My approach to keeping the web security of any enterprise up to an appropriate security level is to consider it akin to herding cats. In this scenario, the cats are my enterprise people: the employees, the consultants and the suppliers. I might think I have a good idea about their general web behaviour, but I can guarantee I will not be able to accurately predict their exact actions.
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
If I were to block a webmail service from the main network of a company and tell users what they should use instead, I would hope employees would do as advised. The reality, however, is that:
- Some employees will follow the rules.
- Some employees will navigate the rules. For example, they might use an alternative, more exotic webmail service that was not blocked (and is probably even less secure) – or simply jump off the network on to a public internet connection – perhaps even using their own device.
- Some employees will ignore the rules and find a way to bypass the security.
Therefore the main web security challenge is how to “herd the cats” and ensure employees follow recommended security procedures. I would recommend organisations take the following approach:
- Respond to employee needs.
- Provide a secure environment.
- Track corporate technology use.
Respond to employee needs
If you have not heard of shadow IT, or of the term “employee-led cloud adoption”, it is where your personnel go and find their own technology solutions without engaging or using the right enterprise security or enterprise configuration processes. That can lead to all kinds of potential operational risks.
For example, when the US Democratic Party email got hacked, it was not the official servers that were the vulnerability. It was the personal and unofficial webmail accounts that were the source of most damage.
So what are the reasons that employees or other people go rogue and adopt something unsanctioned? This is usually because they have not been provided with the technology they require for their job function by their company.
Security professionals should always ensure they understand and adapt to the rapidly evolving technology demands of users, setting up processes to receive requests for new technology then taking the time to rapidly evaluate and respond to those requests. Each request for technology must have an effective response, otherwise they are likely to simply use the internet to find something that does work.
Does that sound time consuming? It is initially. However, after a short time, the security and technology department becomes more efficient and responsive, and employees have less reason to go rogue.
Provide a secure environment
Bad Rabbit was one of the latest instances of the never-ending gift that is malware. This time, many of the infections were due to people simply visiting websites that had themselves been compromised with a fake flash update file. This was a drive-by attack. A vulnerable device could be infected simply by visiting a uniform resource locator (URL) that might have been previously safe.
While some organisations were still scrambling to enhance their defences, an increasing number of organisations were not worried at all because they were:
- Taking a regular and automatic backup (copy) of any information of value.
- Identifying and blocking the infection with anti-malware solutions in place (especially with those anti-malware products which use forms of artificial intelligence).
- If devices were securely configured, with no administrative privileges, the infection would not be able to fully install or spread.
In 2017, the reality is that you can take a few effective steps to ensure that there is almost no risk from general surfing of the internet. There are processes and technologies that can enable blacklisting (blocking sites), whitelisting (allowing only certain sites to be visited) and even subscription services that can help verify each and every URL request. These can be useful, but when all is said and done, it is better to know that if you hit a compromised site, your employee and their device will still be safe… Or in the worst case scenario, will be easy to restore and recover.
The internet is a big place. It is hard to predict what people might do and where they might go. By having the right security already in place, the chances of employee web surfing practices causing a problem can be reduced to an acceptable level.
Track corporate technology use
Hands up if you have one or more mobile devices. Keep them up if you have ever used them for work purposes. The fact is we do not do everything on desktop PCs or inside the corporate network anymore. Often, information of very high value to enterprises has been unexpectedly found in public internet services.
Training everyone who handles any information of value to think carefully about where they allow it to go is a positive, proactive step. Data loss prevention (DLP) software can also be useful to help identify or block information from oozing out where you don’t want it to.
However, there are also instances where information can be uniquely created in an insecure location, such as the cloud. For example, an employee with privileged company performance information could create a presentation for a shareholder meeting in a public folder or a presentation service like Prezi before it is announced to the stock market. This information could be leaked early due to its insecure creation location.
The good news is that there are also now plenty of services that will help automatically trawl the internet to help find any rogue corporate or enterprise information out there. Reminding employees of this in staff security training will help them think carefully before storing data in any potentially vulnerable online locations.
This is not an exhaustive list of all web security concerns – there are millions of potential vulnerabilities out there on the internet. However, it should demonstrate that the best defence is being prepared. Some key points to remember are:
- Educate your users about effective security.
- Monitor and track your information of value.
- Configure your devices securely.
- Use effective anti-malware.
- Proactively process and deliver new technologies to the staff that request them.
- Monitor the web for any rogue enterprise information that needs to be controlled.
The web is not a secure place to visit without the right protection in place. However, with effective employee education and corporate security measures, the “cats” can be herded and cyber security risks can be significantly reduced.