Striking the balance between employee productivity and data security
Posted by Andrew Moore, Director, DAV Management.
There has been a definite increase in threats from data security breaches in recent times. It seems that hardly a day goes by without a headline proclaiming some sort of cyber attack. Last year we saw a major breach at mobile service provider, Three and much talk of state sponsored hacking in relation to the US presidential election. More recently, organisations across the globe were hit by the WannaCry ransomware attack and before that, it was revealed that as many as one billion Yahoo user accounts have been affected in a hacking attack that dates back over three years. Typically, the perpetrators of these crimes remain hidden, leaving most of us to wonder how such an incursion can be achieved, given the scale of investment those organisations affected will have made in cyber-security.
The bad news is that the threat of data security breaches looks set to get worse. The Internet of Things (IoT), with its seemingly insecure network access points and the explosion of mobile devices that connect so readily to the networks we depend on in our private and work lives, provide opportunities for the unscrupulous to hack into sensitive and private data. It seems that even the cameras and voice recorders on our mobile devices can be turned against us – hi-jacked by malware introduced unwittingly to ‘spy’ on meetings and conversations. Ian Fleming would have had a field day with such a prospect.
Hackers themselves are changing tack. Instead of spending long hours trying to crack the security surrounding a corporate network, how much easier to simply dupe an employee into giving you their trusted login details – as was suspected in the Three breach mentioned above.
Back in the day it all seemed so much simpler. When people talked about ‘connected devices’, they were referring to desktop computers or terminals, which were connected to internal networks or remotely by private networks. System administrators had complete control over who could access what and everything else was safely managed in secure data centres. Nowadays, the growth of remote workers and flexible working patterns has changed all of this, resulting in a mobile revolution. And with it has come an explosion in threat levels.
In today’s workplace, there is very much a culture of BYOD (bring your own device) with employees encouraged to use the software and tools that they feel most comfortable with. This combined with the use of collaborative working tools like Dropbox, Evernote, OneDrive and Google Docs has created something of an ‘alternative’ IT structure, where the boundaries between personal and business use are blurred and network communications are facilitated by devices designed to make this as quick and easy as possible. What’s more, these technologies engender a sense of collaboration and efficiency amongst users and this promotes a belief that they are actually working in the best interests of their employer. In most cases this is probably true, which is just as well since the underlying technology is now embedded in the developed world’s work/life culture.
But this presents organisations with a real paradox, particularly major corporates that have large numbers of users and huge amounts of sensitive data. On the one hand, organisations want to maximise employee performance and increase productivity, innovation and collaboration, all of which are enabled and, indeed, enhanced by mobile technology. On the other, many mobile apps don’t meet corporate standards for data protection and encryption. These apps can also consume large amounts of bandwidth from corporate networks and, as a consequence, can have a significant impact on performance as well as cost.
All this presents a real challenge to organisations already under pressure to reduce the spiralling costs of cyber-security and there is a growing sense that to further empower the productivity of employees and teams through the use of mobile technology, whilst protecting sensitive data, will require the adoption of new strategies for cyber security.
Of course, this is easier said than done, users are now ‘connected’ to their mobile devices via lifestyle choices. Millennials and younger generations are ‘natives’ to this technology and it is questionable whether this bond can ever be broken. Resistance to the introduction of restrictions around devices will no doubt be strong but the balance must be struck in order to achieve a successful and secure working environment.
It’s important to get the basics right and a scan of the industry media indicates a growing consensus on the must haves: clear policies on device usage and security, a proactively promoted culture of security, and regular awareness training. These factors need to be implemented company-wide but are particularly important for so called privileged users, who, as indicated earlier, are arguably now more at risk of being targeted by the cyber-criminal fraternity.
Organisations can and should make better use of existing technology and procedures such as multi-factor authentication, or 2FA, which requires not only a password and username but also something that only that user has access to, such as smart keypad. Admittedly, this technology has been around for some time and may sound relatively unsophisticated but simplest is often best.
Companies should also begin to encourage the adoption of compliant technology. I read in a recent report that a number of large US based financial service organisations have begun to provide their employees with corporate issued smartphones. By doing this, these organisations were able to provide a user experience to all of their employees similar to that enjoyed when using their personal devices, thereby encouraging uptake, whilst ensuring appropriate levels of security. The report concluded that in such circumstances fewer employees were using personal devices for business. At the extreme end of the scale there is a growing school of thought that suggests the entire security model should be rethought. For example, in this article on The Register, it is suggested that the answer is to put less focus on preventing unauthorised access and more on monitoring what’s actually going on within the network. This postulates on the development of automated security where machines look after themselves. Whilst fans of the Terminator movies may equate this to Skynet, the developments currently happening in artificial intelligence technology make it all the more plausible in the near future.
As the report indicates, the mind-set must be to assume that your data will be hacked and stolen at some point. It argues that, rather than spending incrementally more to prevent unauthorised entry, organisations need to begin developing strategies that work from the inside out to nullify the threat, or design solutions that make stolen data useless. Today, it is more a question of not if, but when an attack will come, therefore organisations must be armed with intelligence that allows them to get to the root cause of the attack and deal with it quickly. In addition to this, if organisations can develop the capability to prioritise, they can remediate the most dangerous threats first. Achieving this kind of step change would certainly help strike the balance between increased mobile app usage and data security.
It is a constant battle between the good guys and the bad, each seemingly leapfrogging the other. The bad guys can also sometimes be entire countries and state sponsored hacking is a clear and present threat, taxing the minds of many governments. The UK is already planning to spend £1.9bn on cyber security in the face of what Philip Hammond described as a ‘sovereign threat to the UK’s cyber space’.
Cyber-security is a strategic issue that all organisations must face up to as the threats and consequences of data theft increase in proportion to the rewards enjoyed by the perpetrators. Whatever strategy you adopt be prepared to play a long game. Until network security can indeed look after itself, it will be necessary to constantly adapt and change to protect your sensitive and valuable data and the fortunes of your business.