Attack surfaces left wide open by your employees are a growing pain in the backside for organizations. Whether it’s social engineering, deliberate data theft, or a lack of IT security training, employees are often where data security trouble starts. As enterprises adopt newer technologies, the number of applications an employee uses in an average day keeps increasing. You are not the only one who knows this; so do the criminals who want to attack your systems, and they are using newer and more sophisticated tools to accomplish their goals.
Almost every bit of information your employees need, every update they need to log, and every communication they must send out goes through one application or another. This means that enterprises just can’t ignore the “people” aspect as they continue rollicking along the technology highway.
In this guide, we will cover some of the key IT security risks that enterprises need to address, keeping their employees at the center of the solution.
Risks from unsecured personal devices
BYOD strategies have delivered tremendous leverage to enterprises, not only letting employees connect from anywhere and seamlessly continue their work from locations outside the company’s network, but also reducing in-house device procurement costs. On the flip side, enterprises can’t fully control how their employees use their devices, or what security risks those practices lead to.
As BYOD expands throughout 2018, enterprises will need to invest in practices, processes, tools, and methodologies that help them secure all kinds of devices, BYOD included.
- Implement a comprehensive BYOD policy that includes Mobile Data Management, which gives your enterprise control over every mobile device that accesses your network, along with the option to restrict access and even wipe data if necessary.
- Provide an identity and access management solution for your employees, with multifactor authentication, so that unauthorized access is prevented.
- Help employees manage application and device settings to maintain data integrity and security.
- Use strong passwords, data encryption, application control policies, and secure Internet connections to eliminate threats.
The wearables risk
IoT devices are already performing superb functions in enterprises, from making predictive analytics useful for preventive maintenance of assembly line equipment to generating real-time information about the location and condition of shipped materials. Wearable devices can help employees get real-time updates from colleagues, get super-quick answers to process-related queries, and perform their work in a more productive and enjoyable manner.
Though the applications are mind-blowing, so are the security risks. IoT, for instance, will create so many endpoints in even a midsized enterprise that its threat surface will grow exponentially. It will also involve wearable technologies and devices that employees use both inside and outside the company’s network. Also, this data arrives as continuous streams, unlike the batched data flows that traditional IT systems are built around. With so many nodes and endpoints to target, cyberattackers have more opportunities to invade an enterprise’s network and execute their nefarious plans.
To address these challenges, at least from a wearable technology point of view, you need to create stringent wearable use policies and processes. Plus, because employees will make mistakes and try to bypass the process, wearable technology endpoints will need very specific security upkeep.
Outdated security training programs
Almost every organization depends on internal IT security training and mandatory courses for employees. Mostly, these courses are delivered online and require the employee to sit through a session of on-screen advice, generally followed by an evaluation. Also, such training is at best quarterly and more commonly done only once a year. Unfortunately, this approach, and the relevance and quality of the content in general IT security training, is not going to deliver many benefits in 2018.
This year will bring new IT security challenges of a sort enterprises have not quite faced before. Take IoT, for instance. Ask yourself: does my security training help my employees tell acceptable operational practices from risky ones while working with wearables? This is just one example of how enterprise internal IT security training and courseware need to be upgraded. The focus needs to move from basic computer and email security to the challenges that the latest enterprise technologies, such as IoT, BYOD, and hybrid cloud, bring.
Detecting employee behavioral problems
Human beings are creatures of habit: your employees come to the office at the same time, perform almost the same tasks daily, and work with the same technologies (and the same frustrations) daily. To make their work faster, it’s natural for them to cut corners, such as sharing passwords when their own access seems blocked (often out of the blue). Deep analytics can help companies monitor the way employees interact with technologies, and can quickly crunch the numbers to report potentially risky practices and clear policy violations. This lets your enterprise optimize training resources, deliver one-to-one training, and make application workflows more secure.
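The kind of habit-based analytics described above, as an added example that is not part of the original article: it learns each user’s usual devices and login hours from constructed login records, then flags a new device, an off-hours login, and one account active from two devices within minutes (the password-sharing pattern). The user names, device ids and addresses are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events: (user, timestamp, device id, source IP).
# Logins before the cutoff date form the "habit" baseline; later ones are scored.
SAMPLE_LOGINS = [
    ("alice", "2018-03-05 08:55", "lap-a1", "10.0.1.20"),
    ("alice", "2018-03-06 09:02", "lap-a1", "10.0.1.20"),
    ("alice", "2018-03-07 08:58", "lap-a1", "10.0.1.20"),
    ("alice", "2018-03-08 09:05", "lap-a1", "10.0.1.20"),
    ("alice", "2018-03-09 09:01", "lap-a1", "10.0.1.20"),
    ("bob",   "2018-03-05 10:10", "lap-b7", "10.0.3.44"),
    ("bob",   "2018-03-08 10:20", "lap-b7", "10.0.3.44"),
    ("alice", "2018-03-12 09:00", "lap-a1", "10.0.1.20"),  # habitual
    ("alice", "2018-03-12 09:07", "lap-b7", "10.0.3.44"),  # alice's account on bob's laptop, 7 min later
    ("bob",   "2018-03-12 10:15", "lap-b7", "10.0.3.44"),  # habitual
    ("alice", "2018-03-12 23:40", "lap-a1", "10.0.1.20"),  # habitual device, unusual hour
]

def parse(events):
    return [(u, datetime.strptime(ts, "%Y-%m-%d %H:%M"), dev, ip) for u, ts, dev, ip in events]

def build_baseline(events, cutoff):
    """Per-user habits learned from logins before `cutoff`: devices used and login hours."""
    base = defaultdict(lambda: {"devices": set(), "hours": set()})
    for user, ts, dev, _ip in parse(events):
        if ts < cutoff:
            base[user]["devices"].add(dev)
            base[user]["hours"].add(ts.hour)
    return base

def detect(events, cutoff_day, window=timedelta(minutes=30)):
    """Score logins on/after `cutoff_day` (YYYY-MM-DD) against the baseline.
    Returns (user, timestamp, reason) findings for the security team to review."""
    cutoff = datetime.strptime(cutoff_day, "%Y-%m-%d")
    base = build_baseline(events, cutoff)
    recent = sorted((e for e in parse(events) if e[1] >= cutoff), key=lambda e: e[1])
    findings = []
    for i, (user, ts, dev, _ip) in enumerate(recent):
        habits = base[user]  # a user with no baseline gets empty habits, so both checks below fire
        if dev not in habits["devices"]:
            findings.append((user, ts, f"new device {dev}"))
        if not any(abs(ts.hour - h) <= 1 for h in habits["hours"]):
            findings.append((user, ts, "login outside habitual hours"))
        # Same account active from two different devices within `window`: a credential-sharing signal.
        for prev_user, prev_ts, prev_dev, _ in recent[:i]:
            if prev_user == user and prev_dev != dev and ts - prev_ts <= window:
                findings.append((user, ts, f"concurrent session with {prev_dev}"))
    return findings
```

Running `detect(SAMPLE_LOGINS, "2018-03-12")` reports three findings, all for alice; bob’s habitual login on 12 March passes quietly.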
Know your people
Often, enhancing employees’ IT security readiness comes down to identifying the high-risk cases and addressing them. To that end, here are three practices you can implement:
- For all your IT systems that are integrated with vendor and customer systems through shared access, limit the rights of external users to the bare minimum, with clear workflows for them to request special access (citing valid justifications).
- For all your employees who are serving their notice periods, the prospect of taking some data with them often becomes too tempting to ignore; these are the cases that warrant a stronger watch.
- Monitor the tech engagement of employees with special access rights and pseudo-admin privileges.
The IT security landscape is changing, as it always has. Enterprises can’t afford to stick to their current stack of technologies; they need to grow, and in doing so, also ensure that their employees grow along with them.
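An access review that applies the three practices just listed, as an added example that is not part of the original article. It joins a constructed HR record (employee or external, and whether the person is serving notice) with the rights each account holds, and reports external elevated rights that lack an approved justification, elevated rights held during a notice period, and admin rights that need monitoring. All names, systems and the ticket reference are constructed placeholders.

```python
# Constructed sample data (not from the article): HR status per person, and the
# rights each account holds on each system, with any approved justification.
PEOPLE = {
    "alice": {"type": "employee", "notice_period": False},
    "carol": {"type": "employee", "notice_period": True},   # serving notice
    "dave":  {"type": "employee", "notice_period": False},
    "vend1": {"type": "vendor",   "notice_period": False},  # external, shared-access integration
    "cust2": {"type": "customer", "notice_period": False},  # external
}
ENTITLEMENTS = [  # (account, system, right, approved justification or None)
    ("alice", "crm",    "read",   None),
    ("carol", "crm",    "export", None),
    ("dave",  "erp",    "admin",  None),
    ("vend1", "portal", "read",   None),
    ("vend1", "portal", "write",  "ticket-4711 (placeholder): uploads invoices"),
    ("cust2", "portal", "write",  None),
]
EXTERNAL = {"vendor", "customer"}
ELEVATED = {"write", "export", "admin"}

def review_access(people, entitlements):
    """Apply the three practices to every granted right and return
    (account, system, finding) triples for the security team to act on."""
    findings = []
    for account, system, right, justification in entitlements:
        person = people[account]
        # 1. External users: elevated rights only through the special-access workflow.
        if person["type"] in EXTERNAL and right in ELEVATED and not justification:
            findings.append((account, system, f"external {right} access without approved justification"))
        # 2. Notice periods: elevated rights (export above all) get a stronger watch.
        if person["notice_period"] and right in ELEVATED:
            findings.append((account, system, f"{right} access during notice period: watch closely"))
        # 3. Pseudo-admin rights on business systems: monitor the account's engagement.
        if right == "admin":
            findings.append((account, system, "admin privileges: monitor engagement"))
    return findings

if __name__ == "__main__":
    for account, system, finding in review_access(PEOPLE, ENTITLEMENTS):
        print(f"{account:6} {system:8} {finding}")
```

The vendor’s write access passes because it carries an approved justification; the customer’s identical right without one is reported.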
Photo credit: Shutterstock