[BreachExchange] IT Weaknesses – The Barrier To Enterprises Becoming Security-First

Destry Winant destry at riskbasedsecurity.com
Fri Apr 12 09:24:02 EDT 2019


https://www.informationsecuritybuzz.com/articles/it-weaknesses-the-barrier-to-enterprises-becoming-security-first/

Enterprises are increasingly recognising the benefits of embracing a
cloud infrastructure to support on-premise networks, but often create
complicated network environments in the process. Recent OneLogin
research found that 94% of global CIOs agree that the corporate
technology stack is becoming increasingly complex, with more apps
(both cloud and on-prem), data, devices and transactions than
previously known[1]. Running systems via the cloud offers
efficiency and productivity to better support large distributed
workforces, no matter where an employee is based. As a company evolves
it can often outgrow its on-premise network. Consequently, IT
strategies must be created to futureproof networks, as well as protect
customer and employee data.

The influx of new applications onto enterprise networks shows no sign
of abating, threatening network security posture. OneLogin research
found that two-thirds of UK enterprises expected to deploy up to 100
new commercial SaaS and on-premise apps in the last year. This high
frequency of large-scale app deployment to enterprise networks means
it is critical that enterprises develop a security-first strategy to
encourage healthy hybrid-network environments. Such strategies are
imperative to calm chaotic networks overwhelmed by the constant
on-boarding of applications. Just like spinning plates, it is only a
matter of time until a chaotic and fragmented hybrid network wobbles
and the entire enterprise network collapses.

To ensure enterprises’ networks remain agile and secure, IT
decision-makers and professionals should consider the following points
to encourage a companywide security-first culture:

1. Single source of truth

Multiple directories mean multiple vulnerabilities. Whether
directories are in the cloud, on-premise, or both, they need to be
managed from one unified system that’s adaptable and scalable.

2. Manage access for employees and end-users

81% of hacking-related breaches involve stolen or weak credentials.
Single sign-on (SSO) and multi-factor authentication (MFA) work
together to strengthen credentials and protect data from unauthorised
access – across all users’ devices and apps.

3. Onboard and offboard efficiently and securely

As enterprises continue to grow, HR and IT departments are tasked with
getting new employees onboarded quickly, and offboarding ex-employees
just as fast, if not faster, to stay secure. With large enterprises
hosting 250+ employees, new staff need to be added every week and,
likewise, staff also leave every week – placing a strain on HR and IT
teams. To simplify these processes, run them efficiently and put
security first, enterprises should invest in automated processes and
tools. An “instant kill switch” for deprovisioning and real-time
directory synchronisation can dramatically reduce time spent on IT
administrative tasks and greatly reduce the risk of ex-employees
leaving with sensitive information that could be sold to competitors.
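Points 1 and 3 above describe a single authoritative directory and an "instant kill switch" for deprovisioning. The following is an added example, not code from the article or from OneLogin: it reconciles per-application account exports against one constructed directory, reporting accounts that belong to leavers (to deprovision), accounts with no matching directory identity (orphans), accounts a user's role does not entitle them to, and entitled users who are not yet provisioned. The directory, the app account lists, the role-to-app entitlements and the `TODAY` date are all constructed sample data; `kill_switch` is a hypothetical helper that lists every app in which a given leaver still holds an account.

```python
"""Reconcile SaaS app accounts against one authoritative directory.

Added example (not from the article). All data below is constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class DirectoryUser:
    user_id: str
    email: str
    role: str
    active: bool
    termination_date: Optional[date] = None


# Constructed: the single source of truth (an HR-fed directory).
DIRECTORY: List[DirectoryUser] = [
    DirectoryUser("u1", "alice@example.com", "sales", True),
    DirectoryUser("u2", "bob@example.com", "sales", False, date(2019, 4, 1)),
    DirectoryUser("u3", "carol@example.com", "engineering", True),
    DirectoryUser("u4", "dave@example.com", "sales", True),
]

# Constructed: account lists exported from each SaaS application.
APP_ACCOUNTS: Dict[str, List[str]] = {
    "crm": ["alice@example.com", "bob@example.com",
            "carol@example.com", "contractor-x@example.com"],
    "wiki": ["alice@example.com", "carol@example.com"],
}

# Constructed: which apps each role is entitled to.
ENTITLEMENTS: Dict[str, Set[str]] = {
    "sales": {"crm", "wiki"},
    "engineering": {"wiki"},
}

# Constructed: the date the reconciliation run is executed.
TODAY = date(2019, 4, 12)

Finding = Tuple[str, str]  # (app name, email address)


@dataclass
class ReconcileResult:
    deprovision: List[Finding] = field(default_factory=list)  # leavers still present
    orphan: List[Finding] = field(default_factory=list)       # unknown to the directory
    excess: List[Finding] = field(default_factory=list)       # present but not entitled
    missing: List[Finding] = field(default_factory=list)      # entitled but absent


def _has_left(user: DirectoryUser, today: date) -> bool:
    """A user has left if flagged inactive or their termination date has passed."""
    if not user.active:
        return True
    return user.termination_date is not None and user.termination_date <= today


def reconcile(directory: List[DirectoryUser],
              app_accounts: Dict[str, List[str]],
              entitlements: Dict[str, Set[str]],
              today: date) -> ReconcileResult:
    """Compare every app account against the directory and classify it."""
    by_email = {u.email.lower(): u for u in directory}
    result = ReconcileResult()

    # Pass 1: every account in every app must map to an active, entitled user.
    for app, emails in app_accounts.items():
        for email in emails:
            user = by_email.get(email.lower())
            if user is None:
                result.orphan.append((app, email))
            elif _has_left(user, today):
                result.deprovision.append((app, email))
            elif app not in entitlements.get(user.role, set()):
                result.excess.append((app, email))

    # Pass 2: every active user must hold an account in each entitled app.
    for user in directory:
        if _has_left(user, today):
            continue
        for app in entitlements.get(user.role, set()):
            present = {e.lower() for e in app_accounts.get(app, [])}
            if user.email.lower() not in present:
                result.missing.append((app, user.email))

    for findings in (result.deprovision, result.orphan, result.excess, result.missing):
        findings.sort()
    return result


def kill_switch(email: str, app_accounts: Dict[str, List[str]]) -> List[str]:
    """Hypothetical helper: list every app where a leaver still has an account."""
    return sorted(app for app, emails in app_accounts.items()
                  if email.lower() in {e.lower() for e in emails})


if __name__ == "__main__":
    r = reconcile(DIRECTORY, APP_ACCOUNTS, ENTITLEMENTS, TODAY)
    print("deprovision:", r.deprovision)
    print("orphan:", r.orphan)
    print("excess:", r.excess)
    print("missing:", r.missing)
    print("kill switch for bob:", kill_switch("bob@example.com", APP_ACCOUNTS))
```

Run on a schedule against real exports, the `deprovision` and `orphan` lists are the findings a defender most wants to see quickly: a leaver whose termination date has passed but who still holds an app account is exactly the window the article's "instant kill switch" is meant to close, and an orphan account has no owner in the directory at all, so nobody's offboarding would ever remove it.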

4. Security versus usability – getting the balance right

To encourage employees to follow security protocols and buy into a
security-first culture, additional security processes must make the
tools they use to do their jobs easier to use. Otherwise, employees
will be reluctant to adopt them and will find a way to circumvent
security protocols, essentially leaving the business they work for
open to malicious cyber criminals.

It can be all too easy for employees to sign up for and download new
applications on corporate, and even personal, devices they use for work.
Some employees even pay for these applications out of their own pocket
to circumvent going through tedious HR and IT protocols.

To succeed in 2019, enterprises must find a balance between usability
and security to become a security-first organisation, or face becoming
security-last and at the mercy of cyber criminals. Not only will an
organisation’s inability to prioritise security cost the company its
sensitive data, but it will also incur regulatory fines for not
complying with data privacy laws, such as the European General Data
Protection Regulation (GDPR) or the US’ Data Privacy Shield.

Google recently, and publicly, came under regulatory scrutiny by the
French National Data Protection Commission (CNIL) following two
breaches of GDPR compliance due to a lack of transparency around how
to access data policies and Google’s lack of valid user consent
regarding the personalisation of ads[3]. As a result, Google has
received a fine of €50m, the largest fine since GDPR came into force.
The impact beyond the fine is on Google’s reputation among consumers
and Google users.

With this in mind, a security-first strategy and posture must be
reflected in an organisation’s vendor selection processes and
positively influence the end-user experience every step of the way. If
organisations fail to acknowledge the importance of a security-first
culture throughout decision-making processes, they will risk
circumvention and hefty regulatory fines, damaging their reputations.

