The devices (PCs, laptops, smartphones) we use to connect to our corporate IT networks are a problem. We need to keep these “endpoints” secure.
Teiss Head of Consulting and Training, Jeremy Swinfen Green, considers six ways of achieving endpoint security.
The corporate IT network is like a Swiss cheese: there are holes all over the place. This isn’t news. But the prevalence of ransomware attacks has started to concentrate people’s minds on this problem.
The problem with BYOD
“Bring your own device” is here to stay in most organisations. The days when employees would sign on to a single desktop PC to access company information are gone. Now we typically sign on with a variety of corporate and privately owned devices. And when the devices that sign on and off the corporate IT network are largely unknown or unmanaged, it’s hard to protect sensitive corporate information.
Of course there are ways around this problem.
Solution 1. Ban unauthorised devices
You can simply prevent all but authorised devices from connecting. That is a solution that is effective at delivering cyber security.
But it comes at the cost of reduced corporate efficiency, and often employee morale as well.
Solution 2. Use endpoint security systems
Alternatively you can implement endpoint security systems. These can be very effective, if implemented properly. But they can be expensive and so they are not for everyone.
They do need to be set up correctly, though. And, as a recent Ponemon study [registration required] showed, they are not always effective.
“Dark endpoints” (rogue, out-of-compliance, or off-network devices) create blind spots. This increases an organisation’s vulnerability to attack even when endpoint security systems are implemented. And by some counts up to 50% of endpoints could be vulnerable to attack.
Typical endpoint vulnerabilities include:
- Properly protected laptops leaving the safety of the corporate IT network and logging on via an insecure Wi-Fi connection
- Employees using personal devices that have insufficient protection and that have been compromised with malware to log on to a corporate IT network
- Supposedly safe smartphones that have been jailbroken (or rooted) by their owners and which become unsafe as a result
- Home computer networks that are insecure
- Secure personal devices that are shared with friends and family members
Many of these endpoint vulnerabilities may be “illegal” in that they go against agreed corporate policies and standards. But just because a policy has been agreed, it doesn’t mean that employees will comply with it.
So any endpoint security software solution you implement needs to be set up along with consideration of how human factors (see solution 5) impact on cyber security.
Solution 3. Protect the data with encryption
As you can’t always protect your IT network from rogue endpoints you might consider protecting the data with encryption.
You probably won’t want to protect all your data this way of course. Insisting that every last document is encrypted would be very inefficient.
But you could at least designate certain documents as being so sensitive that they need to be encrypted wherever they are stored and whenever they are transported from place to place.
Solution 4. Restrict access to the data
An alternative, and essential, method of protecting sensitive data is to restrict access to it.
Most organisations will restrict access to some data, financial or HR files for instance. But it is often the case that many sensitive operational files – customer lists, strategic plans, new designs – remain open to far too many people.
The fewer people there are with access to a document, the fewer people who can store it on an insecure personal device.
Solution 5. Address human factors
Employees are often thought of as the weakest link in the cyber security chain.
And, through no fault of their own, they often are.
While a small minority may maliciously sabotage cyber security, most make genuine mistakes.
They don’t realise how dangerous public Wi-Fi can be. They don’t understand how to protect their home network. They don’t appreciate that their smartphone contains a great deal of sensitive data (including data about themselves) and so it needs to be secured.
And so, if you are allowing people to bring their own device to work, you need to educate them about how to use it safely; you need to keep them aware of the rules around cyber safe behaviour; and you need to ensure that the culture of your organisation motivates them to take personal responsibility for information security.
Full disclosure: we run training about this stuff.
Solution 6. Don’t forget network security
Finally, don’t forget that network security is still important. Think of it as the skin of your organisation, keeping most but not all infections out.
Strong network security won’t be 100% secure. But weak network security will inevitably mean you suffer a breach at some point.