Most employees are under heavy time pressure. Most have too much to do and too little time to accomplish it. Placing additional security, data protection and computer-related duties on their shoulders only magnifies workday stress – and that leads to mistakes.
“People under stress will make mistakes, and that can leave the back door wide open to cyber criminals,” says Marty Ward, Vice President of Product Marketing for End User Security and Cloud Solutions at Sophos. “Employees shouldn’t have to care about whether their emails are encrypted or their data is secure.”
THE WEAKEST LINK -- PEOPLE
The Verizon 2016 Data Breach Investigations Report (DBIR) backs up Ward’s sentiments. It finds humans to be the weakest link in the vast majority of data breach incidents. Whether through phishing, improper disposal of information, misconfiguration of systems or lost devices, human error is at the root of most incursions.
The bad guys know this and they grow more sophisticated with each passing day. The study discovered that cyber criminals now lure more victims by crafting customized spam using regional vernacular, brands and payment methods. Ransomware cleverly disguised as authentic email notifications, complete with counterfeit logos, is even more believable and therefore more financially rewarding to the criminal. These scam emails impersonate local postal companies, tax and law enforcement agencies and utility firms, often including phony shipping notices, refunds, speeding tickets and electricity bills.
PASSING THE SECURITY BUCK TO THE CLOUD
The situation is worsened by the fact that many attempt to pass the security buck to the cloud. With cloud-based services being so pervasive in the enterprise, a dangerous misconception has emerged.
“Employees and even IT staff often assume incorrectly that their cloud provider has taken care of all their security needs,” says Ward.
“Many of these providers offer excellent security within their own infrastructure. But that doesn’t mean user data is fully protected.”
He uses the analogy of someone keeping money in a safe inside a house protected by a state-of-the-art home security system. Once that person walks outside the front door, the money in his or her pocket is no longer protected.
It’s the same with cloud security. Data may be encrypted, firewalled and malware-free when it is inside the service provider’s infrastructure. But when data is being transmitted to and from the cloud, it is at risk. Hackers know this and prey upon it.
AUTOMATED SECURITY: TAKING HUMAN RISK OUT OF THE EQUATION
Some companies leave it up to employees to encrypt sensitive emails or set security policies for their own data. All it takes is one slip and the entire network can be compromised.
“What it requires is an integrated approach to security with automated policies set at the company level,” says Ward. “It is possible to encrypt all data automatically whether it is at rest or in transit. You also need to set policy on what users can and can’t do and where they can and can’t go.”
THE FOUR KEY AREAS FOR IT TO ADDRESS
Ward identifies four key areas that IT security must address: data, devices, network and applications. Comprehensive enterprise security must be synchronized across each of these four zones.
User data must be encrypted at all times without the user even having to be aware of it. The security perimeter must extend to every server, laptop, tablet or phone – and to every nook and cranny of the network. Applications, too, must come in for special protection. According to the Verizon DBIR, web and cloud application attacks were responsible for the bulk of data disclosure incidents.
BUSTING THE ENTERPRISE RESPONSIBILITY MISCONCEPTION
With more and more functions being offloaded to the cloud, it is easy for vital security functions to fall between the cracks. End users believe that the IT department has everything under control and IT thinks the cloud provider has taken care of it.
“IT departments need to wake up to the fact that it is their responsibility to secure data being sent to the cloud,” says Ward. “Do your homework, know what level of protection cloud providers offer and make sure there are no gaps for cyber criminals to exploit.”
Ward cautions that there is no point product or silver bullet to ensure your data is fully protected and the enterprise stays incursion-free. It takes an integrated and automated system that protects data regardless of the device, application or network location.
“As the network perimeter continues to expand, automation is essential if security is to scale effectively,” says Ward.