By leaning into the right technology and shifting away from a default ‘no’ mindset, IT teams can foster an environment of better security compliance.
As more of us are working remotely, either part time or full time, IT security confronts an ever-growing challenge – a fractal perimeter that is difficult to visualise and even more difficult to protect. How can organisations adapt to ensure their workforce understands, accepts and is ready to respond to the threats that will seek them out? This is not a scenario to fear but rather one to embrace and address.
Remote workers are, in most cases, operating in a semi-hostile network environment. Home routers have grown in sophistication, and many provide intrusion detection, content filtering and adaptive controls. While the home network generally isn’t a prime site for direct intrusion, it is a target for phishing attacks.
Naturally, workers tend to feel safer in their homes than anywhere else. This can lead to them being less cautious and less suspicious of messages than they might be in a corporate office setting. Let’s be honest: training colleagues to appropriately respond to phishing attacks while in the office is hard enough. How do we engage our remote workers to act and react in the right way?
A significant part of the challenge is the perception of the team or teams delivering the guidance. Traditionally, the job of cybersecurity professionals has primarily been to say ‘No’, driven by a lack of granularity in the controls at our disposal. This leads to a view of privilege management where we approach control by looking to limit what a privileged user can do – effectively controlling by disabling or restricting access. This constraining approach to privileged access can impact end-users, disrupting their workflows and hampering their efficiency and productivity.
When cybersecurity teams are in a position to adopt an ‘enabling’ approach, we find that our narrative to the user-base flips from ‘No’ to ‘Yes’. This helps change the perception of the cybersecurity team. No longer the team who says ‘No’ all the time, they are now the team who let me run iTunes on my laptop. Not only that, but they let me install it and update it independently, empowering me to control my workplace.
Endpoint privilege management (EPM), one of the four core pillars of privileged access management, provides the most powerful and effective way of creating this positive atmosphere that delivers both robust security and respect for end-user productivity. With EPM, you can elevate specific applications and processes with the least privilege necessary to be productive. The user’s account is untouched throughout the process; they stay a standard user. This has the added benefit that disabling EPM, were that possible, would result in access only to a standard user account – the ultimate safety net and the antithesis of the ‘manage down’ approach that dominates today.
EPM also delivers a simpler security model. Looking at the administrator account in Microsoft Windows, it’s hard to know which of the 2,500+ controls in Group Policy restrict which capabilities of that account. It’s a little like trying to restrict physical access in an office building when your floor plan is incomplete. Have you locked all the right doors, desks and filing cabinet drawers, or is there a staircase or connecting door you’ve missed? Do we have to say no to access to the nicer printer because it’s in a room with something else that’s restricted? Providing a key, or keys, that only open the necessary doors gives the user explicit access without overspill and we aren’t left trying to work out if we’ve missed anything. There may be more ‘rules’ on the access, but it is easy to see what the resulting permissions are.
Hopefully, your mind is playing back times where this kind of granular control could have allowed you (and your team) to say yes in the past.
As a cybersecurity team transitions from the ‘No’ team to the ‘Yes’ team (within reason), they are more likely to be viewed in a positive light and perceived as more approachable. This perception shift may mean end-users are more likely to stay attuned to and comply with other guidance communicated by the security team.
No one wants friction when doing their job, and cybersecurity measures frequently deliver friction. We need to ensure friction is minimal while keeping the risk introduced from any access above the standard user as low as possible. Happy users are productive users – a nice side effect of EPM.
BeyondTrust provides the leading solution for EPM, combining privilege management and application control to efficiently manage admin rights on Windows, Mac, Unix, Linux and network devices, without hindering productivity. Visit beyondtrust.com to learn more.