In the not so distant past of network security, the focus on securing a business’s networking environment was dedicated to securing the perimeter. The challenge was to stay one step ahead of outside intruders trying to gain access. The prevailing logic was: if unwanted access was prevented, external risks could be mitigated. Networked assets were not considered a security high risk because they physically never left the building. But somewhere along the way, for better or worse, the definition of “work place” changed.
The introduction of laptops — the first true mobile device (even at 20 lbs.) — allowed employees to take the office home with them, working on projects during the evening or on weekends. The introduction of the public Internet allowed employees to work remotely using a home network. The introduction of hand-held mobile devices allowed employees to read and respond to business email or attend virtual meetings while travelling to and from where ever they were headed. The introduction of WIFI hotspots allowed employees to connect to the office from public locations, including airports, coffee shops, hotels, and most recently, airplanes.
These technological advances have increased efficiencies, provided a venue for virtual teams to thrive, spawned innovation, and increased productivity however, all these benefits have been at the risk of maintaining a secured network. Basically, today’s mobile-enabled workforce walks in and out of your secured network, every day, often uninhibited and unchallenged.
In fact, numerous studies, including those from Forrester Research, Symantec, and the Ponemon Institute, report that insiders are still responsible for a large number of breaches. In Forrester’s 2013 “Understand the State of Data Security And Privacy: 2013 To 2014” report, they found 36% of data breaches were unintentionally caused by employees or contractors. Similarly, a 2014 worldwide study of 341 organizations by the Ponemon Institute found 30% of data breaches could be attributed to non-malicious “human error.” Furthermore, the Forrester study found that 30% of surveyed businesses experienced a breach resulting from phishing attacks.
One of the primary factors Forrester links to “human error” is an increase in mobile device usage:
- Approximately 61% of the information workers studied are using a mobile device to connect to the network
- Around 26% of information workers are using three or more devices to connect to work
- Two thirds (66%) of mobile device users store and transfer data between devices using a USB drive or CD/DVD, while 62% state they transfer data between devices using email attachments
It’s fair to assume a portion of employees connecting to a home network or public WIFI source for work will conduct some level of personal activity, whether it’s online banking, checking email, or surfing the web. It’s even more realistic to assume employees participating in a “bring-your-own-device” environment will conduct both personal and business activities on a mobile device they actually own. In fact, Gartner’s 2013 report “Bring Your Own Device: The Facts and the Future” predicts that by 2017 50% of employers will require employees to provide their own devices. Restricting a personal item to business-only activities is a doomed premise from the start.
How can an organization support a productive mobile-enabled workforce while maintaining a secured network without imposing device policies that may or may not be adhered to? First and foremost, network administrators need to understand the primary avenue of risk for a mobile-enabled employee. It’s the network connected computer that has productivity software installed on it. This is ground zero. It’s where at-risk data is transferred to; where at-risk email attachments get sent; where at-risk files were downloaded when an unsecure WIFI network was accessed; where phishing emails are sent; and, where unpatched, at-risk operating systems are.
How can the potential risks of a mobile-enabled employee wreaking havoc on the network be mitigated? Quite easily actually. It involves the deployment of an endpoint security solution that provides both anti-virus and anti-malware protection, which is managed by a single scanning engine. Having an endpoint security solution installed on a laptop provides protection when connecting at home or during travel. It prevents malware from being installed outside the office and then being walked through the front door of the office. Ensuring that network connected computers have an endpoint security program installed ensures files transferred by USBs, CD/DVDs, or transferred to business email accounts as attachments are detected when transferring to local or network drives.
Therefore, in today’s mobile-enabled workplace, endpoint security software should not be viewed as additional security or complimentary to network security. It should be viewed as a fundamental element of an organization’s network security, data, and privacy plans.
After all, no one wants to be “that employee.” You know the one who inadvertently infects the CEO’s computer.
For information on Kaseya’s endpoint security and other important security solutions, visit us at Kaseya.com. Also, read about the “Five Ways to Reduce the Risk of Cybercrime to Your Business”, and hear industry experts discuss this same topic in our latest security webinar.