Is your IT security in the shadows? Stop enforcing and start enabling!
It has been a while since my last post. I have been seeing far too many clients affected by ransomware attacks but slowly, we are helping them turn the corner with improved security environments to protect their data.
During these client meetings I spend a lot of time observing, listening and reading between the lines, and some common building blocks are appearing. Whilst many of these blocks are known, the cause and effect of combining blocks A+B+C is often not understood or, more alarmingly, ignored.
One of my buzz phrases when talking to clients is "How do you consume your IT?". That's easy to answer, isn't it? We give a user a PC with approved apps and that is what they are permitted to use. Right? What about BYOD, CYOD or a shadow variant of these? We can containerise, use VDI products or simply ban the use of such devices. Problem solved, right?
Let's look at the reality
HANDS UP, WHO USES DROPBOX!
Our workforce in the last five years has become very aware of productivity tools and apps that they can select, manage and maintain. This has been a rapid change thanks to the "App Store" revolution, which gives users a wealth of flexibility; when their corporate security is locked down, they simply deploy these tools on their own personal devices, believing this to be for the benefit of their job.
The problem is that this opens up a nightmare scenario for IT security teams: much of the data we seek to protect is now stored on insecure devices outside of IT security's control and outside of the data owner's legal control.
Now ponder the thought: if an employee processes that data on behalf of the data owner, is the data owner now liable for how that data is processed on that machine? Further, is the data owner now liable for any other data processing done on that machine?
OK, so this will never happen to you? Are you considering cloud computing? Office 365? Maybe you have already opened this problem through a deliberate corporate decision.
Why should I be concerned?
We focus much of our attention on protecting our equipment and networks, with justification, but often without considering:
- What data are we truly protecting?
- How can that data exit your organisation?
- What would the impact be of a data security breach involving data stored on a non-corporate device or environment?
I hate the URL filter as it stops me seeing websites I need for my job. I use my personal mobile instead.
Take a walk around your offices today. How many personal phones, tablets and computers do you see, how many of them are used for work purposes, and what is the impact? Do you know for certain what is being used?
What should I do?
We need to consider a change of risk culture. Our internal networks have increasingly become environments where we try to eliminate technical risk. Whilst we should continue to enhance these robust controls, we must also consider:
- How do we monitor and control our "official" cloud environments?
- Do we ban non-approved devices?
- Do we support our staff and provide them with security layers that they can elect to use on their own devices, whilst we retain control?
On a practical front we can:
- Employ data classification tools
- Provide security tools for our employees to deploy on their own devices
- Support our employees
- Educate continually
- Assess constantly
But what is critical is to:
- Think about risk management holistically.
- Talk to a security professional about a perpetual security improvement product to capture your real use of IT and manage the risk.
Cyber Security Programme Manager