culture also puts organisations at risk from having their employees’
smart devices hacked because of poor passwords. Having policies and
education on strong passwords is absolutely essential.

Device types can also be identified so that less secure devices, such as
mobile phones, can be restricted from some parts of the network. Sessions
should also be secured, such as by preventing users from visiting unsafe
websites.
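The device-layer controls listed above (MDM enrolment, host firewall, anti-malware, patching) and the idea of restricting less secure device classes to parts of the network come together in a network access control decision. The following is an added example, not the article's own and not tied to any particular NAC or MDM product: a posture check that maps a device's class and state to the network zones it may reach. The zone names, device classes and patch-age thresholds are constructed for illustration.

```python
"""Added example (not from the original post): a NAC-style posture check that
restricts less secure device classes to limited network zones. Zone names,
device classes and thresholds are constructed for illustration."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Device:
    name: str
    kind: str            # constructed classes: "laptop", "phone", "tablet"
    mdm_enrolled: bool   # enrolled in the mobile device management solution
    firewall_on: bool
    antimalware_on: bool
    last_patched: date


# Zone requirements (constructed). A max_patch_age of None means the patch
# level is not checked for that zone.
ZONES = {
    "guest-internet": {"kinds": {"laptop", "phone", "tablet"},
                       "mdm": False, "max_patch_age": None},
    "email-calendar": {"kinds": {"laptop", "phone", "tablet"},
                       "mdm": True, "max_patch_age": 90},
    "internal-apps":  {"kinds": {"laptop"},
                       "mdm": True, "max_patch_age": 30},
}


def posture_failures(device: Device, zone: str, today: date) -> list[str]:
    """Return the list of reasons a device fails the zone's requirements;
    an empty list means the device may connect."""
    req = ZONES[zone]
    failures: list[str] = []
    if device.kind not in req["kinds"]:
        failures.append(f"device class {device.kind} not permitted in {zone}")
    if req["mdm"]:
        # Managed zones require the device-layer controls to be present.
        if not device.mdm_enrolled:
            failures.append("not enrolled in MDM")
        if not device.firewall_on:
            failures.append("host firewall disabled")
        if not device.antimalware_on:
            failures.append("anti-malware disabled")
    if req["max_patch_age"] is not None:
        age = (today - device.last_patched).days
        if age > req["max_patch_age"]:
            failures.append(
                f"last patched {age} days ago (limit {req['max_patch_age']})")
    return failures


def allowed_zones(device: Device, today: date) -> list[str]:
    """Zones the device is cleared for, in policy order."""
    return [z for z in ZONES if not posture_failures(device, z, today)]


def explain(device: Device, today: date) -> dict[str, list[str]]:
    """Per-zone failure reasons, useful for the help-desk message a user sees
    when their BYOD phone lands on the guest network only."""
    return {z: posture_failures(device, z, today) for z in ZONES}


if __name__ == "__main__":
    today = date(2017, 1, 23)
    # Constructed sample devices.
    byod_phone = Device("byod-phone", "phone", False, True, True, date(2017, 1, 1))
    corp_laptop = Device("corp-laptop", "laptop", True, True, True, date(2017, 1, 13))
    for d in (byod_phone, corp_laptop):
        print(d.name, "->", allowed_zones(d, today))
        print(explain(d, today))
```

The design point is that the decision is per zone, not a single pass/fail: an unmanaged personal phone still gets guest Internet, a managed phone reaches email and calendar, and only a managed, recently patched laptop reaches internal applications. That matches the article's suggestion of restricting less secure device types from some parts of the network rather than turning them away entirely.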

Similarly, defences of the user layer should also be shored up to mitigate
the rising risks of internal threats. This layer is often the trickiest to
manage due to the need to balance security and convenience.

You can also use a variety of authentication methods to identify network
users and allow varying levels of access. Instilling awareness and
educating staff are important steps to take.

Tackle shadow IT

The uncontrolled nature of shadow IT poses a major security threat and
governance challenge.

Consider the scenario of employees using their smartphone to open a file.
It is likely the phone will make a copy of the file, which could then be
sent to an unapproved online storage destination when the phone performs
its routine automatic backup. Just like that, secure corporate data has
been moved to an insecure location.

In the same way, the many social collaboration apps favoured by millennials
can shift sensitive company information to insecure locations.

Unfortunately, mandating that staff stop using non-sanctioned devices and
applications is unlikely to stunt their growth in an organisation.

Frankly, with the ubiquity of smartphones, employees are going to use
social networks and their personal cloud apps whether your policies prevent
it or not.

What could be more effective is to educate users, as well as implement
technology – such as data encryption, access control, and traffic
monitoring – to manage the issue.

Shadow IT most of the time reveals a wider issue within your organisation.
It usually happens when staff are not happy with the solutions provided by
the business.

While CIOs may not be able to prevent staff from seeking out alternative
apps for, say, collaboration, they can keep things in check by being
attuned to their needs.