The average person today has become profoundly more technical, utilising a variety of devices, technologies and cloud solutions in their daily lives. Whether a person is backing up photos to iCloud or logging into social media from an iPad or smartphone, the average security perimeter of an individual has moved far beyond email address, laptops and a favourite website. As it continues to evolve, it is becoming more fragmented and fluid.
When using a mobile device or a digital-service outside of work, a person's attitude and risk awareness is generally quite lax due to the relationship exchange in that scenario. An individual would exchange access to services in return for basic information and email addresses. However, when that same individual sets foot inside the workplace, the availability and continued integration of technology means that he or she may still behave the same way, willing to exchange basic corporate information in "return" for access to content or services. This could lead to cutting corners and in some instances acting before thinking.
Perimeter has moved, attack surface enlarged
Traditional cyber security practices, largely based around firewalls and separate physical locations of datacentres, were designed to reduce the attack surface and minimise the variety of areas a hacker could get access to, if an organisation's network was breached. In principle, this approach is still relevant today, however increasingly sophisticated cyber-attacks mean that the alternative approaches have to be adopted to reduce and resolve threats. The proliferation of devices on an organisations network, means that the once relied upon firewall is no longer the outside perimeter of an organisation.
The migration to cloud-based services combined with a variety of devices to enable employees to access information instantly, is a fantastic technological achievement, however this expansion of end-points also impacts security posture and vulnerability. A person can feel very comfortable operating in the cloud and through multiple devices at home. However, the attitude and behaviour towards interacting with technology in the workplace should be markedly different, more calculated and less sporadic that than outside the workplace.
Compliance and education
A common misconception that we continue to see across organisations is focused around each employee's overall contribution and behavioural impact to the wider security of an organisation, enterprise or public sector body. Simple daily tasks and attitudes towards communication can be crucial in the fight against cybercrime and actually determine the outcome of an attempted hack. The employee in many instances is the front line of cyber defence, not limited to personal email or phishing hacking attempts, but actually how they interact with digital services as an employee.
The cloud is effectively a policy free zone, operating outside the remit of a traditional organisation's security policy. Cloud service providers such as Microsoft Azure of Amazon Web Services certainly operate under policy and security compliance procedures. However, complexity begins to rise when considering connected databases - providing access and storage for sensitive internal data.
This moves activity beyond corporate compliance and highlights the need for regulatory evolution, as well as ensuring education plays a key part in the compliance message given to employees. Education of the workforce is a fundamental defence for an organisation against cyber threats, as on average more than half of organisations attribute a security incident or data breach to a malicious or negligent employee.
Are we moving towards a zero-trust society?
Today employees are truly reaping the benefits of an interconnected and cross device working environment, meaning they can get jobs done efficiently because they have access to the services and content they need, whenever they need it. This in turn, opens up a variety of potential hacking routes, increases the attack surface and blurs lines between corporate policy and individual responsibility.
However, the concept of a zero-trust working environment - where access is profoundly limited, with requests needing to be made to access any content or service every time would become a total hindrance. So, this raises the question, are we heading towards a Snapchat reality with enterprise services, where access is given to individuals for a set period of time only, then a fresh request will need to be made?
I believe that the right combination of education and compliance combined with an effective security partner and internal team can mean operations and working norms do not need to stray to extreme measures to safeguard an organisations IP and assets. Instead, an intelligent and corporate-led employee education programme combined with expert security partners is capable of creating a powerful remedy to reduce an organisations security fears in an increasingly digital world.