The expert view: Securing the connected enterprise
4 May 2017
"What keeps me up at night? End users," said one attendee at a recent Business Reporter breakfast briefing about the challenges of securing the connected enterprise. Whatever the technological challenges of the cloud, external attackers and recruitment, it is the people inside the organisation that seem to worry most security professionals.
As one delegate, from a major bank, put it: "The more controls we put in place, the more problems that causes for ordinary users who just want to get their work done. Unfortunately, the harder it becomes to work, the more likely they are to go to shadow IT and insecure services." Others at the briefing, which was attended by senior IT professionals from a range of sectors, agreed that it has become difficult to stop employees from using services that are not sanctioned by IT.
Dropbox, WhatsApp and even Facebook were commonly used by employees who don't see the risk they are taking. "We have a lot of new graduates coming into the business who set up a Facebook page or WhatsApp group so that they can all chat and they don't think about the information they are sharing there," said one participant.
One attendee pointed out that it can be difficult to tell employees not to use a particular service if you can’t recommend a better alternative. Often, the reason that they are using the service in question is that the business has not provided a tool that does the same task with the same efficiency.
Another added that IT departments don’t help themselves by giving conflicting advice. “We tell them not to click links in emails and then we keep emailing links to them,” he said.
Some businesses have begun to explore new ways to train staff on security. One attendee said his company was having success with a monthly cartoon that explains a common security risk using a real story. He said the approach was so successful that some people actually ask to be signed up.
Another delegate said her company had put graphics around its offices reminding people what the approved tools and services are. That had the effect of subtly reinforcing the message and making people think twice before using a shadow IT service.
These are ‘carrot’ options, encouraging people to follow good security practices, but some businesses were considering more of a ‘stick’ approach. For staff who repeatedly make security mistakes or who continually fail training exercises, one attendee said her business was considering disciplinary action. If security is a responsibility of all staff, then it seems logical to discipline them if they fail in that responsibility.
If you take such an approach, warned another attendee, then you have to be willing to go through with it. The worst offenders for security breaches can often be senior executives, who can be impatient with official IT rules. Are you willing to discipline them along with more junior members of staff? The result could be embarrassing.
Andrew Edison, of Level 3, the company that sponsored the briefing, said that his business was seeing more and more companies that wanted to adopt cloud services so that they could become more agile but were concerned about the potential new security issues this could open up.
In some cases, one attendee said, this is not a process instigated by IT. “The business units are running headlong into cloud, while CIOs and CISOs chase after them trying to urge caution,” the attendee, from an international advertising firm, said. Another attendee added: “The vendors will approach the business and tell them that their competitors are using the service and so they could get left behind if they don’t do the same.”
Those at the briefing were divided as to how much of a concern cloud services should be. “If I can’t see it then I can’t protect it,” said one. However, others argued that there is little difference between cloud services and ‘on-premise’ data centres, which are provided by a third party anyway. “The difference between ‘your’ data centre, which says Fujitsu over the door, and one that says Amazon is probably quite negligible.”
All attendees agreed that it is getting harder to find good security staff. When you do find them, it can be even harder to keep them. Security professionals are scarce and highly sought after and so they can earn large salaries and move frequently whenever they want a new challenge. One delegate said that his firm had begun taking apprentices so that they could train their own security experts.
Ultimately, said one attendee, the fear is seeing your company on the front page of a newspaper because of a security breach. That is what every CIO wants to avoid.