The phrase ‘it’s just human nature!’ is more than a cliché. Cybercriminals already appreciate this notion, as evident in the rise of successful phishing and other social engineering attacks. An understanding of the human condition is just as important from the IT defender’s point of view when building a secure infrastructure. To offer a simple example: almost everybody at some point will use or be invited into a group on a file sharing service like Dropbox. Yet, how many files have you been given permission to access that you no longer actually need? A look down the access list of many Dropbox groups will find a lot of names that really shouldn’t be there. Not to pick on Dropbox, but it doesn’t have a mandated expiry date for group access, and although removing permission takes just a few clicks, it is often overlooked for the sake of convenience.
Build a better mousetrap
This desire for the route of least resistance is a key part of the IT security problem. In many organisations, the use of such file sharing applications is forbidden, as they offer limited security and audit functions. Yet many workers still covertly use these apps not because they are malevolent, but simply to get the job done. IT may step in and create a security policy document forbidding such use and place controls to block usage. And if the need arises, staff will just find another and potentially riskier path to get the job done. The better alternative would be for the IT department to setup a corporate managed secure collaboration space, promote its use and offer support and training to users.
However, as staff clock out for the day and leave work behind, the IT security responsibility does not end. The concern is the plethora of mobile devices such as smartphones, tablets and laptops used across both environments, as analyst firm Gartner estimates that over 40 per cent of people use personal mobile devices for work. Although people are becoming more aware of the threat of cyberattacks, the reality is that personal online activity is often riskier at home compared to the shield of the corporate IT security wall.
But with a whole host of moral, privacy and technical issues, few organisations can ever truly lock down a user’s personal device to the same level as a corporate desktop PC. The solution is to again look at human nature. People care most about how things impact them, and if IT security is built into a device and simply managing all core security functions without imposing on the user’s personal activities, almost everybody is happy.
Securing the device
Implementing host checking to ensure that the user’s device is not compromised is a win-win for all involved. Creating a separate and secure workspace on each device for downloading documents and other collaborative tasks that are managed by the IT team is a simple and zero impact method of further enhancing security. By ensuring that access is only available via secure VPN connection from the workspace to datacentre, without knowing it, the user and the device are now a secure endpoint within a much better framework of end-to-end security. The list of security enhancements is potentially endless, but the critical factor for success is getting users to understand that the benefit is not just for the company, but for themselves. A secure device means less chance of personal identity theft or potential for a breach into their Internet banking credentials.
Organisations can go to great lengths to protect security. From searching the trash of employees to see what they are not securely shredding, to even calling staff to see if they will fall for phishing scams – all in the name of training and ultimately protecting the company. Yet the internal security process should start with proper training that is not just based on what employees can and can’t do but the why. Simple lessons on why opening an .EXE or even PDFs from an unknown source, or why using your birth date as a password can cause problems, can be extremely valuable.
This educational process is just as vital as having seamless and relatively transparent IT security controls in place and can also lead to some significant ancillary benefits. Once users start to understand the fundamentals of IT security and start to naturally behave in a more secure fashion, this mindset will spread across their corporate culture. Security then doesn’t become a burden, but becomes a way of operating, acting as positive reinforcement leading to better judgments. Security aware users will think twice before using a third-party file-sharing service or clicking on a link for a ‘too good to be true’ offer sent from a less than reliable or unknown email source.
However, this educational process is not a one-time deal. As is human nature, people forget, new staff arrive, technologies progress and for the IT department that means a continual approach to IT security that blends constant vigilance with systems that meet the demands of the user community in a secure and transparent way.
Adam Jaques is Senior Director of Corporate Marketing at Pulse Secure.
Follow Adam on Twitter @adamjaques