The classic approach to secure a company is to secure its assets against all attack vectors: laptops, workstations, servers, storage entities and programmes.
The standard attack methods are usually:
- infections through files carried on USB sticks, memory cards, mobile hard drives or downloaded files
- network attacks (spoofing, DoS)
- vulnerabilities that get exploited in common software
In recent years, it is no longer enough to just protect these assets. Whilst it remains mandatory to continue to protect them, we have seen that the most vulnerable elements in the enterprise are actually the employees. They are attacked using:
- drive-by downloads in order to become infected with malicious software
- phishing websites in order to steal identity and financial information
- spam and phishing emails that trick them into losing money and other personal information
- fuzzy privacy agreements that don’t limit the amount of information shared
But this is not all, because employees also have a private life. In his private life, which increasingly becomes more difficult to separate from the professional life, the employee uses technologies, services and devices which he brings into the enterprise.
The extensive adoption of third-party file synchronisation services, like Dropbox, SkyDrive, Box, Drive and many others, makes it easier than ever before to get data in and out of the enterprise. Employees are using these services for private and business purposes, despite their fundamental security issues – they transfer data from company servers to personal accounts in third-party storage services in the cloud which, as a matter of usability, get synchronised automatically to privately owned devices like smartphones and laptops.
The BYOD phenomenon brought an entire chain of security policy changes which tried, but failed, to solve the problem. Software and hardware that enforce these policies are just too expensive to purchase, too complex to set up and too hard to maintain.
So, the most critical attack vector for an enterprise is the human element.
How can this be stopped?
It can’t… unless we enter a path which doesn’t end well for the enterprise.
Employees can be forced to stop using any service and device, banned from installing any apps or software on business devices using various policies enforced in many ways. But, at the end of the day, if someone wants to do something, they will always find a way. So, my opinion is that nobody should even try to control this through policy. The better way, which is also cheaper and more reliable to enforce and control, is to protect and educate employees. Again, protecting the assets of the company should be an ongoing process.
Protecting employees means protecting their online identity as well as protecting their devices.
This is the reason why Avira decided to license its software not to devices, but to users, so that they can protect all their devices. Using a single license for a user, somebody can protect their personal devices whether they are running Windows, Mac OS X, Android or iOS.
Education of users in enterprises can be managed in the same way as for consumers. In the end, it is the same person who works in two different environments. The same advice applies to both environments:
- don’t click on links received via email or instant messaging
- don’t buy from spam
- don’t execute binaries received via email or downloaded from websites with a suspicious reputation
- don’t plug in just any memory stick you find
- don’t deactivate your antivirus
- keep your software up to date
Of course, education has additional facets when we are talking about enterprises. But, in my opinion, there is nothing which common sense and education can’t solve. I mean, is it really necessary to specify that surfing on adult websites at work is forbidden? I don’t think so.
What about Compliance?
“Compliance” is a loved word in enterprises. Compliance is realised through policies, and policies are there to be broken. In the long term there is no way for an enterprise to obtain a 100% guarantee that, through an extensive use of policies, a safe environment is achieved. A safe environment means not only one free from malicious software and malicious URLs, but also one that is acting within agreed policies. Additionally, there is also the uncertainty related to internal risks – employees that steal internal confidential information.
WIIFM – What’s in it for me?
Since there is no way to guarantee results, the only chance that enterprises have is to trust and empower their employees. This can only happen if employees know the risks and know how to react to them. So, the solution remains to educate the employees and, additionally, to motivate them to act responsibly. The easiest way to motivate them is to make them aware of the fact that the risks they expose the enterprise to are actually their risks as well. This can be achieved through education. I described above some basic notions which are self-explanatory. If employees understand and become aware of the risks and the dangers, they will learn something from which they can benefit personally. In my opinion, this approach is much better than forcing employees to sign contracts that would only make the C-level of the enterprise feel better.
Are businesses ready to go this way?
The answer to this question depends on which businesses we are talking about. If we are talking about small and micro businesses, then they have no choice but to trust and empower their employees. They lack the resources to enforce anything or to offer their employees an alternative to their favourite devices. The most they can do is to help their employees to help themselves.
Large companies still have some work to do here. They have been working in the same way for the last 25 years. Such longevity can only be achieved by minimising the complexity of running the operations. They know that uniformity reduces complexity. From this point of view, embracing BYOD doesn’t seem to be part of their plan any time soon.
But, in the long term, I think they will realise they are paying too much simply to reduce complexity.
© Copyright 2014 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity