How Companies Can Stop Choking on Security
The job of a CISO is harder than ever before. Read on to see what security professionals can do to upgrade their enterprise-level security protocols.
Every week, new reports fill the online journals with instances of yet another phishing attack, Trojan or other piece of malware that has infected an enterprise. It is enough to make you wonder why CISOs don't buckle down and enforce cybersecurity policy more strictly. The thinking is that if stringent security policies are created and communicated, employees will follow them. But, as a recent blog on Clutch reported, "being subject to a company's cybersecurity policy does not guarantee that employees follow it."
The conclusion of Clutch's report, "Employees Use Personal Devices to Access Company Email and Shared Documents, Despite Lack of Regulations," is an uncomfortable one, and it forces CISOs to ask how to reverse a pattern that looks intractable. How does a CISO get employees to act securely without making them fight the security policy? How can something as demanding as cybersecurity become palatable to employees?
The Challenge of the Status Quo
The problem with typical approaches to improving security is that they impede business workflow. Passwords, for example, are the primary security control most employees ever touch. Yet most employees take a very simple approach to them, changing a character or two from one month to the next, and only a minority adopt stronger measures such as a unique password for every account or two-factor authentication.
Employees skip these stronger measures because they are hard to set up and harder to maintain. When an employee sees a tradeoff between getting the job done and following a prescribed security practice, most simply find a way around the policy in order to work. As a result, in organizations large and small, sensitive IP, personally identifiable information and other highly confidential material ends up unprotected in documents and emails.
Additionally, focusing on password rotation and authentication obscures the fact that "normal" email and document sharing are themselves an entry point into the whole company system. An April 2018 report from Infosec Institute noted a significant rise in business email compromise aimed at executives, often beginning with a brute-force guess of the executive's password; the compromised mailbox is then used to steal important corporate information. Yet most employees continue to believe that important information will somehow look different from everyday communications.
Changing How We Think
In the end, employers are running an arms race with intruders, building ever taller walls and instituting ever more complex password policies in the hope that the walls will protect their important assets. The taller walls are not working. What we need to accept is that criminals will always find a way over these layers of protection and into the servers and cloud services behind them.
Instead, employers and their CISOs need to rethink the security paradigm: assume that the cloud will be attacked and that passwords will be stolen. Taking that as a given saves time and money and avoids a great deal of frustration, because the question changes from how to keep attackers out to how to make what they steal useless. The answer is to encrypt the data itself. With end-to-end encryption, each message or file is encrypted to the recipient's public key and can only be decrypted with the matching private key, which the server never holds; a breach of the server yields ciphertext and nothing more.
An important additional component of this paradigm shift is to ensure that there is no central point of trust. Like the two-person rule in nuclear launch procedures, which requires several people to concur before anything happens, this shift prevents any one super-user or administrator from holding a key that grants unfettered access to corporate data. If no single person owns such a key, there is no single person an attacker can compromise to reach every corporate asset. At PreVeil, we call the owners of this distributed trust "Approval Groups."™
An Approval Group requires that X out of Y designated people agree before a privileged activity can occur. Under this kind of distributed trust an attacker has to compromise X people at once rather than one central account, and the design focus moves to limiting the attack surface that any single compromised account exposes.
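One standard way to build an X-out-of-Y control like the one described above is Shamir's secret sharing: the privileged secret (say, an account-recovery key) is split into Y shares, any X of which reconstruct it while X-1 reveal nothing. The example below is added here to show that construction end to end; it is not PreVeil's code, and the page does not describe how Approval Groups are actually implemented. The names `Split`, `Combine` and `ApprovalGroup`, the choice of the secp256k1 field prime, and the 3-of-5 scenario are all assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

// Arithmetic is modulo the secp256k1 field prime 2^256 - 2^32 - 977 (an assumption
// for this example); a 32-byte key fits unless it is >= the prime, which Split rejects.
var prime, _ = new(big.Int).SetString(
	"fffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f", 16)

// Share is one approver's piece of the secret: a point (X, Y) on a random polynomial.
type Share struct{ X, Y *big.Int }

// Split produces n shares of secret such that any `threshold` of them recover it
// and any fewer reveal nothing about it (Shamir's secret sharing).
func Split(secret []byte, threshold, n int) ([]Share, error) {
	if threshold < 2 || threshold > n {
		return nil, fmt.Errorf("need 2 <= threshold <= n, got %d of %d", threshold, n)
	}
	s := new(big.Int).SetBytes(secret)
	if s.Cmp(prime) >= 0 {
		return nil, fmt.Errorf("secret does not fit in the field")
	}
	// f(x) = s + a1*x + ... + a(t-1)*x^(t-1) with random a_i, so f(0) is the secret.
	coeffs := []*big.Int{s}
	for i := 1; i < threshold; i++ {
		a, err := rand.Int(rand.Reader, prime)
		if err != nil {
			return nil, err
		}
		coeffs = append(coeffs, a)
	}
	shares := make([]Share, n)
	for i := range shares {
		x := big.NewInt(int64(i + 1)) // x = 0 is never handed out: f(0) is the secret
		shares[i] = Share{X: x, Y: evalPoly(coeffs, x)}
	}
	return shares, nil
}

// evalPoly evaluates the polynomial at x by Horner's rule, mod prime.
func evalPoly(coeffs []*big.Int, x *big.Int) *big.Int {
	y := new(big.Int)
	for i := len(coeffs) - 1; i >= 0; i-- {
		y.Mul(y, x).Add(y, coeffs[i]).Mod(y, prime)
	}
	return y
}

// Combine interpolates f(0) from the shares (Lagrange) as a size-byte value so leading
// zeros survive. Too few shares still yield a value, just an unrelated one, so the
// quorum check lives in Approve, not here.
func Combine(shares []Share, size int) []byte {
	secret := new(big.Int)
	for i, si := range shares {
		num, den := big.NewInt(1), big.NewInt(1)
		for j, sj := range shares {
			if i != j {
				num.Mul(num, new(big.Int).Neg(sj.X)).Mod(num, prime)
				den.Mul(den, new(big.Int).Sub(si.X, sj.X)).Mod(den, prime)
			}
		}
		term := new(big.Int).Mul(si.Y, num)
		term.Mul(term, den.ModInverse(den, prime))
		secret.Add(secret, term).Mod(secret, prime)
	}
	return secret.FillBytes(make([]byte, size))
}

// ApprovalGroup gates one privileged secret behind Threshold distinct approvers.
type ApprovalGroup struct{ Threshold, Size int } // Size = secret length in bytes

// Approve releases the secret only when enough distinct members have contributed;
// the same member submitting their share twice does not count as two approvals.
func (g ApprovalGroup) Approve(approvals []Share) ([]byte, error) {
	seen := map[string]bool{}
	for _, a := range approvals {
		if seen[a.X.String()] {
			return nil, fmt.Errorf("duplicate approval from member %s", a.X)
		}
		seen[a.X.String()] = true
	}
	if len(approvals) < g.Threshold {
		return nil, fmt.Errorf("need %d approvals, got %d", g.Threshold, len(approvals))
	}
	return Combine(approvals[:g.Threshold], g.Size), nil
}

func main() {
	key := make([]byte, 32) // constructed example: a random 256-bit recovery key
	rand.Read(key)
	shares, _ := Split(key, 3, 5) // five administrators hold one share each
	group := ApprovalGroup{Threshold: 3, Size: 32}
	got, err := group.Approve([]Share{shares[4], shares[0], shares[2]})
	fmt.Println("3 of 5 approve:", err, "recovered:", string(got) == string(key))
	_, err = group.Approve(shares[:2])
	fmt.Println("2 of 5 approve:", err)
}
```

The point to notice is where the quorum is enforced: the mathematics of `Combine` happily returns garbage for two shares, so the X-of-Y rule has to be a deliberate check in `Approve`, and a real deployment would also keep each share on its owner's own device rather than collecting them on a server.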
This philosophy toward data and email management lies behind PreVeil's secure email and drive manager. Our paradigm is that servers and email will be attacked, so we encrypt emails and files to the recipients' public keys, and the matching private keys never leave the user's personal device, where the content is decrypted. Access therefore rests on "possession" of the device and its key rather than on "knowledge" of a password.
This manner of encryption may sound complicated, but the user sees none of it: the software sits alongside existing office tools and works on top of them, so security becomes part of the ordinary workflow rather than an extra step.
Employees want to do the right thing, yet their actions often make them victims of schemes that compromise their passwords or files. We instead focus on never letting one user or one administrator be the single point of compromise for files. Without passwords there is no proverbial key to the kingdom to be stolen, and because a device key unlocks only what that one user could read, even a compromised user does not overturn the whole basket of apples.
If employers want their employees to use security, they have to make it easy to use. The Clutch study shows how layers of complexity, from password updates to limits on personal devices, make security challenging at best and unusable at worst.
Instead, security needs to get out of people's way. In fact, it should be so easy that users do not even notice they are using it. Some might say that is where the future of security lies.
Opinions expressed by DZone contributors are their own.