With a survey finding that 80% of respondents admitted to at least one activity over the past year that could have put their organization’s cybersecurity at risk, Joseph Carson, Chief Security Scientist and Advisory CISO, ThycoticCentrify, tells us we must make security usable and help the employee be successful.
The massive shift to remote or hybrid working since 2020 means protecting cloud services, cloud access, remote endpoints and data in transit has become just as important as safeguarding an organization’s network perimeters.
Endpoints are no longer only the devices people use; they are also the applications, which are now hosted anywhere and everywhere. This highlights that traditional on-premises network security solutions are not sufficient to protect endpoints or remote users, and that the new security perimeter is identities and privileged access.
As a consequence, users now need a multitude of credentials and authentication methods to be able to access applications, many of which no longer sit behind the organization’s firewall. That’s why solutions like single sign-on and privilege-based access security have come to the forefront. They help manage the complexities of authentication and authorization without being a burden to users.
In this context, the results of a global survey commissioned by ThycoticCentrify – with over 2500 knowledge workers from organizations in the Asia Pacific region responding – make for concerning reading. The survey found that around four out of five respondents have engaged in at least one risky activity which could put their organization’s digital security at risk over the past year (Australia/NZ 83%, Singapore/Malaysia 81%, India 90%, Japan 67%). This included:
- 35% who saved passwords in their browser (Australia/NZ 43%, Singapore/Malaysia 36%, India 39%, Japan 28%)
- 32% who used one password to access multiple sites (Australia/NZ 42%, Singapore/Malaysia 37%, India 33%, Japan 24%), and
- 23% who connected a personal device to the corporate network (Australia/NZ 25%, Singapore/Malaysia 29%, India 36%, Japan 13%).
Comprehensive and continuous risk assessment
In dealing with this risk landscape, a classic mistake has been to approach cybersecurity from the standpoint of individual endpoints. A better approach is to begin with a comprehensive and continuous risk assessment of the data, and of the applications through which that data is accessed. That is what cybersecurity is actually designed to protect. Our job is to help reduce the risk to the organization’s business and help employees be successful.
There is another element which is often overlooked: employee education in cybersecurity issues. Educating users remains valuable, although human defenses can never be the whole story in a risk-based cybersecurity strategy. After all, it is exactly what cybersecurity teams have been trying to do with varying degrees of success for 20 or 30 years.
Looking at the survey data, just 44% of respondents received cybersecurity training in the past year (Australia/NZ 43%, Singapore/Malaysia 54%, India 64%, Japan 37%). This meant that more than half of the employees surveyed were left to cope alone with the fearsome threat landscape created by home working. Smaller organizations were the least likely to have given their staff cybersecurity training over the past year.
That doesn’t mean we should stop trying. Cyber-awareness training must evolve into a long-term, continuous cyber-education strategy that addresses awareness, behavior and culture. We still want better educated users to be able to identify risks and report them, even if they can’t always prevent incidents. The more people you have on the front line who are able to report risks, the earlier you will know about them and the better you will be at reducing them or preventing them from turning into cyber-catastrophes.
Background security controls
At the same time, we want to make sure that when users click on the wrong link, for example, the security controls in the background will detect potential risks. They should bring important information to the foreground that users need and report the incident for additional checks. The more we move security to the background, where we make security work automatically and seamlessly, the better it is for the user and the organization. We must make security usable and help the employee be successful.
It is not just enterprise users who connect to networks and introduce risk to an organization’s systems and data integrity. Today many thousands of devices connect through a network: the Internet of Things (IoT) exists to a greater degree than many people imagine. Ensuring that machine security and identity are part of the risk assessment is now a critical part of cybersecurity practice.
Take, for example, an IoT network in which one device might drop off the radar then reappear a few hours later. In an intelligent, adaptive cybersecurity framework, such an event should raise a red flag until such a time as the reasons for the outage can be determined.
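The detection the paragraph describes, as an added example that is not part of the article or of any ThycoticCentrify product: a small Python check over a constructed heartbeat log that flags a device which went silent for longer than a tolerated number of missed beats and then reappeared, keeps the flag open until an analyst records the reason, and separately lists devices that are still silent right now. The log format, device names, interval and thresholds are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample heartbeat log (format assumed: "<ISO timestamp> <device_id> heartbeat").
# sensor-17 drops off after 08:05 and reappears at 08:30; sensor-22 is continuous;
# sensor-31 is heard once and never again.
SAMPLE_LOG = """\
2021-06-01T08:00:00 sensor-17 heartbeat
2021-06-01T08:00:00 sensor-22 heartbeat
2021-06-01T08:00:00 sensor-31 heartbeat
2021-06-01T08:05:00 sensor-17 heartbeat
2021-06-01T08:05:00 sensor-22 heartbeat
2021-06-01T08:10:00 sensor-22 heartbeat
2021-06-01T08:15:00 sensor-22 heartbeat
2021-06-01T08:20:00 sensor-22 heartbeat
2021-06-01T08:25:00 sensor-22 heartbeat
2021-06-01T08:30:00 sensor-17 heartbeat
2021-06-01T08:30:00 sensor-22 heartbeat
"""

EXPECTED_INTERVAL = timedelta(minutes=5)  # assumed beat interval
MAX_MISSED = 3                            # tolerate three missed beats before flagging


@dataclass
class Flag:
    device: str
    last_seen: datetime
    reappeared: datetime
    gap: timedelta
    reason: str = ""  # empty until an analyst explains the outage


def parse_heartbeats(text):
    """Turn log lines into (timestamp, device) pairs, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != "heartbeat":
            continue
        events.append((datetime.fromisoformat(parts[0]), parts[1]))
    return events


def find_gaps(events, expected=EXPECTED_INTERVAL, max_missed=MAX_MISSED):
    """Flag every device that went quiet for more than max_missed beats and then came back."""
    threshold = expected * max_missed
    last = {}
    flags = []
    for ts, dev in sorted(events):
        if dev in last and ts - last[dev] > threshold:
            flags.append(Flag(dev, last[dev], ts, ts - last[dev]))
        last[dev] = ts
    return flags


def silent_devices(events, now_iso, expected=EXPECTED_INTERVAL, max_missed=MAX_MISSED):
    """Devices whose most recent beat is older than the threshold as of now (still missing)."""
    now = datetime.fromisoformat(now_iso)
    threshold = expected * max_missed
    last = {}
    for ts, dev in events:
        last[dev] = max(ts, last.get(dev, ts))
    return sorted(dev for dev, ts in last.items() if now - ts > threshold)


def acknowledge(flags, device, reason):
    """Record the determined cause; only then does the flag stop being open."""
    for f in flags:
        if f.device == device and not f.reason:
            f.reason = reason


def open_flags(flags):
    """Flags whose cause has not yet been determined."""
    return [f for f in flags if not f.reason]


if __name__ == "__main__":
    ev = parse_heartbeats(SAMPLE_LOG)
    for f in find_gaps(ev):
        print(f"{f.device}: silent {f.gap} from {f.last_seen} to {f.reappeared}")
    print("still silent at 08:40:", silent_devices(ev, "2021-06-01T08:40:00"))
```

The flag is deliberately not cleared when the device reappears; it is cleared only by `acknowledge`, which is the "until the reasons for the outage can be determined" part of the paragraph.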
Aside from IoT devices and cloud applications’ redefinition as endpoints that need cybersecurity consideration, 2020 and 2021 have writ large the issue of bring your own device or BYOD. Or perhaps that should be bring your own disaster or even, soon, bring your own office!
Introducing Endpoint Privilege Management
Many millions of words have been written about the different ways in which organizations can help their users demarcate between work and personal applications and/or workloads on their laptops, smartphones and other devices. However, the new normal demands a more finely tuned approach, something we call Endpoint Privilege Management.
To access my work email, it might be perfectly fine to authenticate with a username, password and multi-factor authentication. But if I want to access customer data, that level of security control is not satisfactory. I can’t just move across and use the same security controls to access sensitive data. We refer to that as ‘leveling up’, in the sense that you must satisfy more stringent security controls. These additional security controls can be quite granular and context specific. For example, when I tried to access sensitive company information on a business trip in another country – you may remember those – I got a notification from my team. That’s because our automated systems had flagged my behavior as anomalous against the company’s policies.
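The "leveling up" decision described above, as an added example that is not the article's or ThycoticCentrify's code: a small Python policy evaluator that assigns an assurance level to a session from its factors and device, compares it with the level each resource demands, asks for step-up when the session falls short, and, for sensitive resources accessed from outside the user's usual countries, holds the request for review and notifies the security team. The level scale, resource names, factor names and the notion of "usual countries" are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed assurance scale, weakest to strongest.
LEVEL_PASSWORD = 1
LEVEL_MFA = 2
LEVEL_MFA_MANAGED_DEVICE = 3

# Constructed policy: the level each resource demands.
RESOURCE_POLICY = {
    "work-email": LEVEL_MFA,
    "customer-data": LEVEL_MFA_MANAGED_DEVICE,
}

MFA_FACTORS = {"totp", "push", "fido2"}  # assumed second-factor names


@dataclass
class Session:
    user: str
    factors: frozenset        # e.g. frozenset({"password", "totp"})
    managed_device: bool      # True when the device is enrolled and compliant
    country: str              # where the request is coming from


@dataclass
class Decision:
    outcome: str              # "allow", "step_up" or "review"
    reason: str
    notify_team: bool = False # True when the security team should be told


def assurance_level(session):
    """Map what the session has proven so far onto the assurance scale."""
    if "password" not in session.factors:
        return 0
    if not (session.factors & MFA_FACTORS):
        return LEVEL_PASSWORD
    return LEVEL_MFA_MANAGED_DEVICE if session.managed_device else LEVEL_MFA


def evaluate(session, resource, usual_countries):
    """Decide whether the session may reach the resource, must level up, or is held."""
    required = RESOURCE_POLICY.get(resource)
    if required is None:
        # Unknown resource: no policy means no access rather than default allow.
        return Decision("review", f"no policy defined for {resource}", notify_team=True)
    have = assurance_level(session)
    if have < required:
        return Decision("step_up", f"{resource} needs level {required}, session is level {have}")
    if required >= LEVEL_MFA_MANAGED_DEVICE and session.country not in usual_countries:
        return Decision(
            "review",
            f"{session.user} reached for {resource} from {session.country}, "
            f"outside usual locations {sorted(usual_countries)}",
            notify_team=True,
        )
    return Decision("allow", "policy satisfied")


if __name__ == "__main__":
    travelling = Session("jcarson", frozenset({"password", "totp"}), True, "JP")
    print(evaluate(travelling, "work-email", {"SG"}))
    print(evaluate(travelling, "customer-data", {"SG"}))
```

Note that the same session is enough for email but is held for customer data once the country is unusual: the controls are tied to the resource and the context, not to the login alone.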
Even though the technology used in situations like this is extremely sophisticated under the hood, for the user simplicity is vital. One of my mentors told me many years ago that security should be like a light bulb or electricity. You hit the switch, and you don’t need to know the complexity in the background, it just works for you.