
Focus on mitigating, not eliminating risk

By Michael Murphy

Can risk ever be eliminated?

Leaders face business risks every day – operational, reputational, speculative. Rising to the top of the list recently: cybersecurity. External agents are seeking to either disable devices completely, or gain access to privileged data and applications, using common tactics such as malware and phishing.

Breaches result in headaches for security departments and can cost companies millions of dollars.

As today’s workspace evolves, so too must security protocol. The modern workforce expects mobile access across a variety of devices and platforms, with an experience that is convenient, consistent and reliable. And while the technology that enables these capabilities has gotten more sophisticated, so have the threats.

But, contrary to popular perception, a great user experience doesn’t have to be at odds with security. In fact, it can go hand-in-hand if implemented properly – if leaders understand it takes a multipronged, collaborative approach to ensure all bases are covered. There isn’t just one path forward – the best approach to risk management covers five pillars of enterprise security. These are: identity and access; network security; application security; data security; and monitoring and response.

The bottom line is that while risk can never be eliminated completely, it can be mitigated to put IT departments, employees and C-suite executives at ease. Here are some basic components to mitigating cyber threats, highlighting where companies are most vulnerable and how they can close the gaps.

Beyond strong passwords: Protecting access and identity

A single username and password combination won’t cut it when it comes to preventing unauthorized access to apps, data and networks, especially in a time when hackers can compromise security measures such as database encryption. What can companies do?

The first tactic is two-factor authentication before logging into a system or a network. Authentication is based around something the user knows and something the user has (consider how withdrawing from an ATM requires both a code and a card). When implemented, two-factor authentication provides a secondary level of security, and if the primary password is compromised, there is still a safeguard against impersonation. Companies can also implement “the principle of least privilege,” where users are authorized for access only to the apps, desktops and data that are needed to complete their work – with rights reduced once no longer required. Finally, IT can grant access based on the user context – for example, device, location, user or action. This way, admins can customize access based on security policies, and users can work on any device.

Network access: Guarding the corporate fabric

The network is the fabric that holds the company’s IT together and an error by one employee can take down an entire company’s network. With more third parties accessing networks (such as contractors, vendors and partners), ensuring security best practices are in place is more important than ever.

There are a couple of steps to protecting a network. First, provide encrypted delivery of apps and desktops to employees and third parties – whether they’re in the office or on the go. IT can also use segmentation – which means defining specific “security zones” that can minimize unwanted access to sensitive data, with firewalls and gateways to restrict access.

App security: Making convenience secure

Protecting a company’s mobile productivity apps – which can be email, calendar or contacts – can be complex, especially when they are used across various platforms. When using mobile devices, companies put themselves at risk of attacks and leaks when data is stored on consumer cloud storage, social networks or between apps. This is because web apps can connect hackers to databases of sensitive customer and business information. And, similar to networks, this can be risky because employees may access these apps from within and outside corporate networks.

One solution is app virtualization, in which apps are stored in a data centre or cloud, making the infrastructure more secure because there is no transfer of data. With a centralized system, it is less work for IT departments because they can perform patches, updates and other fixes in one sweep. And, even if a device gets hacked or breached, the company data is secure because it’s all stored in the secured data centre and not on the device itself.

Data security: Protecting company value

Company data, which can range from marketing and sales information to contracts and business strategies, is at the core of a company – it’s what informs its unique value. It must therefore be closely protected. In recent cyberattacks, the exposure of personal information held in corporate data repositories has had grave consequences.

Similar to the methods for protecting against app breaches, to lessen the threat of data breaches companies can move to virtualized environments where company data lives in secured, centralized containers that are separate from personal data. Then, IT can block users from taking risks with company data by, for example, opening an email attachment in an app not approved by the company. This is essential in an age of BYOD (bring your own device) when work apps live alongside and can intertwine with personal apps. Secondly, companies can enforce secure file sharing between employees that has security built into it through proper authentication, authorization and encryption.

Analytics and insights: Follow the data

Enforcing a security strategy is not “plug and play” but something that requires constant upkeep. Maintaining compliance and preventing breaches is near impossible without monitoring and detection, even in the most secure spaces.

By using real-time analytics and data, IT can detect attacks and breaches, and identify and address application performance and security issues across the network. Companies can also conduct regular auditing and accounting of user access, configuration changes and account management to stay on guard for attacks and compromises. This can include irregular locations, activity or large amounts of data transfer.

These key tenets of security strip away the “one size fits all” thinking of the past – such as a routine security briefing during an onboarding process. Rather, by applying this diverse, contextual approach to keeping employees happy and organizational information safe, leaders can take the first steps to marrying convenience with security.

Michael Murphy is vice-president and country manager of business mobility software company Citrix Canada.
