When Job Functions Are Not Cybersecure

This post first appeared on Risk Management Magazine. Read the original article.

In today’s connected, cloud-based computing environment, you
often hear that security is part of everyone’s job. Unfortunately, not all
parts of all jobs can be entirely secure—particularly when operational policy
and security solutions are directly at odds. 

In these circumstances, companies have to accept risky
activity that they might otherwise prohibit. Employees are all aware—or should
be—that opening attachments from outsiders poses a potential threat to the
corporate network. Major breaches have resulted from phishing attacks in which
employees thoughtlessly clicked on an attachment or link. This can happen even
when attachments come from a trusted source, who could be sending a file that
has been compromised with or without their knowledge.

Yet some employees have no choice but to open attachments
from outsiders. Human resources professionals, for example, routinely open
prospective employees’ resumes when looking for new hires. Financial managers
review spreadsheets from outside organizations while negotiating deals. What
choice do they have but to click on an email, or open the file? Their job
function demands it.

Security Solves Some Problems and Exacerbates Others

Companies have implemented many different mitigation
strategies to quell the risks of opening malicious documents, often
inadvertently impacting employee efficiency as a result. Tools like antivirus
software and sandboxes have been used to try to protect businesses from
malware-laden documents. Companies have implemented security awareness training
to teach employees to identify attacks before they can cause problems. And yet,
they do not make allowances for employees when these strategies impact job
function efficiency. In turn, organizations find themselves frustrated by the
workarounds employees ultimately feel they need to use.

Employees should not have to choose between doing their jobs
and keeping malicious content out of their organization’s network. Relying on
employees to stop incoming breaches not only prevents them from operating at
maximum efficiency, it also leaves organizations at the mercy of human error.
Even if 99% of an organization’s users take every precaution, a 1% miss rate
leads to a guaranteed chance of infection—which means 100% of these users will
have misallocated time and resources on an ineffective security policy.

Fear of the Unknown Obscures Answers

Security practitioners are aware these threats exist, but
too often their knowledge ends there. A recent Ponemon Institute survey found
that IT security professionals’ biggest concerns are unknown threats, which
continue to rise as exploits of known vulnerabilities fall. However, the traditional
security measures are clunky and inhibit productivity in the current
landscape—and more than half of respondents say their endpoint security
solutions are ineffective at detecting attacks. Rather than pulling out the safe
elements of a file, these solutions try to pinpoint its malicious aspects.
This can fall short when new malicious activity enters the cyber
ecosystem faster than the security tools meant to combat attacks can keep up.

Antivirus tools, which are designed to counter known threats
through signature-based threat identification, cannot keep pace in a
fast-moving cloud environment rife with mobile access, third-party software,
storage services like Dropbox, and a variety of collaboration platforms like
Slack and Zoom. All of these can introduce threats. Background processes
increase latency, causing machine slowdown and affecting user productivity.
These tools block files unnecessarily, and users may still open flagged files
accidentally. Ponemon’s survey also found that antivirus tools missed 60% of
attacks on average, while producing a high volume of false positives.

Next-generation antivirus software takes a proactive
approach and adds tools such as artificial intelligence, but also produces a
high rate of false positives, which can disrupt business processes and waste
users’ time, and still looks for known vulnerabilities and anomalous behavior.
Minerva Labs found that 86% of the exploit kits that cybercriminals deploy to
attack system vulnerabilities use evasive techniques that can get around those
security solutions.

Sandboxing, which isolates malware before it gets into a
production environment, has been known to catch some attacks, but it has
downsides as well. Large files can cause bottlenecks in the sandbox,
slowing down operational workflow and reducing productivity. As a result, users
are left waiting to receive files from the sandbox. In addition, this
technology requires extensive IT resources, time and money.

Empowering the Enterprise and Employees

Security should not be about building fences to keep out bad
actors and malicious activity at the expense of the user. Instead, we should
strive to build bridges to allow safe information to travel freely within an
organization and among the partners and third parties it works with.
Organizations must figure out how to let their people work without compromising
on security. To this end, some gaps in traditional technologies can be filled
with new innovations that break down and reconstruct incoming files, removing
threats before they get to the network. Rather than identifying threats and
malware, this kind of technology seamlessly recreates files in a clean state,
maintaining the file’s usability. Implementing such a process builds trust
between management and the employees who must open documents as part of their
job function.

Beyond technology, company leadership must also implement
more holistic solutions to fill gaps and keep the workforce both secure and
efficient. No solution is one-size-fits-all, and robust programs require
various tactics to be used in tandem. As a first (and free) step, cybersecurity
experts recommend that enterprise leadership connect with IT and security teams
to audit what is working and what is not, from both a technical and a
procedural perspective. This initial step is key, because gaps cannot be
properly filled without understanding where they are.

An additional mapping exercise should focus on productivity
and increasing alignment between employees and the security team. In many
cases, employees are averse to security protocols that hamper their day-to-day
work productivity, and this may lead some to use an ecosystem of shadow IT
solutions to get around restrictive security measures.

With this in mind, it is imperative for enterprises to
develop a cybersecurity culture in which security leaders behave as
business enablers instead of business blockers. This can be achieved by
identifying and proactively changing the instances in which employees are
blocked from doing their tasks because of security policy. Organizations need to
prioritize both productivity and security when developing their cybersecurity
culture. They must continue to assess employees’ attitudes toward the corporate
security policy and their ability to perform job functions.

Communicating about company security is not a one-and-done
activity. In fact, one of the best ways to address security gaps is to instill
better communication on the topic throughout the company. When executives
facilitate better communication and collaboration between IT and other
departments across an organization, they enable employees to better understand
what threats they might encounter on a daily basis and the security resources
available. In addition, opening the door directly to IT and allowing them to
engage with employees throughout the company allows employees to become much
more comfortable and knowledgeable about where to seek guidance if they
encounter suspicious activity.   

However organizations choose to protect their network, leaders
and IT must accept that some job functions are not cybersecure, and that the
onus cannot be reliably placed on end users to navigate an insecure
environment. To stay ahead in the age of digital business, companies must
prioritize productivity and efficiency in concert. For enterprise leaders,
identifying a way to fold top-level security into this new landscape with
minimal impact on operations is not only critical, it will soon be unavoidable.
